About Us | Contact Us
View Cart

Audit Checklist Does Not Equal Security

By Vigilize | Thursday, October 24, 2013 - One Comment

For organizations to develop a mature risk management program, they must go beyond the checklist.

We have always believed that checklists are dangerous in audits, that audits should be based on risk as much as compliance. We believe that risk assessments should determine the controls that mitigate the most risk, and that those are the controls that should be tested in an audit, and that compliance risk should be considered as just one of the many types of risk. This article helps bolster our position.

Compliance does not always equal security. When organizations focus only on passing the audit checklist, they are missing the whole point of having a security system. In order to function, there needs to be a concerted effort to build the resilience of the organization’s IT system. Constantly reacting to one breach after another is not fixing the problem. This is only treating the symptoms. In order to prevent future breaches, organizations must work to get in front of the attackers and bolster their defenses.

The newest Global Information Security Survey showed that out of 9,600 organizations, only 17% possessed a mature risk management program.

Every company needs to understand how much risk they are willing to tolerate and understand the consequences – both long term and short term – of accepting too much IT risk. Integrating security into everyday business operations can be a good first step. The idea is that organizations move away from this idea of checklist compliance to proactively securing their organization.


Original article by George V. Hulme.
Read the full story here.

One Response to “Audit Checklist Does Not Equal Security”

Comment from k
Time 10/24/2013 at 1:59 pm

So true! We need to go in with eyes wide open so that mitigations can be put in place. And if few mitigations are available we still need to decide if we can ‘accept that baggage’!

Latest News
      Alternatives From 2020 Conferences The 2020 Update Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Each year as we go to various conferences throughout the Midwest ranging in scope; from small banker conferences that Dan himself moderates, to hacker conferences like Defcon.  We […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    The IBA Presents an infotex Workshop: Tech-Shop (A Virtual Workshop for Banks IT Geeks) Live Workshop Time for a workshop for the technical side of the community-bank. Time for a workshop full of command lines and configurations, acronyms we are forbidden to use around management, and even dark-web jokes. Time for a workshop where we […]
    An Analogy… …About Taking Better Notes Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . An interesting set of metaphors arose out of our efforts to improve our time management practices at infotex.  In the spirit of sound strategic planning, we as a team decided […]
    A Webinar-Movie In our current world of uncertainty there is at least one thing that is certain. Business needs to continue, and that means that it is important for managers to be able to meet with their team even if everyone is working remotely at this point. In this Webinar-Movie, Dan will compare virtual meeting […]