
FIVE EASY STEPS TO A SMOOTHER CYBERSECURITY AUDIT EXPERIENCE


STEVE SIMMONS, CHIEF OPERATING OFFICER, A-LIGN
PLATFORM INFORMATION & QUICK TIPS

• Download the presentation deck from the MATERIALS window.
• Windows on the platform can be hidden or expanded to fit your preference.
• Submit questions in the Q&A window.
• Use the HELP icon at the bottom for FAQs and system requirements.
• Please click on the ISACA Customer Experience Center image to be redirected to ISACA’s customer support page.
• Experiencing technical difficulties? Try refreshing your browser!


CPE CERTIFICATE & CREDIT

LIVE EVENT & ON DEMAND RECORDING

• You must view the live or recorded webinar for the required amount of time (50 minutes). Check the CPE Credit and Certificate window to view the timer.
• Your CPE Certificate will automatically appear in the ISACA CPE RECORDS tab on the MyISACA page in your account after completing the required viewing time.
• Please be patient. This process could take up to 48 hours for your CPE Certificate and the CPE credit to be applied to your account.
• As a reminder, with all ISACA webinars, the CPE credits and CPE certificates expire 365 days after the live event.

TODAY’S SPEAKER

Steve Simmons
Chief Operating Officer, A-LIGN
• 20 years’ experience in audit & compliance
• Manages a team of 240 auditors & staff
• CISA, CIA, CISSP, QSA

WHAT WAS YOUR LAST AUDIT EXPERIENCE LIKE?
SECURITY AUDITS HAVE LOTS OF CHALLENGES

• Old-school processes & communication
• Time-consuming for high-skilled resources
• Things change year-to-year
• Takes too long to get the final report
• Multiple audits – duplicated effort
• Is your auditor the best fit for you?

MEANWHILE AUDITS ARE CHANGING AROUND US

• New regulations & policies every year
• Increasing use of automation
• Environments are getting more audit-aware
• IT/Sec staff are squeezing out inefficiencies
• Greater number of audit efforts
• Long-lasting impacts of COVID

Shouldn’t this be easier by now?

It should… but change is hard.

FAST-FORWARD: AUDITABILITY IN 2024

[Diagram: three tiers. ORGANIZATION (enterprise software, cloud apps, data management, infrastructure, security system) feeds, through audit APIs & an automation portal, an INDEPENDENT AUDIT compliance system (fieldwork, assessment, validation, readiness, evidence, crosswalk, report storage, access management, distribution), whose verified reports reach STAKEHOLDERS (licensed customers, auditor, business partners, government, regulatory bodies).]

1. Auditability will become a standard feature of enterprise software
2. Automation and APIs will feed auditable data into an independent compliance system
3. Human auditors will verify data against regulations
4. Third parties can access a company’s verified reports upon authorization

THE ANNUAL AUDIT SCRAMBLE

[Diagram: the AUDITOR is only involved during the audit; the team is FIGHTING CYBERSECURITY FIRES YEAR-ROUND, SCRAMBLES AS THE AUDIT APPROACHES, endures a DISRUPTIVE AUDIT and ends up a FRUSTRATED TEAM.]

GETTING FROM HERE TO THERE

Here’s how it gets easier.

PRIORITIZE TOP CONTROLS (Step 1 for a Smoother Audit)

1. Information Security Policy
2. Access Control Policy
3. Password Policy
4. Change Management Policy
5. Risk Assessment & Mitigation Policy
6. Incident Response Policy
7. Logging & Monitoring Policy
8. Vendor Management Policy
9. Data Classification Policy
10. Acceptable Use Policy
11. Information, Software & System Backup
12. Business Continuity & Disaster Recovery

DEDICATE TIME THROUGH THE YEAR (Step 2 for a Smoother Audit)

Daily / Weekly
• Confirm immediate revocation of creds for terminated users
• Review logs for security events and functions
• Perform critical file comparisons for unauthorized modifications

Monthly
• Install security patches
• Remove / disable inactive users
• Internal / external vulnerability scans

Quarterly
• Review security policies and operational procedures
• Video surveillance storage
• Analyze audit trails
• Review firewall & router rulesets

Yearly
• Penetration testing
• Conduct security awareness training
• Review offsite media location
• Perform risk assessment
• Review and test incident response plan
• Perform vendor risk assessment

GET STARTED WITH AUDIT AUTOMATION (Step 3 for a Smoother Audit)

1. Access to prior audits, working documents, reports
2. Ability to log evidence throughout the year
3. Single source of communication throughout audit

CONSOLIDATE AUDITS (Step 4 for a Smoother Audit)

[Diagram: a scattered set of separate engagements (ISO, SOC 2, PCI and several individual Pen Tests) shown against a consolidated audit.]

CHOOSE A PARTNER, NOT JUST AN AUDITOR (Step 5 for a Smoother Audit)

Top signs your auditor is partnering with you:

1. Communicates well and responds quickly to questions
2. Guides you through the process based on experience
3. Uses technology to automate
4. Gets you the final report faster
5. Committed to your successful audit

EASY STEPS LEAD TO A SMOOTHER AUDIT

[Diagram: the AUDITOR guides you through the complete process to ensure your success; CYBERSECURITY BEST PRACTICES, YEAR-ROUND, CONSOLIDATED AUDIT PREP and AUDIT AUTOMATION lead to a SMOOTH AUDIT and a HAPPY TEAM.]

SUMMARY: 5 EASY STEPS TO BEST AUDIT PRACTICES

1. Prioritize Top Controls
2. Dedicate Time Through The Year
3. Adopt Audit Automation
4. Consolidate Audits
5. Choose a Partner, Not Just An Auditor

THE RIGHT AUDIT PARTNER CAN BE YOUR GUIDE

❑ Confirm they are licensed / accredited
❑ Ensure they are properly staffed and qualified
❑ Check out their audit automation platform
❑ Verify they respond in 24 hours
❑ Review the quality of their work
❑ Review their services offered

WE INVITE YOU TO PARTICIPATE – SURVEY CLOSES SOON

Visit go.a-lign.com/benchmark
All survey respondents will be invited to an exclusive VIP walkthrough and Q&A with the report authors.

• Benchmark against your peers
• Compare budgets and priorities
• Re-assess programs after COVID

The 2021 Compliance Benchmark Survey is produced by A-LIGN Security & Compliance Services.

Survey closes 2/28/2021



QUESTIONS?
This training content (“content”) is provided to you without warranty, “as is” and “with all faults”. ISACA makes no representations or warranties express or implied, including those of merchantability, fitness for a particular purpose or performance, and non-infringement, all of which are hereby expressly disclaimed.

You assume the entire risk for the use of the content and acknowledge that: ISACA has designed the content primarily as an educational resource for IT professionals and therefore the content should not be deemed either to set forth all appropriate procedures, tests, or controls or to suggest that other procedures, tests, or controls that are not included may not be appropriate; ISACA does not claim that use of the content will assure a successful outcome and you are responsible for applying professional judgement to the specific circumstances presented in determining the appropriate procedures, tests, or controls.

Copyright © 2021 by the Information Systems Audit and Control Association, Inc. (ISACA). All rights reserved. This webinar may not be used, copied, reproduced,
modified, distributed, displayed, stored in a retrieval system, or transmitted in any form by any means (electronic, mechanical, photocopying, recording or otherwise).
THANK YOU FOR ATTENDING THIS ISACA WEBINAR
