In December 2020 the European Commission published a proposal to repeal the current NIS Directive (European Directive on Network and Information Systems) and to replace it with a new Directive: the so-called NIS-2 Directive. This post will give an update on the status of negotiations of NIS-2, and will outline the aspects we already know and don’t know about the upcoming Directive’s final form.
GRC: Be Connected! – Turning audit into enablement
23 februari 2021 – Cyber Security Coalition
GRC Be connected: about auditing
Who’s afraid of the big, bad internal auditor? Well, that should be no one who attended the fourth GRC: Be connected! webinar, with focus on auditing – the why, the how and the value to an organization. Do check this webinar for the best possible returns on audit efforts.
The first presentation, by Monique Garsoux, Head of the Audit Office at Belfius, provided an overview of the internal auditor mission. It is about “how to enhance and protect organizational value by providing risk-based, objective assurance, advice and insight.” This is the result of activities based on standards, core principles and a code of ethics by independent professionals, to provide value to all stakeholders in the ‘three lines model’, whether operational people, management, governance bodies, externals and/or regulators, “to improve things, not to find problems.”
Bluntly, the internal auditor should not be a bogeyperson, but a trusted advisor in a bi-directional relationship with the organization, participating in the everyday workings through joining workgroups, meetings etc. The purpose is to turn the audited parties into allies, with auditors being asked for advice. Rather than focusing on known risks, the function of the auditor should be the thought leader, anticipating future and emerging risks, by keeping abreast with new technologies and business evolutions.
Indeed, an audit is about benefits, for the auditor, the client and audit-savvy professionals – that is the mainstay of the presentation by Prof. Georges Ataya, Solvay Brussels School of Economics & Management. Why were audits invented? To offer comfort to persons wondering whether their organization is on par regarding risks and challenges, and to provide validated opinions on which decisions can be reliably based. An audit is about the relation between who requests an audit, the accountable party and the assurance professional. It is about the scope of the assurance initiative, including the subject matter over which assurance is to be provided; about understanding the subject, including suitable criteria against which the subject matter will be assessed; and about communicating the results. It is about providing the requested comfort statement to who needs it, as e.g. board of directors.
In this presentation, Prof. Ataya once again points out the advantages of mapping actions and requirements on the Cobit-approach!
Ultimately, an audit is about opportunities. For the auditor, this is a matter of focusing on the client’s request and to justify every conclusion. The audit-savvy professional will turn it to his advantage to prove the use of resources or to obtain arguments for additional efforts. The audit client will value the auditor as a source of a solid second opinion.
At the end of his presentation Prof. Ataya urged the attendees to check with ISACA, either ‘connected’ or as a member for the many advantages.
In the ‘Anatomy of an audit assignment’, Kelly Hogan, audit expert and trainer, provides an overview of the parts of an audit, with a focus on planning, performing the audit and communicating the results, based on the structure of the IIA audit model (Institute of Internal Auditors).
Of particular importance is the planning phase, with Kelly Hogan providing an overview of the basic steps, objectives, scope and – important – the use of a risk & control matrix. This phase is crucial for a successful audit, and a ‘must understand’ for the audited parties (e.g., explaining why this phase may consume 40 to 60% of the budget, because of a huge learning/’getting acquainted’ effort). She also points out the deliverables the audited parties should expect to receive, with possibly already some preliminary recommendations. A solid planning is money and effort well spent!
Next she explains how an auditor will be about performing the audit: the ‘field work’ for ‘collecting sufficient, reliable, relevant and useful information’. Test results must be documented, to confirm facts. Again, a list of deliverables is given.
The communication phase – reporting – is again a multi-step activity, starting with a draft report. Feedback for comments on the draft is a must (both regarding facts and tone), leading to a final report and a customer survey (how well did the auditor do?).
Ransomware – today’s universal cyberworry – is but one aspect of a crime: cyber extortion. Orange Cyberdefense provides some insights into this scourge, based on its ‘Security Navigator 2022’-report.
The Cyber Security Coalition and top cybersecurity trainer SANS Institute joined forces to provide specially needed insights and recommendations on successful cloud security, as well as how to handle cyber security in these times of war.
It is easy to drown in the sea of dire warnings about the danger of AI, in particular to our privacy. The main point is that AI in good trust is possible, but requires solid, long term and well-structured approaches. This session of the Privacy focus group offers some crucial insights and welcome examples.
On computer security day we pay tribute to Ada Lovelace, the forgotten mother of the computer. Often described as the first computer programmer — before computers were even invented — Ada was a real visionary. Imagine what she might have achieved had Babbage actually built his “computer” and she hadn’t died at the age of 36.