Fundamentals of Information Risk
Management Auditing
An Introduction for Managers and Auditors
Christopher Wright
Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader's own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author.
Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address:
IT Governance Publishing
IT Governance Limited
Unit 3, Clive Court
Bartholomews Walk
Cambridgeshire Business Park
Ely
Cambridgeshire
CB7 4EA
United Kingdom
www.itgovernance.co.uk
© Christopher Wright 2016
The author has asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the author of this work.
First published in the United Kingdom in 2016
by IT Governance Publishing.
ISBN 978-1-84928-818-7
FOREWORD
It's often said that we live in the Information Age. When we consider our lives and how important information has become over the last 20 or so years, it is amazing. Every decision we make is based on information, be it our choice of holiday, career, new car, or where to live. Thanks to social networking, we know more about what our friends, family and associates are doing right now (often more than we would like to know!). Events on the far side of the world are streamed to us in real time. We can search for answers to the most obscure questions imaginable, even during the quiz at our local pubs. We can watch movies, read books from a library of many works, check out our contacts, and review the news and share prices, all from our telephones and mobile devices, almost anywhere in the world. New businesses are thriving in sectors unimaginable 20 or so years ago: social networking, sale of content and knowledge, online shopping and take-away food, to name but a few. Even well-established businesses have changed the way they operate and interact with their customers.
These changes are historic, comparable to the impact of exploration of the New World in the late middle ages, or indeed the Industrial Revolution. There are risks we are all aware of: the scares around loss of personal and highly sensitive data by large organisations, disasters impacting data centres, etc.
We all need to be aware of these risks and adapt strategies and processes which will enable us to reduce the likelihood and impact of these risks to acceptable levels.
PREFACE
At my age I don't remember much about my school days. But I do have a very vivid memory of being shown a 35 mm film (yes, it was a long time ago) called GIGO (Garbage In, Garbage Out). I watched it again recently on YouTube and was struck not only by what had changed so dramatically (no more ticker tape and punched cards) but also by what had not changed. The risk of programming errors, security and the need to change business processes are the same today as they were in 1969 when the film was made. Added to that, we have new risks and challenges with viruses, hackers and advanced persistent threats (APTs), to name a few. The modern information risk manager and auditor needs an appreciation of the whole realm of information risk and governance, in addition to a detailed understanding of their own specialist fields.
I also remember running training in the early 1990s when we stated that by 2002 there would be no computer audit/information risk management (IRM) specialists: all auditors and consultants would have the necessary skills to undertake the work themselves, and so specialists would not be required. Thankfully (for me) this has not been the case. The need for IRM specialists/auditors is now greater than ever, as threats have become more complex (e.g. APTs, cyber crime and terrorism). At the same time, the traditional threats still remain and are compounded by general ignorance and naivety of the risks. It is however true that all auditors need an appreciation of the basic information risks facing their organisations and how these can be mitigated.
The aim of this book is to provide insight and guidance for those considering a career in information risk management, and also to provide an introduction for non-specialists. It has been written in four main parts:
I. What is risk and why is it important?
This provides an introduction to general risk management and introduces information risk.
II. Introduction to general IS and management risks
This gives an overview of general IS controls and the controls over the operation and management of IS. It also considers risks and controls for confidentiality, integrity and availability of information.
III. Introduction to application controls
This introduces the concepts of application controls, the controls built into systems to ensure that they process data accurately and completely.
IV. Life as an information risk management specialist/auditor
This provides a guide for those considering, or undergoing, a career in information risk management.
Each chapter contains an overview of the risks and controls that you may encounter when performing an audit of information risk, together with a suggested approach. I have based this approach on risks and controls rather than providing a detailed list of specific questions; given the variety of organisations and technologies in use, I find such questions of very limited benefit unless they are used effectively.
This book is not intended to provide an in-depth analysis; however, there are references to other sources. I hope you find the book helpful, informative and entertaining. Happy auditing.
ABOUT THE AUTHOR
A qualified accountant, Certified Information Systems Auditor and Certified ScrumMaster, Chris has over 30 years' experience of providing financial and IT advisory and risk management services. He worked for 16 years at KPMG, where he managed a number of major IS audit and risk assignments. These included a number of project risk and business control reviews. He was head of information risk training in the UK and also ran training courses overseas, including in India and throughout mainland Europe. He has worked in a wide range of industry sectors, including oil and gas, public sector, aviation and travel.
For the past eight years he has been an independent consultant specialising in financial, SOX and operational controls for major ERP implementations, mainly at oil and gas enterprises.
He is an international speaker and trainer on Agile audit and governance and has published two other titles for ITGP: