Management may spend considerable time and energy making sure that personnel understand one thing when dealing with auditors: specifically answer the question that the auditor asked, not the question the auditor should have asked; and do not volunteer any information.
There is, however, a useful technique that management (and only management) sometimes uses when working with auditors. I prefer to call this seeding the audit results. Similar to the technique of cloud seeding, where rain clouds are seeded with substances to cause them to release rain, management can use audit seeding as a way of ensuring that auditors are aware of specific situations that they are willing to include in their audit report. The purpose of audit seeding is generally the creation of an audit issue that will permit management to prioritize an initiative to improve the business.
For example, external auditors are examining access controls, an area where a security manager has had difficulty obtaining funds to make key improvements. While in a discussion with auditors, the security manager may choose to illuminate particular actions, inactions, or other situations in access control processes or technology that the auditor might not have otherwise noticed.
Persons who are considering audit seeding must have a thorough understanding of the subject matter, the controls being tested, the procedures and technologies in play, the auditing methodology in use, and a bit of grit. Audit seeding may be considered a daring move that may have unforeseen results. Finally, persons considering audit seeding must not make auditors feel they are being manipulated, as this could have greater consequences. Instead, management is simply making auditors aware of an important aspect of a control they are auditing.
— excerpt from CISM All-In-One Study Guide
The need to protect your mission-critical communications system and business applications should be considered from the very start of your converged network planning. Is your converged voice, video and data network safe from threats, both internal and external? Download this E-Guide for best practices for converged network security.
Read this paper to learn more about:
* Best practices to secure your enterprise through a multi-layered security model
* Understanding the myriad of security approaches and technologies used to protect converged voice, video and data networks
* Extreme improvements for network security
Find out how to overcome the challenge with converged network security:
My apologies if this sounds like an ad. This is a cut-and-paste from TechTarget for an e-book I wrote last year.
Disaster Recovery is not simply about Katrinas, earthquakes, or 9/11 catastrophes. Sometimes, the focus on these monumental events could intimidate even the most committed IT manager from tackling Disaster Recovery Planning. Disaster Recovery is really about the ability to maintain business as usual – or as close to ‘as usual’ as is feasible and justifiable – whatever gets thrown at IT.
Read entire review
Find out more about the book, IT Disaster Recovery Planning for Dummies
A security book just for Solaris® and UNIX® system administrators. Learn the specifics for making your system secure, whether it’s an organization-wide network or a standalone workstation. Expert author Peter Gregory has managed security for everything from top-secret corporate research facilities to casinos. Take advantage of his experience to build a secure, reliable system of your own.
Solaris Security™ looks at the physical, logical, and human factors that affect security, including:
- PROMs, physical security, bootpaths, permissions, auditing tools, system logs, passwords, and more
- Secure network interfaces and services for remote and Internet access, intrusion detection, access control, email, and printing
- Enhanced security for NIS, NIS+, DNS, and NFS
A special section shows you how to plan for the inevitable disasters so you can recover your data quickly and accurately without compromising security. References to books, journals, and online resources will help you keep up with the latest innovations.
eBook from Safari
Online from Amazon
Also available in Japanese and Chinese language editions
This weekend I have started another book. I took a two month writing break. I’ve been writing almost continuously since 1998, and a break is needed now and then.
I’m really excited about this project, as this is work with a new publisher, and a new type of work for me. The book – and related instructor materials – will be used in universities, community colleges, and vocational-technical schools.
I can’t talk about the book in any detail yet. I can say that it will be published in late 2008 and be available for Winter and Spring quarters in 2009.
Like many manuscripts, it’s starting out slow. I laid out all of my chapter files with their respective TOCs, set up my chapter status and image worksheets, and gathered my reference materials. Some of my references exceed 1,000 pages and I’m finding that I am in need of some leather book weights. Right now I’m using my tape dispenser and stapler – poor substitutes indeed.
I’ve published eighteen books since 1999, or about two per year. Within the past few weeks, two new projects have entered the pipeline:
- A book on biometrics (~320 pp)
- A security text book for community colleges and vocational / technical schools (~500 pp)
At least one of these books is with a publisher that I have not worked with before. I’m pretty excited about that. The biometrics book is going to be a lot of fun to write as well.
I’m writing one of these books on my own; I’ve brought in a professional colleague and friend to co-author the other.
2008 is going to be a busy but productive year. I’ll write more about these titles when they have been made public. After these two are done, I’ll have written and published twenty books. Ten years ago I would have never believed it.