Differences Between Assessment and Audit

Written by Sean Martin; published January 2008.



One of the main tenets of the IAM is that it is an assessment, not an audit or an inspection. These terms usually carry a bad connotation of distrust, whether on the side of the auditors or the audited, and generally both. There are key differences between the two concepts, and it often helps to ensure that everyone understands those differences. Something like this may seem rather tedious to present, especially after doing so several times with everyone involved on every assessment. Just remember—you may understand this difference, but chances are that many of your customers will not. The better the customer understands that this process is one of nonattribution, the more detailed and useful data you will be able to elicit from them, and that will ultimately result in a better overall deliverable for the client. Thus a willing and eager participant is always preferred, rather than a closed or guarded individual.

Nonattribution is the act of not establishing a specific individual as responsible for something. This is the specific term NSA uses to describe the process of reporting findings without laying “blame” on any individuals. The major difference between an assessment and an audit or inspection is the overall goal of the process. The audit or inspection is normally understood to be a check for compliance, often bringing with it consequences for failure. This process tends to create a very unfriendly environment in which the people you need to work with are wary and cautious in their dealings with you due to their fear of being held directly responsible for the findings—which will happen, because nonattribution is not an aspect of your typical audit.

In opposition to this concept, we have the goal of an assessment process, which is to help or assist the customer organization in improving its INFOSEC posture, not to pass judgment. In fact, we have often witnessed an organization request an assessment as a means of preparing for an audit. The concept of providing assistance cannot be overstated; many individuals who have been involved with assurance checks in the past likely felt as though they were inspected in a rather judgmental light. An assessment based on the IAM process can be an excellent tool for preparing for any upcoming audits. It allows the organization to work on meeting goals or compliance requirements in a friendly and cooperative environment.

Audits also carry a declaration of fault in regard to inefficiencies; the IAM, on the other hand, is what some people like to call a no-fault or nonattribution process. The objective is to assist in improving security rather than assign blame to anyone who may have forgotten to implement a patch or verify a backup tape. When something like that does occur, it is more likely due to a process and procedure failure, not someone trying to circumvent the system. People are more likely to be honest and forthcoming when they understand that their actions and answers will not be attributed directly to them but merely addressed as a finding in the final report. However, if in an interview one person discusses something that he or she has been arguing about with others for months, it will likely be apparent who made that statement. Furthermore, if only one person operates a system, any findings will be attributable to that operator. Other such scenarios may arise through the simple process of elimination. Nevertheless, the IAM will not put a name next to any piece of information gathered. Any conclusions about attribution are drawn by others, not by the assessment team.

There may come a time when malicious or illegal activities are discovered during any security assessment—for example, the discovery of child pornography, pirated software, copyrighted multimedia files, and so forth. The IAM does not have a dedicated policy in regard to these issues beyond the common understanding that you will follow all applicable laws, both local and federal. How you plan to handle these situations is something you should consider documenting as an internal company policy and sharing with your customers. It might be wise to have an attorney specialized in the computer industry field review your policy for you as well.

A good understanding of the assessment process is also a fundamental factor in the overall success of your engagement. It is very important to ensure that the customer organization is comfortable with the what, how, when, why, and who of what the assessment team is doing. Management buy-in and a sense of ownership in the final product rest on the customer organization’s continued involvement and understanding as the engagement progresses, grows, and changes. The assessment is the client’s product, not yours, so ensure that it is treated as such.

Along those lines, the assessment team needs to realize that its largest role is that of facilitator. During the pre-assessment site visit, you will be helping the customer come to a deeper understanding of their information’s importance. You will be assisting them in determining their security priorities. You will be assisting them in defining goals and objectives. To reiterate, you are there to facilitate!
