issc498 discussion response 2


I need two responses of at least 150 words each for the students' discussions below for this week. Also, in bold below are the questions the students are answering.

Questions (both questions must be answered):

1. Find an online article (or resource) regarding IT risk assessment, cyber law, OR auditing.

2. Summarize the article.

Student one:

Information System Audits

I will be summarizing Dr. Ocharo's (Certified Information Systems Auditor, CISA) article, "The Importance of Information Systems Audit", because many may think of auditing as a simple task of checking blocks on a checklist, such as ensuring the password complexity group policy was applied in accordance with the password policy.

Dr. Ocharo opens with how organizations depend so greatly on their IT infrastructures for operations. This dependence makes it critical for management to ensure their IT infrastructure is not only reliable but secure. As IT professionals we all understand that to secure an infrastructure we must focus on the CIA Triad: confidentiality, integrity, and availability. "An information systems audit would, therefore, ensure that the organization's data is confidentially stored, that data integrity is ensured and data is available at all times for the authorized users" (Dr. Ocharo, 2015). She explains that to ensure CIA security, auditing of information systems looks at the organization's IT systems, management, operations, and other related processes. The three types of audits conducted focus on either support of financial statements, compliance (law, policy, or standard), or performance. IT audits would focus on performance or compliance. Performance IT audits focus on the return on investment (ROI), which is necessary since so many times the IT department gets tightly budgeted (security isn't cheap!).

In my studies, I have learned to place security in the front end because it can be difficult to apply in the back end, so it was no surprise to learn that auditing can be placed in the front end of the initial design and installation of information systems to ensure proper placement of IT controls. Dr. Ocharo's in-depth perspective on auditing supports her recommendation of auditors being CISA certified, with their workload consisting of learning the organization's objective and scope, identifying IT controls relevant to the type of audit being performed and evaluating them through testing, and building a report of the findings. The testing for evaluation requires some level of IT understanding.

As I was studying for my GSNA certification (GIAC Systems and Network Auditor), one thing I remember was that cooperation was key between the auditor and the IT personnel, and Dr. Ocharo says this can be difficult since most see auditors as sadists, but they are there to assist and improve. Since risk management is fed by a risk assessment, the audit would be the official evaluation of how well it was managed. Auditing should be seen as a form of checks and balances, ensuring that the IT control was indeed applied and functioning in the way it was briefed and documented to management. By auditing the IT controls, Dr. Ocharo writes, it is useful in building confidence and public reputation, saving an organization the public humiliation or damage to reputation in the event of a breach due to gaps in security.


Ocharo, H. (2014, June 20). The Importance of Information Systems Audit. Retrieved from…


Student two:

The article "How to Perform IT Risk Assessment" by Illia Sotnikov does a wonderful job of breaking down the daunting process of conducting an IT risk assessment into nine steps (2018). The first two steps, identify and prioritize assets and identify threats, can be a challenge to any organization (Sotnikov, 2018). IT networks grow so fast that it is difficult to keep an accurate account of what is on the network. Even with the best configuration management procedures and policies in place, equipment can get added to the network by administrators who are in a hurry or want to take shortcuts.

Steps three and four, identifying vulnerabilities and analyzing controls, can be made easier by using popular automated vulnerability assessment tools (Sotnikov, 2018). Some of these tools can identify not only known vulnerabilities but controls for the vulnerabilities as well. Determining the likelihood of an incident and assessing the impact of a threat, steps five and six, requires some imagination (Sotnikov, 2018). Identifying all possible threats to a network could turn into a long list of possibilities. The key to identifying threats is focusing on real threats; if a business is in Kansas, there is no need to plan for hurricanes. Focusing on real threats and their impact will help with later steps of the process.

The final steps, prioritizing risks, recommending controls, and documenting results, culminate what can be a very long process (Sotnikov, 2018). Prioritizing risks can be done by starting with the most likely threat that will have the greatest impact. When looking at controls, it is helpful to realize not all controls will be able to be implemented. All organizations have a finite budget, and some risk will either need to be accepted or avoided. At the end of the process, the results of the assessment need to be documented so they can be approved by senior management for resource allocation and control implementation.

Sotnikov, I. (2018). How to Perform IT Risk Assessment. Retrieved from
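The nine-step process student two summarizes can be made concrete with a small risk register. The following is an added example written for this discussion, not code from Sotnikov's article or from any tool it mentions. The register entries, the 3-point likelihood/impact scale, the budget units and the acceptance threshold are all constructed assumptions; a real assessment would take these from the organization's own asset inventory and risk appetite.

```python
# Added example (not from Sotnikov's article): a minimal risk register that walks
# the nine steps in code. Scores, costs and the sample entries are constructed.
from dataclasses import dataclass

RATING = {"low": 1, "medium": 2, "high": 3}  # assumed 3-point scale


@dataclass
class Risk:
    asset: str           # step 1: what we are protecting
    threat: str          # step 2: what could go wrong
    vulnerability: str   # step 3: why the threat could succeed
    control: str         # steps 4 and 8: the control that would reduce it
    likelihood: str      # step 5
    impact: str          # step 6
    control_cost: int    # arbitrary budget units (constructed)
    applicable: bool = True  # False for threats that do not apply to this site

    def score(self) -> int:
        """Step 7 input: likelihood x impact on the 3-point scale (1..9)."""
        return RATING[self.likelihood] * RATING[self.impact]


def identify_threats(register):
    """Step 2: keep only threats that are real for this organization
    (e.g. drop hurricanes for a Kansas site)."""
    return [r for r in register if r.applicable]


def prioritize(risks):
    """Step 7: highest score first; cheaper control first on ties."""
    return sorted(risks, key=lambda r: (-r.score(), r.control_cost))


def plan_treatment(register, budget, accept_threshold=2):
    """Steps 7-9: decide, in priority order, which controls to fund.
    Returns (treated, accepted, remaining_budget); each entry is (risk, reason).
    Low-scoring risks are accepted outright; higher ones are funded while the
    budget lasts, and the rest are explicitly accepted pending sign-off."""
    treated, accepted = [], []
    remaining = budget
    for r in prioritize(identify_threats(register)):
        if r.score() <= accept_threshold:
            accepted.append((r, "within risk tolerance"))
        elif r.control_cost <= remaining:
            treated.append((r, f"fund: {r.control}"))
            remaining -= r.control_cost
        else:
            accepted.append((r, "unfunded; needs management sign-off"))
    return treated, accepted, remaining


def document_results(treated, accepted, remaining):
    """Step 9: a plain-text summary that management can approve."""
    lines = ["RISK TREATMENT PLAN"]
    for r, why in treated:
        lines.append(f"TREAT  score={r.score()} {r.asset} / {r.threat}: "
                     f"{why} (cost {r.control_cost})")
    for r, why in accepted:
        lines.append(f"ACCEPT score={r.score()} {r.asset} / {r.threat}: {why}")
    lines.append(f"unallocated budget: {remaining}")
    return "\n".join(lines)


# Constructed sample register (not real assets or findings)
SAMPLE_REGISTER = [
    Risk("customer database", "ransomware", "unpatched file server",
         "patch management + offline backups", "high", "high", 40),
    Risk("public web app", "SQL injection", "unvalidated input",
         "parameterised queries + code review", "medium", "high", 25),
    Risk("office LAN", "rogue device added by admin shortcut",
         "no network access control", "802.1X port authentication",
         "medium", "medium", 30),
    Risk("server room", "hurricane", "no flood barrier",
         "relocate to raised floor", "low", "high", 50, applicable=False),
    Risk("lobby kiosk", "screen defacement", "default local password",
         "change default credentials", "low", "low", 1),
]

if __name__ == "__main__":
    print(document_results(*plan_treatment(SAMPLE_REGISTER, budget=60)))
```

With a budget of 60 units, only the ransomware control is funded; the SQL injection and rogue-device risks are recorded as accepted but unfunded, which is exactly the "some risk will need to be accepted" outcome the post describes, and the documented plan makes that residual risk visible to management rather than silently dropping it.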