Professional Documents
Culture Documents
• Project Co-ordination/PMO
Review the old security controls already in place; if new security controls have been published by BSI (British Standards
Institution), a transition plan to them has to be created.
ISG – any process of aligning your IT resources and practices with your organisation's goals and its
stakeholders. The main aim is that all information systems are compliant with, and effective under, all applicable standards and
regulations.
• IT General Controls
Part of the statutory audit. ITGC and ITAC (IT Automated Controls) each have their own set of base requirements. Ask the client for
evidence. Requirements list – user access management, asset management, business
continuity plans, business recovery plans, password management plans, network security. Ask for evidence
for these items and evaluate on that basis. ITGC is a small part of ISO 27001 – the security control
requirements are in ITGC.
It’s a standard
Conducted at the organisational level. Cover all business processes. Go control by control: what is
applicable or not, find the gaps and go in depth on the risks and risk assessments. Ask them why internal
audit is important, about user access, asset requirements, whether NDAs are maintained, background
verification of employees, third-party vendor assessment, whether SOPs are maintained for the work,
etc. Whether ISO standards are adhered to or not.
• Information Security
The "father" of ISO. ISO has 93 controls and SOC has 250 controls. Much more detailed. Confidentiality,
Integrity, Privacy, Security and Availability – the 5 parameters of SOC. 2 types of SOC: Type 1 and Type 2.
Can be done for various certifications like ISO. ITGC – effectiveness of IT controls: how are you
following the various parameters and what security measures have you implemented in the org, adhering to
ISO methods. BCMS – Business Continuity Management System.
• Developing IT risk remediation strategies
Done by conducting gap assessments, then internal audits, then identifying risks by going through and
understanding all business processes; after identification, mitigate all the risks and maintain a separate
risk register document. Formulate risk assessment policies and define them for the
organisation.
As per the ISO standards, understand all business processes. A document called the Statement of Applicability lets
you assess which controls are applicable to the organisation, and from there you can find
all the organisation's gaps, e.g. if there is no firewall, that is a gap and they need to implement one; if there is no
antivirus, they must implement it.
If you run a business you should always document a business continuity plan (BCP), listing the
incidents covered and, for each listed incident, what the next step of action is, and
how much downtime you can afford; that should be documented (MTO, RPO).
DR – Disaster Recovery drills will be conducted.
Software assets within the organisation should be documented and defined in a policy that says they should be
classified – a data classification scheme should exist, and based on it the software is classified by criticality.
Transition: the 2013 standard is the old one and the 2022 standard is the new one – implement the new
standard.
GEORGE MATHEW – PARTNER FOR 14 YRS AND CA. SWITCHED TO INFORMATION SYSTEMS AUDIT 17 YRS BACK AT
ANOTHER BIG4, THEN MOVED TO EY.
EY INDIA ACHIEVED A MILESTONE – FINANCIALS DAILY – BILLION DOLLAR REVENUE FROM INDIA
OPERATIONS, AND THE BULK OF IT COMES FROM CONSULTING.
TAX PRACTICE, MERGER AND ACQUISITIONS AND FORENSICS BUT BULK OF REV COMES FROM
CONSULTING
ECO TIMES INTERVIEWED HEAD OF COMPEDES – YOU ARE NO. 2 IN CONSULTING IN INDIA AND
ANOTHER IS THREE; WHEN DO YOU SEE YOURSELF AS THE NUMBER ONE CONSULTING BRAND IN INDIA
LIKE EY? – SAYS WE ARE STILL A COUPLE OF YEARS AWAY.
WHAT DO WE DO IN CONSULTING?
NOTHING AND SOUTHING, PEOPLE CONSULTING
AS A TEAM – ENGAGEMENT IS THE KEY TO SUCCESS – JOIN HANDS, PROVIDE INPUTS TO ADD AND
DELIVER VALUE TO THE CLIENT. WE SHOULD HAVE A MINDSET TO LISTEN TO OTHERS AND NOT JUST BE
IN OUR OWN PRESCRIBED WORLD – CONTRIBUTE TO A THOUGHT PROCESS – COLLABORATION.
FUELLED BY PEOPLE AND INNOVATION – PEOPLE ARE THE ASSETS FOR THEM – SINCE YOU WILL
WORK HARD, COLLABORATE AND DELIVER ENGAGEMENTS – BASIC PHILOSOPHY.
PEOPLE FROM DIFFERENT BACKGROUNDS ARE HERE FOR A REASON – VARIOUS CLUBS IN EY FOR LIKE-MINDED PEOPLE.
WHAT WE DO
HANDING OVER NON-CORE ACTIVITIES TO THIRD PARTIES.
WHEN ENGAGING WITH A PLETHORA OF THIRD PARTIES, HOW DO YOU ENSURE SECURITY? WHAT IF THE
THIRD PARTY MISUSES THE DATA THAT YOU SHARED?
KEEP A VERY KEEN EYE ON HOW THESE GUYS ARE MANAGING THEIR DATA AND THE CONFIDENTIALITY OF
THEIR CUSTOMERS.
THEY HAVE CONTROLS DESIGNED – CHECK IF THEY ARE OPERATING EFFECTIVELY. THAT'S WHAT
WE DO.
IF YOU ARE PART OF THE FINANCE TEAM AND THEY COME AND ASK IF THEY WANT TO BUY 100 TRUCKS,
THERE ARE A LOT OF QUESTIONS ON THE REQUEST TO BUY AN ASSET – IT IS CLOSELY SCRUTINIZED; SO WHEN
BUYING SOFTWARE THERE IS A NEED FOR SCRUTINY AS WELL. HELP COMPANIES SAVE A LOT OF
MONEY BY LOOKING AT WHAT THE EMPLOYEES ARE DOING ON A DAILY BASIS, WHAT
SOFTWARE THEY USE, AND BY ANALYSING THEIR VOLUME OF RENEWALS – SAVE A LOT OF
MONEY.
UNLESS THEY ADOPT THESE CHANGES THEY WILL BE OUTDATED – SO WE HELP CLIENTS
WITH THIS.
CONTRACT FARMING – IN ORDER TO HELP IMPROVE FARMERS' PRODUCTIVITY –
COMPREHENSIVE, INNOVATIVE, AND SHOW INFO AT STATE LEVEL – DATA REQUIRED.
RELATIONSHIP BUILDING
BRAND BUILDING THROUGH THE EXPERIENCE YOU GAIN AT WORK – TECH MBA – BADGES – ONLINE
PROGRAMS YOU SELECT – COULD BE ANYTHING – BADGES YOU ACQUIRE AS PER THE KNOWLEDGE YOU
GAIN IN THAT AREA OF EXPERTISE.
EY JOURNEY
ASSOCIATE CONSULTANT AND THEN YOU MOVE ON