As IT environments become more complex, enterprises are relying on them more than ever before, Michael Juergens, principal at Deloitte & Touche, told attendees at an ISACA CACS audit and compliance conference.
He identified 10 areas in which complexity makes IT more difficult to monitor. "This list is designed to get you thinking about your environments and if currently scheduled IT audit procedures will evaluate these risks," Juergens said. "The list is in no particular order, is by no means a comprehensive list, and will vary by environment. There may be a greater or lesser risk depending on your industry, technology, business processes, and other factors," he added.
He said that auditors should make a careful risk assessment at any enterprise that uses external cloud computing solutions. A key risk for compliance is simply keeping track of the data and recovering it if part of the cloud goes down. IT administrators must have insight into the cloud to enable forensics if an investigation is required.
Juergens added that virtualization, often a key component of private clouds, carries the same risks as public clouds. The key issue is finding and tracing data, which can move to different servers within a virtualized environment.
During this economic downturn, many companies will face disgruntled employees and will need to be able to control their access. "Specific attention items should be: timely removal of access, periphery security, internal security architecture, physical security and badge location, help desk procedures, workstation security and IDS management," Juergens said.
Layoffs can harm an organization even without disgruntled employees. Many help desks and incident response teams will be understaffed, and Juergens advised that now is a good time to re-examine security procedures.
A related risk could occur if an employee takes on the responsibilities of another, combining tasks that were previously segregated for compliance purposes.
Enterprise search tools are more powerful than before, but auditors must "review data classification schema, access management, index design and maintenance, and user training," said Juergens.
Mobile devices and social networking will require careful examination and specific best practices. Failed policies could result in the loss of critical data or the transmission of important data over the Internet in an insecure manner.
Juergens said that as companies rely more on outsourcers, the IT supply chain becomes more complex and that can lead to reduced service levels and more errors. IT organizations must have contingency plans in place in case a partner fails and must be able to monitor the status of the entire supply chain, including that part of it that is outside the company.
For those organizations pursuing green IT initiatives, auditors must monitor their effectiveness and their compliance with local and federal law.
Auditors should work as part of the team. "Don't walk the plank alone; communicate with management and the audit committee," said Juergens.
Article courtesy of InternetNews.com.