Monday, 9 July 2018



Consider transitioning to a Career in Cyber Security


The Information Technology industry is one that has over the decades experienced fast-paced growth and has impacted people’s political, economic and social standing in copious ways. Technology has disrupted many industries, changing and redefining the way services are delivered, from manufacturing, agriculture and marketing to medicine. Amidst all this magnificent development another industry was born: the world of cyber security. As they say in physics, “for every action, there is an equal and opposite reaction”. The heavy losses incurred by firms and individuals through cyber-crime have created a need for an equal response. The cybersecurity industry has germinated to counter the devastating effect of cybercrime, which has since been dubbed the “world’s fastest growing industry”. Motivated by easy pickings, driven by skill and having the patience of a chameleon, “black hats”, as they have come to be known, have operated under the radar for a long time. With some of these criminals being funded by well-resourced organisations and to some extent by governments, they have managed to carry out some of the world’s biggest information heists. Arguably among the greatest information swoops of all time is the J.P. Morgan Chase hack, which saw the bank lose information on 75 million of its customers. Cyber security has thus become a sign of hope and a pinnacle of defense against such barbaric acts, which some governments have termed acts of terrorism.

The changing technology landscape means that more opportunities are being made available by the increasing demand for a skilled, motivated workforce, especially in the area of cyber security, as it is famously known. In the United States alone, the US Department of Labor predicts that the career landscape for cyber security will increase by 28% from 2016 to 2018. This increase is much faster than the average for all occupations in all sectors of the economy. Below is an extract of the summary of statistics presented by the US Department of Labor:

This huge demand means that a transition into information security is a worthwhile option for many. The growing criminal activity has also seen governments enacting legislation to protect themselves and the entities operating within their jurisdictions. Such moves have also seen service providers being required to provide specified levels of protection for information. A case in point is the GDPR [General Data Protection Regulation] recently introduced in the European Union, which requires businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states; non-compliance could cost companies dearly. This requirement thus sees a surge in the number of skilled professionals required to meet the obligations thrust upon firms by such legislation, through services such as information systems audit and compliance.

The question of career transition therefore becomes key. As some careers are taken over by technology and the need for cyber security experts surges, the call to join in is becoming even louder. A qualification and experience in accounting, auditing or risk, and in IT in general, presents many with an opportunity to enter information security with relative ease. However, this should not be an impediment for those that are not in these domains. One simply needs to take an audit of their career, organisation and possible areas of entry. Key to all is the motivation, enthusiasm and drive to be a cyber security expert. So where does one start?

The initial step towards a career in information security is an audit of oneself and one’s current situation, followed by concrete steps to become an expert. The current information security landscape of the organisation shows one the areas which one can enter to exploit the opportunities available. Among the things that can be done, one needs to take on more information security related tasks or projects within their organisation and to lead projects. As one charts a new career there is a need to set goals that directly relate to the new performance initiatives. In this way, one will be able to begin the journey on a new path, albeit with support from the manager. Lastly, networking with other employees and managers presents another clear resource which one can use to ensure one remains on the path to repositioning oneself.

Perhaps one of the most critical steps is acquiring enough skills to become a competent cybersecurity expert. The growing need for cybersecurity experts has also been heavily supported by the growing number of institutions which provide information security certification, skills and education. Among the notable certifications which have become highly regarded and rewarding in the industry include:

It is imperative to note that among the top ten certifications of 2017, five are security oriented certifications. Certifications provide one with the requisite knowledge and skills to actively participate in information security programs. Therefore, this is a major step towards transitioning into the information security arena.

The growing need for security experts provides one with an alternative career path. It takes zeal, enthusiasm, networking, initiative and focus to become the most sought-after cyber expert. And as one leader said, “If you feel safe in the area you’re working in, you’re not working in the right area. Always go a little further into the water than you feel you’re capable of being in. Go a little bit out of your depth. And when you don’t feel that your feet are quite touching the bottom, you’re just about in the right place to do something exciting”. Why not start today? Why not start now?



Friday, 9 March 2018

The need for IT audit to enhance decision making in Enterprise Risk Management among Zimbabwean firms



Introduction

The Information Communications Technology (ICT) industry has evolved immensely since the turn of the 21st century. The contribution of ICT to general business performance through the use of bookkeeping and reporting systems has helped firms grow their revenue and in some instances avoid winding down. Information systems have introduced a layer of efficiency in the manner in which businesses operate through the provision of better ways to manage information and communications among companies. The introduction of these systems has not only brought with it efficiency, but also cybercrime and malicious system access, which have had a negative impact on the confidentiality, integrity and availability of data. Globalization efforts among trade partners and nations have also made significant use of ICTs to bridge geographical boundaries and distances.

The negative effects of the introduction of systems necessitated the introduction of control mechanisms to ensure proper usage of these systems, using a process called auditing. Auditing is a means of evaluating the effectiveness of a company’s internal controls. Maintaining an effective system of internal controls is vital for achieving a firm’s objectives, obtaining reliable financial reporting on its operations, and preventing fraud and misappropriation of its assets. The risks associated with the introduction of computer systems again called for a means of monitoring and controlling the use of computer systems in business, called information technology audit. Information technology control and audit is a critical mechanism for ensuring the integrity of information systems and the reporting of organisation finances, to avoid and prevent future financial crises.


The Asian Risk Management Institute explains ERM as a disciplined and cohesive approach to risk that supports the configuration of strategy, process, people and technology, and allows firms to categorise, rank and effectively manage their serious risks. The information systems audit contributes to the enterprise risk management effort by assessing the organisation’s critical systems, technology architecture and processes to assure that information assets are protected, reliable, available and compliant with the organisation’s policies and procedures, as well as the applicable laws and regulations of the country of operation. A significant relationship has been found between the level of ERM implementation and the firm’s value. This finding therefore makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology, to continue increasing firm value. Because IT risk systems and their integration with the enterprise risk management process vary widely among enterprises, the auditor must define the scope of the audit to fit the enterprise. This assertion therefore presents the need to assess how effectively IT audit systems improve enterprise risk management decisions in firms.

Background

The production of audited company statements is a requirement enshrined in the Zimbabwe Companies Act 243 (3). The requirement mandates firms to appoint auditors to produce audit reports for the respective company accounts kept within the firm. The adoption of ICT systems by a majority of firms in Zimbabwe has helped them manage information better as well as increase productivity, monitoring and evaluation. This increased use of ICTs in firms has thus posed significant risk to firms in the growing cyber space from cybercriminals. Malicious activity has also been reported to originate from organisations’ own employees and system users. To effectively manage the IT risks introduced into business processes, many firms have adopted the use of IT auditors, internal and external, to review the controls within the IT infrastructure, identify the risks and put forward recommendations on how the risks can be managed. The uptake and use of IT audit has been slow, with the majority of firms preferring to use only financial auditors. However, a report by PWC (2011) indicated that threats from the use of ICTs are growing phenomenally, with global cybercrime costs estimated to reach 400 billion USD by 2017. Some organisations have therefore acknowledged this growing threat and embarked on a drive to strengthen their enterprise risk management process, with IT auditing providing a mechanism for planning and for evaluating the effectiveness of the measures that have been implemented.

Auditing in Zimbabwe

The auditing profession in Zimbabwe is regulated by the PAAB. It can be noted that many organisations have internal audit departments with the mandate of producing reports which are directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on the status of their financial position. For other organisations, forensic audit processes are initiated to allow specific issues to be investigated within the firm.

Internal auditors are tasked with using a risk-based approach: internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve risk management and control objectives. Without internal auditing, organisations would be besieged by fraud, theft, waste and inefficiencies that make them less competitive.

IT audit in Zimbabwe

IT audit in Zimbabwe has been a growing phenomenon and many organisations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in assisting firms to manage risks related to IT systems. IT audit not only points to vulnerabilities but also helps organisations assess exposure levels and compare those with the baseline risk appetite defined within their global ERM strategy.

The growth of cybercrime as mentioned above has also contributed to the growth of IT audit functions to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attackers and exploited threats is the major key to establishing an IT risk resilient organisation.

It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT, as businesses embrace technology in doing business. IT auditors also need to be trained and have their skills upgraded in order for them to be able to help organisations detect and respond to cyber threats.

Why IT audit should be considered

Access Control

Unauthorised access to information and systems is one of the dangers posed by both internal and external actors. This deliberate breach of systems security causes damage to files, and perhaps to the integrity of systems and organisations. Firms need to engage well-skilled IS audit personnel to diligently evaluate controls on information to avoid both intentional and unintentional disclosure of, and changes to, files. Policies and procedures need to be employed to manage and limit access to information systems resources. The policies adopted should set out how access is allocated to both internal and external stakeholders of the organisation, and it is the work of the auditors to verify that such policies are being adhered to by asking common-sense questions regarding aspects of access control such as password change policies, time limitations, and so forth.

Network Security

Computer systems have largely been connected through the use of networks, which has seen the advent of such concepts as the Internet of Things. Network systems protection becomes very important in this era of the internet, to ensure that no unauthorised access is granted. Measures also need to be taken to protect data that is in transit, to ensure that no unauthorised access occurs. The development of protocols and standards has ensured that systems from different vendors can be connected. That interconnectedness of devices also means greater vulnerability to external actors who may be remotely located and yet have active access to systems through networks.

Companies must consider all of the ways in which data flows into and out of their systems and strengthen the weakest links in order to protect against such malicious activity. The transmission of information across airwaves, through technology such as wireless routers and infrared ports, is especially open to hacking because the signals are not contained physically.

Investment is therefore needed to ensure that networks are hardened to protect against attacks.

Asset Management

The computers and other technological devices which store such data are themselves valuable and costly as well. Hardware equipment is subject to theft, damage, impoundment and maintenance costs. Portable devices such as laptops are especially vulnerable to the former two risks, whereas they and all stationary devices are subject to the latter two. Upon the decision to dispose of hardware, an organisation must take into account the sensitivity of the data on the machine when determining its destruction process.

People pose additional risks from an asset management point of view when they become addicted to counter-productive computer activities, download hacker-enabling files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should outline computer use expectations. Technological solutions are also available that limit use and monitor activity.

Software Acquisition and Development

An organisation’s purchase of software applications poses risks in terms of its usability, effect on customers, legal issues, and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, while software intended from its onset to perform its function within the company tends to reduce overall risk and minimise costs. A company must be especially careful when choosing Internet-based applications, because the lifespan of such software is much shorter due to competition and the speed of development.

A successful internal auditor takes into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensures that the measures imposed by management provide both flexibility and restriction where they are necessary, to allow for effective and realistic business function. The use of common sense in general audits can lead to significant findings even when compared to complex technical reviews, which yield ineffective results if not supported by a strong foundation.

Conclusion

Overall, IT audit is a key component of ERM, as the discussion above shows. Firms therefore need to revisit their IT and risk management strategy to ensure that IT risk is considered and given priority when necessary. Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation’s cyber resilience. The areas recommended above are but the beginning of a journey in which IT audit becomes a critical component of risk planning and management in firms.

Introduction The Information Communications Technology (ICT) industry has evolved immensely since the turn of the 21st millennium. The contribution of ICT to the general business performance through the use of bookkeeping and reporting systems has helped firms grow their revenue and in some instances avoid winding down. Information systems have introduced a layer of efficiency in the manner in which businesses operate through provision of better ways to manage information and communications among companies. The introduction of these systems have not only brought with them efficiency but cybercrime and malicious system access which have had a negative impact on the confidentiality, integrity and availability of data. Globalization efforts among trade partners and nations have also significantly made use of ICTs to bridge geographical boundaries and distances. The negative effects of the introduction of systems necessitated the introduction of control mechanisms to ensure proper usage of these systems using a process called auditing. Auditing is a means of evaluating the effectiveness of a company's internal controls. Maintaining an effective system of internal controls is vital for achieving a firm’s objectives, obtaining reliable financial reporting on its operations, preventing fraud and misappropriation of its assets. The risks associated with the introduction of computer systems again called for the introduction of means of monitoring and controlling the use of the computer systems in business called information technology audit. The role of information technology control and audit is a critical mechanism for ensuring the integrity of information systems and the reporting of organization finances to avoid and prevent future financial crises. 
Asian Risk Management Institute explain ERM as a disciplined and cohesive approach to risk that support the configuration of strategy, process, people, and technology, and allow firms to categorize, rank, and effectively accomplish their serious risks. The Information Systems audit contributes to the enterprise risk management effort by assessing the organisation’s critical systems, technology architecture and processes to assure information assets are protected, reliable, available and compliant with organisation’s policies and procedures, as well as applicable laws and regulations with the country of operation. Significant relationship was found between the level of ERM implementation and the firm’s value. This finding therefore makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology to continue increasing firm value. IT risk systems and their integration with the enterprise risk management process varies widely among enterprises, the auditor must define the scope of the audit to fit the enterprise. This assertion therefore presents the need to assess how effective IT audit systems improve enterprise risk management decisions in firms. Background The production of audited company statements is a requirement enshrined in the Zimbabwe companies act 243 (3). The requirements mandates firms to appoint auditors to produce audit reports for the respective company accounts kept within the firm. The adoption of ICT systems by a majority of firms in Zimbabwe has helped them manage information better as well as increase productivity, monitoring and evaluation. This increased use of ICTs in firms has thus paused significant risk to firms in the growing cyber space form cybercriminals. Malicious has also been report to have been generated from organisation’s own employees and system users. 
To effectively manage the IT risks introduced to the business processes, many firms have adopted the use of IT auditors, internally and externally to review the controls within IT infrastructure, identify the risks and put forward recommendations on how the risks can be managed. The uptake and use of IT audit has been slow with majority of firms preferring to use only financial auditors. However, a report by (PWC, 2011) indicated that threats from the use of ICTs is growing phenomenally with global cybercrime costs estimated to be 400 billion USD by 2017. Some organisations have therefore embraced this growing threat and embarked on a drive to strengthen their enterprise risk management process with the use of IT auditing providing a mechanism for planning, and evaluation of the effectiveness of measures that have been implemented. Auditing in Zimbabwe The auditing professions is regulated by the PAAB. Its role is to regulate the audit profession. It can be noted that many organisations have internal audit departments within their organisations with the mandate of carrying out reports which are directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on the status of their financial position. For other organisations, forensic audit processes are initiated to allow for specific issues to be investigated within firms. Internal auditors are tasked with using a risk-based approach, internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve risk management and control objectives. Without internal auditing, organisations would be besieged by fraud, theft, waste and inefficiencies that make them less competitive. 
I.T audit in Zimbabwe IT audit in Zimbabwe has been a growing phenomenon and many organizations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in assisting firms to manage risks related to IT systems. IT audit not only points to vulnerabilities but it also helps organisations assess exposure levels and compare those with the baseline risk appetite defined within its global ERM strategy. The growth of cybercrime as mentioned above has also contributed to the growth of IT audit functions to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attackers and exploited threats in the major key to establishing IT risk resilient organization. It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT as business embrace technology in doing business. IT auditors also need to be trained and have their skills upgraded in order for them to be able to help organisations detect and respond to cyber threats. Why IT audit should be considered?? Access Control Unauthorised access to information and systems is one of the dangers paused by both internal and external actors. This deliberate breach on systems security causes damage to files, and perhaps the integrity of systems and organisations. Firms need to engage well skilled IS audit personnel to diligently evaluate controls on information to avoid both intentional and unintentional disclosure and changes to files. Policies and procedures need to be employed to manage and limit access to information systems resources. 
The policies adopted should point out on how access is allocated to both internal and external stakeholders to the organization and it is the work of the auditors to verify that such policies are being adhered to by asking common sense questions regarding aspects of access control such as password change policies, time limitations, and so forth. Network Security Computer systems have largely been connected through the use of networks which has seen the advent of such concepts as the internet of things. Network systems protection becomes very important in this era of the internet to ensure no authorized access is granted. Measures also need to be taken to protect data that is transit to ensure that no unauthorized access occurs. The development of protocols and standards have ensured that systems from different vendors can be connected. That interconnectedness of devices also means that more vulnerability to external players who could be remotely locate and yet have active access to systems through networks. Companies must consider all of the ways in which data flows into and out of their systems and target the weakest links in order to protect against such malicious activity. The transmission of information across airwaves, through technology such as wireless routers and infrared ports, is especially open to hacking because signals are not contained physically. Investment is therefore needed in ensuring that networks are hardened to protect against attacks. Asset Management The computers and other technological devices which store such data are themselves valuable and costly as well. Hardware equipment is subject to theft, damage, impoundment, and maintenance costs. Portable devices such as laptops are especially vulnerable to the two former risks, whereas they and all stationary devices are subject to the two latter risks. 
Upon the decision to dispose of hardware, an organization must take into account the sensitivity of the data on the machine in determination of its destruction process. People pose additional risks in consideration of asset management when they become addicted to counter-productive computer activities, download hacker-enabling files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should outline computer use expectations. Technological solutions are also available that limit use and monitor activity. Software Acquisition and Development An organization’s purchase of software applications poses risks in terms of its usability, effect on customers, legal issues, and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, and software intended from its onset to perform its function within the company tends to reduce overall risk and minimize costs. A company must be especially careful when choosing Internet-based applications because the lifespan of software is much shorter due to competition and the speed of development. A successful internal auditor can take into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensure that measures imposed by management provide both flexibility and restriction where they are necessary to allow for effective and realistic business function. The use of common sense in general audits can lead to significant findings even when compared to complex technical reviews, which yield ineffective results if not supported by a strong foundation. Conclusion Overall IT audit is a key component of ERM as can be obtained. Firms therefore need to relook into their IT and Risk Management strategy to ensure the aspect of IT risks is considered and given its priority when necessary. 
Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation’s cyber resilience. The above recommended areas are only but the beginning to a journey in which IT audit becomes a critical component of risk planning and management in firms.



Introduction

The Information Communications Technology (ICT) industry has evolved immensely since the turn of the 21st millennium. The contribution of ICT to the general business performance through the use of bookkeeping and reporting systems has helped firms grow their revenue and in some instances avoid winding down. Information systems have introduced a layer of efficiency in the manner in which businesses operate through provision of better ways to manage information and communications among companies. The introduction of these systems have not only brought with them efficiency but cybercrime and malicious system access which have had a negative impact on the confidentiality, integrity and availability of data. Globalization efforts among trade partners and nations have also significantly made use of ICTs to bridge geographical boundaries and distances.

The negative effects of the introduction of systems necessitated the introduction of control mechanisms to ensure proper usage of these systems using a process called auditing. Auditing is a means of evaluating the effectiveness of a company's internal controls. Maintaining an effective system of internal controls is vital for achieving a firm’s objectives, obtaining reliable financial reporting on its operations, preventing fraud and misappropriation of its assets.  The risks associated with the introduction of computer systems again called for the introduction of means of monitoring and controlling the use of the computer systems in business called information technology audit. The role of information technology control and audit is a critical mechanism for ensuring the integrity of information systems and the reporting of organization finances to avoid and prevent future financial crises.


Asian Risk Management Institute explain ERM as a disciplined and cohesive approach to risk that support the configuration of strategy, process, people, and technology, and allow firms to categorize, rank, and effectively accomplish their serious risks. The Information Systems audit contributes to the enterprise risk management effort by assessing the organisation’s critical systems, technology architecture and processes to assure information assets are protected, reliable, available and compliant with organisation’s policies and procedures, as well as applicable laws and regulations with the country of operation. Significant relationship was found between the level of ERM implementation and the firm’s value. This finding therefore makes it imperative that efforts be directed towards strengthening enterprise risk management through the use of technology to continue increasing firm value.
 IT risk systems and their integration with the enterprise risk management process varies widely among enterprises, the auditor must define the scope of the audit to fit the enterprise. This assertion therefore presents the need to assess how effective IT audit systems improve enterprise risk management decisions in firms.

Background

The production of audited company statements is a requirement enshrined in the Zimbabwe companies act 243 (3). The requirements mandates firms to appoint auditors to produce audit reports for the respective company accounts kept within the firm. The adoption of ICT systems by a majority of firms in Zimbabwe has helped them manage information better as well as increase productivity, monitoring and evaluation. This increased use of ICTs in firms has thus paused significant risk to firms in the growing cyber space form cybercriminals. Malicious has also been report to have been generated from organisation’s own employees and system users. To effectively manage the IT risks introduced to the business processes, many firms have adopted the use of IT auditors, internally and externally to review the controls within IT infrastructure, identify the risks and put forward recommendations on how the risks can be managed. The uptake and use of IT audit has been slow with majority of firms preferring to use only financial auditors. However, a report by (PWC, 2011) indicated that threats from the use of ICTs is growing phenomenally with global cybercrime costs estimated to be 400 billion USD by 2017. Some organisations have therefore embraced this growing threat and embarked on a drive to strengthen their enterprise risk management process with the use of IT auditing providing a mechanism for planning, and evaluation of the effectiveness of measures that have been implemented.

Auditing in Zimbabwe
The auditing profession in Zimbabwe is regulated by the Public Accountants and Auditors Board (PAAB). Many organisations have internal audit departments with the mandate of producing reports directed to the board of directors. For the purposes of publication, a number of organisations engage the services of external auditors to issue audit opinions on the status of their financial position. For other organisations, forensic audit processes are initiated to allow specific issues to be investigated within the firm.
Using a risk-based approach, internal audit provides assurance on the effectiveness of governance, risk management and internal controls, including the manner in which the board and operational management achieve risk management and control objectives. Without internal auditing, organisations would be besieged by fraud, theft, waste and inefficiencies that make them less competitive.

I.T audit in Zimbabwe

IT audit in Zimbabwe is a growing phenomenon, and many organisations are embracing the need for well-trained information systems auditors. IT auditors have played a pivotal role in assisting firms to manage risks related to IT systems. IT audit not only points to vulnerabilities but also helps organisations assess their exposure levels and compare them with the baseline risk appetite defined in the organisation's overall ERM strategy.
 
The growth of cybercrime mentioned above has also contributed to the growth of IT audit functions to include forensic investigation. IT audit professionals have found themselves needing forensic investigation skills as crime escalates. The ability to recover from attacks and exploited vulnerabilities is key to establishing an IT-risk-resilient organisation.
It is imperative that firms in Zimbabwe continue to invest in equipping their audit functions, especially those related to IT, as businesses embrace technology. IT auditors also need to be trained and have their skills upgraded so that they are able to help organisations detect and respond to cyber threats.

Why IT audit should be considered
Access Control
Unauthorised access to information and systems is one of the dangers posed by both internal and external actors. Such breaches damage files and can compromise the integrity of systems and of the organisation itself. Firms need to engage well-skilled IS audit personnel to diligently evaluate the controls on information, in order to avoid both intentional and unintentional disclosure of, and changes to, files. Policies and procedures need to be employed to manage and limit access to information systems resources. The policies adopted should set out how access is allocated to both internal and external stakeholders of the organisation, and it is the work of the auditors to verify that such policies are being adhered to by asking common-sense questions about aspects of access control such as password change policies, time limitations on accounts, and so forth.
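As an added illustration (not code from the original post), the following Python script is the sort of check an auditor might run over an export of user accounts to test adherence to a password-age and inactivity policy, rather than relying on the answers given in an interview. The record layout, the policy limits and the sample accounts are all assumptions made for this example.

```python
# Added example (not from the original post): a minimal access-control audit
# check. It reads account records and flags enabled accounts whose password is
# older than policy allows, that have never been used, or that have been idle
# beyond the inactivity limit. The record layout, the policy values and the
# sample accounts are all constructed for this example.
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool
    privileged: bool
    last_password_change: date
    last_login: Optional[date]  # None means the account has never logged in


@dataclass
class Policy:
    # Assumed limits; a real audit would take these from the firm's own policy.
    max_password_age_days: int = 90
    max_privileged_password_age_days: int = 30
    max_inactive_days: int = 60


def audit_accounts(accounts, policy, today):
    """Return a list of (username, finding) tuples for accounts that breach the policy."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            # Disabled accounts cannot be used; this record layout carries no
            # disable date, so they are simply skipped here.
            continue
        # Privileged accounts get the stricter password-age limit.
        max_age = (policy.max_privileged_password_age_days if acct.privileged
                   else policy.max_password_age_days)
        pw_age = (today - acct.last_password_change).days
        if pw_age > max_age:
            findings.append((acct.username,
                             f"password is {pw_age} days old (limit {max_age})"))
        if acct.last_login is None:
            findings.append((acct.username, "enabled but never logged in"))
        else:
            idle = (today - acct.last_login).days
            if idle > policy.max_inactive_days:
                findings.append((acct.username,
                                 f"inactive for {idle} days (limit {policy.max_inactive_days})"))
    return findings


# Constructed sample population (not real data); the audit date is fixed so
# the results are reproducible.
TODAY = date(2018, 7, 9)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, False, date(2018, 5, 1), date(2018, 7, 8)),        # compliant
    Account("admin2", True, True, date(2018, 4, 1), date(2018, 7, 1)),       # privileged, stale password
    Account("contractor7", True, False, date(2018, 6, 1), date(2018, 3, 1)), # idle beyond limit
    Account("svc_backup", True, False, date(2017, 12, 1), None),             # never used, old password
    Account("olduser", False, False, date(2016, 1, 1), date(2016, 2, 1)),    # disabled, skipped
]


def audit_sample():
    """Run the check over the constructed sample with the default policy."""
    return audit_accounts(SAMPLE_ACCOUNTS, Policy(), TODAY)


if __name__ == "__main__":
    for user, finding in audit_sample():
        print(f"{user}: {finding}")
```

The point of writing the check down is that it can be re-run against each quarter's account export, so the auditor tests the policy against the actual state of the directory rather than against what the administrator says the policy is.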
Network Security
Computer systems have largely been connected through networks, which has given rise to concepts such as the internet of things. Protecting network systems is very important in the internet era, to ensure that no unauthorised access is granted. Measures also need to be taken to protect data in transit so that it cannot be read or altered by unauthorised parties. The development of protocols and standards has ensured that systems from different vendors can be connected. That interconnectedness also means greater exposure to external actors who may be remotely located and yet gain active access to systems through the network.
Companies must consider all of the ways in which data flows into and out of their systems and address the weakest links in order to protect against such malicious activity. The transmission of information over the air, through technology such as wireless routers and infrared ports, is especially open to interception because the signals are not physically contained.
Investment is therefore needed to ensure that networks are hardened against attack.

Asset Management

The computers and other technological devices which store such data are themselves valuable and costly. Hardware is subject to theft, damage, impoundment and maintenance costs. Portable devices such as laptops are especially vulnerable to the first two risks, whereas they and all stationary devices are subject to the latter two. When deciding to dispose of hardware, an organisation must take into account the sensitivity of the data on the machine in determining its destruction process.
People pose additional asset management risks when they engage in counter-productive computer activities, download malicious files, and share illegal files using their machines. The computer activity of employees should be managed carefully, and clear policies should set out the expectations for computer use. Technological solutions are also available that limit use and monitor activity.

Software Acquisition and Development

An organisation's purchase of software applications poses risks in terms of usability, effect on customers, legal issues and effect on company processes. Software tends to be most expensive when developed within a company with the input of outside consultants, while software intended from the outset to perform its function within the company tends to reduce overall risk and minimise costs. A company must be especially careful when choosing Internet-based applications, because the lifespan of such software is much shorter owing to competition and the speed of development.
A successful internal auditor takes into consideration the multi-faceted and ever-changing nature of technology risks within a company and ensures that the measures imposed by management provide both flexibility and restriction where they are necessary for effective and realistic business function. The use of common sense in general audits can lead to significant findings, even compared with complex technical reviews, which yield ineffective results if not supported by a strong foundation.

Conclusion

Overall, IT audit is a key component of ERM. Firms therefore need to revisit their IT and risk management strategy to ensure that IT risks are considered and given priority where necessary. Investment should be directed towards equipping IT auditors and information security personnel to further cement the organisation's cyber resilience. The areas recommended above are only the beginning of a journey in which IT audit becomes a critical component of risk planning and management in firms.