What best practices for asset management should organizations use to minimize audit risks?

Group Director of Information Security in Banking, 15 days ago
In the cloud and digitalized world where more and more cloud shared responsibility models are taking away the management and maintenance aspects of hardware and software assets up to the layer of operating system (as in WebApps, containers, SaaS, etc.) or leaving out the OS layer as in the case of IaaS, below are the best practices to minimise audit risks:

1. Only enumerate and inventory your assets at application level. 
2. Capture application criticality (Critical vs Important) via business owner and map it to a business process.
3. Demarcate all security controls deployment into two categories: those that are applicable to be deployed for 'Important' applications, and those extras that get deployed for 'Critical' applications.

By following the above 3 steps, you will reduce audit risks and findings by NOT wasting your efforts and budgets over securing 80% of the applications which are seldom classified as business 'critical', but you need to be very clear about definitions of what's important and critical for the business.

Director of IT in Banking, 14 days ago
Start with the basics by implementing a Configuration Management Database (CMDB). But it doesn't have to be a sophisticated system; you could do something as simple as making a list on paper to get started. The key is to list all the assets and identify those that are essential to the organization.

Next, it is critical to know the latest installation or patch levels of these assets. You can do this by cross-referencing with websites like VirusTotal, which provide information on whether certain components are affected by vulnerabilities and how to address them, usually through patches.

To manage all this information effectively, it's best to use tools like SQL Server or Excel for quick sorting and analysis of the data, making it easier to stay on top of asset management and minimize audit risks.