Controls are implemented to address vulnerabilities and manage risk. If your organization already has its key IT controls documented, monitored, and tested in an enterprise GRC tool, with clear evidence ready for auditors, this presentation is not for you. It is a discussion of how to determine key controls, when to get those controls into a GRC tool, what makes great evidence of control effectiveness, and how to present your controls to leadership, auditors, and operations.
There are numerous standards and regulations that must be considered when selecting controls. When an auditor creates an audit plan, a framework such as COBIT may be used, so how do you address audit plans during controls selection?
GRC tools vary in complexity and implementation, but maturing a controls inventory is not a technical issue. The strategy for maturing a controls inventory must be tailored to environmental factors. What are the factors that need to be incorporated into the strategy?
The requirements for evidence of control design and for evidence of operating effectiveness are different. Understanding these requirements is critical to an appropriate audit response. Examples of the different kinds of evidence, and how to use them, will be discussed.
Metrics and reporting must be incorporated into controls! Without them, leadership will not know the risks or which areas need support, and any confidence in security or operational health will be unsupported.
- Be able to select controls based on risk
- Be able to develop a strategy for documenting controls in a GRC tool
- Be able to prepare evidence for any audience