One Article Review

Source NoticeBored
Identifier 427480
Publication date 2017-11-03 09:35:50 (seen: 2017-11-03 09:35:50)
Title NBlog November 3 - audit sampling (LONG)
Text [This piece was stimulated by a question on the ISO27k Forum about ISO27k certification auditors checking information security controls, and a response about compliance audit requirements. It's a backgrounder, an essay or a rant if you like. Feel free to skip it, or wait until you have a spare 10 mins, a strong coffee and the urge to read and think on!]

“Sampling” is an important concept in both auditing and science. Sampling (i.e. selecting a sample of a set or population for review) is necessary because under most circumstances it is practically impossible to assess every single member; in fact it is often uncertain how many items belong to the set, where they are, what state they are in etc. There is often lots of uncertainty.

For example, imagine an auditor needs to check an organization's “information security policies” in connection with an internal audit or certification/compliance audit. Some organizations make that quite easy by having a policy library or manual or database, typically a single place on the intranet where all the official corporate policies exist and are maintained and controlled as a suite. In a large/diverse organization there may be hundreds of policies, thousands if you include procedures and guidelines and work instructions and forms and so forth. Some of them may be tagged or organized under an “information security” heading, so the auditor can simply work down that list … but almost straight away he/she will run into the issue that information security is part of information risk is part of risk, and information security management is part of risk management is part of management, hence there should be lots of cross-references to other kinds of policy. A “privacy policy”, for instance, may well refer to policies on identification and authentication, access control, encryption etc. (within the information security domain) plus other policies in areas such as accountability, compliance, awareness and training, incident management etc. which may or may not fall outside the information security domain depending on how it is defined, plus applicable privacy-related laws and regulations, plus contracts and agreements (e.g. nondisclosure agreements) … hence the auditor could potentially end up attempting to audit the entire corporate policy suite and beyond! In practice, that's not going to happen.
Tags Guideline