Feb 12
QSA – Friend or Foe?
Author: Phara McLachlan
Filed Under ITAM (Asset Management), Information Security, Software License Compliance
Security professionals often face challenges from both ends of the stick — internal audit staff and external auditors. Further straining this relationship are the Qualified Security Assessors (QSAs). Although this can sometimes seem like a threat, my advice is to make nice: it will benefit both your mission and the QSA's, and make the whole process go more smoothly. When the QSA comes into your organization they are looking for a few things: that each of your controls works as intended, that all risk has been identified with appropriate controls in place, and that you have documentation showing that all actions were carried out properly.
Additionally, here are some tips about working with auditors for those of you out there who will go through this process:
1. Document everything, from measures taken to reduce risk AND the cases where you decide to accept risk.
2. Embed controls and control objectives in the security architecture.
3. Don't get "cocky": don't overstate or underestimate the degree of confidence you have in your controls and mitigations. If you exaggerate in one instance, the auditor will second-guess everything.