Page 1: 5 insider tips for using it audits to maximize security

© 2011 NetIQ Corporation. All rights reserved.

5 Insider Tips: Using IT Audits to Maximize Security

Mike Chapple – Senior Director for Enterprise Support Services at the University of Notre Dame

Renee Bradshaw – Senior Product Marketing Manager, NetIQ

Page 2: 5 insider tips for using it audits to maximize security

Agenda

An Insider’s Guide to Effective Audits
− Treat audits as a lifecycle process.
− Understand the scope.
− You shouldn’t learn anything!
− Don’t be afraid to speak up!
− Embrace findings.

Aligning Compliance, Security, and Business Goals

Q and A

Page 3: 5 insider tips for using it audits to maximize security

About the Speaker

Mike Chapple
Senior Director for Enterprise Support Services at the University of Notre Dame
• Assistant professor, Information Security, University of Notre Dame
• Former senior advisor to the Executive Vice President at University of Notre Dame
• Former Executive Vice President and Chief Information Officer at Brand Institute
• Former active duty intelligence officer in the U.S. Air Force
• Published author, including the best-selling CISSP: Certified Information Systems Security Professional Study Guide
• Ph.D. and BS, Computer Science and Engineering, University of Notre Dame; MBA, Auburn University; MS, Computer Science, University of Idaho

Page 4: 5 insider tips for using it audits to maximize security

5 Insider Tips: Using IT Audits to Maximize Security

Mike Chapple, Ph.D.

Senior Director, Enterprise Support Services

University of Notre Dame

Page 5: 5 insider tips for using it audits to maximize security

Tip #1

Treat Audits as a Lifecycle Process

Page 6: 5 insider tips for using it audits to maximize security

Audits Shouldn’t be your Super Bowl

Page 7: 5 insider tips for using it audits to maximize security

But More Like a Doctor’s Visit

Page 8: 5 insider tips for using it audits to maximize security

Auditing as a Lifecycle

Prepare

Assess

Audit

Remediate

Page 9: 5 insider tips for using it audits to maximize security

Tip #2

Understand the Scope

Page 10: 5 insider tips for using it audits to maximize security

Covered Devices

Page 11: 5 insider tips for using it audits to maximize security

Business Processes

Page 12: 5 insider tips for using it audits to maximize security

Standards

PCI DSS

SOX

HIPAA

SAS 70

COBIT

GLBA

FISMA

Page 13: 5 insider tips for using it audits to maximize security

Audit Process

Page 14: 5 insider tips for using it audits to maximize security

Tip #3

You Shouldn’t Learn Anything!

Page 15: 5 insider tips for using it audits to maximize security

This is Not the Time for Discovery!

Page 16: 5 insider tips for using it audits to maximize security

Tip #4

Don’t be Afraid to Speak Up!

Page 17: 5 insider tips for using it audits to maximize security

It’s Now or Never

Page 18: 5 insider tips for using it audits to maximize security

Just Keep It Civil

Page 19: 5 insider tips for using it audits to maximize security

Tip #5

Embrace Findings

Page 20: 5 insider tips for using it audits to maximize security

Learn and Adapt

Page 21: 5 insider tips for using it audits to maximize security

Auditing as a Lifecycle

Prepare

Assess

Audit

Remediate

Page 22: 5 insider tips for using it audits to maximize security

5 Insider Tips: Using IT Audits to Maximize Security

Mike Chapple, Ph.D.

Senior Director, Enterprise Support Services

University of Notre Dame

[email protected]

Page 23: 5 insider tips for using it audits to maximize security

Aligning Compliance, Security, and Business Goals

Renee Bradshaw – Senior Product Marketing Manager, NetIQ

Page 24: 5 insider tips for using it audits to maximize security

Plan for Good Security
Direct compliance efforts towards risk mitigation

Compliance should be a “by-product” of security efforts.
− Compliance mandates only provide a minimum standard

Focus first on minimizing risk and improving security.
− Leverage your audit findings
− Define tools and controls which align to risk tolerance and business objectives
− Realize improvement in overall security posture

Page 25: 5 insider tips for using it audits to maximize security

Ease the Compliance Burden
Create an adaptable compliance program

Implement a common set of controls
− Encompasses regulatory, industry, and internal corporate mandates
− Simplifies audits; provides a reporting framework
− Avoids conflicting controls and unnecessary expense
− Adds controls as the regulatory environment changes

Improve security and efficiency of the IT environment
− Automates routine, labor-intensive tasks
− Reduces the cost of compliance
− Avoids “audit panic”

Page 26: 5 insider tips for using it audits to maximize security

Back to Basics
Good security makes compliance easier

The best way to achieve compliance is to get the security basics right.

Realize positive, long-term business impact.
− Reduce breach risk
− Avoid non-compliance penalties
− Operational efficiencies
− Improve security posture

Page 27: 5 insider tips for using it audits to maximize security

Learn More at NetIQ.com

Complete our survey.
− Enter for a chance to win an Apple iPad!

Access informative white papers; gain insight.
− “Achieving ROI from your PCI DSS Investment” (tinyurl.com/ROIfromPCI)
− “Sustainable Compliance: How to Align Compliance, Security and Business Goals” (tinyurl.com/sustainable-compliance)