SBS - The Best Value in QMS software

IT Governance

#1
I'm Conducting IT audit in an operational company, I found that
■ The IT function is not presented in an independent department; but under the financial department.
■ there is no separate IT strategic plan; the IT strategy is integrated within the corporate company strategy.
■ the company is using fortiGate product as firewall, router, antivirus, anti-spam, and Intrusion Detection System.

please help me identify the risk and impact of this situation



Ahmed
IT Auditor
 
Last edited:
Elsmar Forum Sponsor

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#2
Welcome to The Cove Ahmed!

If an IT strategy is robust and carried out effectively, I see no reason to be concerned about its being integrated with the corporate company strategy. In fact, I would be more worried if IT was in a world by itself and not given the attention and support it needs from top management.

Similarly, I do not worry about IT being under the financial department as long as it is adequately resourced.

The fortiGate product is a proprietary solutions package by Fortinet. It is critical for a robust IT strategy to address external risks through firewalls, and I am not IT so I cannot remark on it specifically, but I saw good reviews about it in three different internet sources. The risks I see with proprietary products is the chance that the company will be sold, merge or cease operations, thus potentially stopping support for the product and leaving its users with the need to migrate to new systems with great disruption. Lotus Notes is an example. Fortinet's value is trending very favorably on Forbes, which may mean it is in good shape or it is a ripe target for purchase. We cannot know which without more research.

Certainly the site's description of the fortiGate product seems comprehensive in its technical features. I would be interested to see how thoroughly the fortiGate features and services are implemented, tested and maintained. For example: has anyone tried out the backups by deleting a test file, then retrieving it via the service and its customer support? During an internal audit of IT I once tried to get Google to tell us how we would retrieve one of our Google Docs if it vanished. They sent us a flyer describing how they had backups in x number of global places for safety, but never told us how we would go about retrieving our lost data. Who does one call? Google? Maybe by now they have made this customer support need more readily available, but none of my 3rd party audit clients using Google Docs were able to tell me either. That looks like risk to me. Additionally, if the organization is using a mirrored server I would be interested to learn if they ran tests to see how well and how quickly they could recover if the main server is lost or shut down unexpectedly.

Lastly but perhaps most importantly is how the organization's employees understand and fulfill their responsibilities, for example to not be victimized by phishing. People continue to be the weak link in the IT security chain. I would ask about phishing training and drills too.

I hope this helps.
 
#3
Hi
Jen Kirley

thank you very much indeed for your interesting
Regarding fortiGate; addition to your point you, I'm afraid that one of the problems that can arise as a result of this situation is single point of failure, because of relying on a single product to control all or most of the information security issues

Ahmed Adam
 

Jen Kirley

Quality and Auditing Expert
Staff member
Admin
#4
Ahmed,

I understand your concern and would agree if I had seen this product first hand and could analyze its capabilities to address risks as I understand them. My husband is an IT professional, and does not use this product but describes knowing about it and its respected reputation. He says he would use it if he was starting his strategy from the beginning. I would be surprised to see an organization duplicate the structure between fortiGate and some other product.
 
#5
Ahmed,

I understand your concern and would agree if I had seen this product first hand and could analyze its capabilities to address risks as I understand them. My husband is an IT professional, and does not use this product but describes knowing about it and its respected reputation. He says he would use it if he was starting his strategy from the beginning. I would be surprised to see an organization duplicate the structure between fortiGate and some other product.


Thank you so much
I appreciate your comments, and for sure it was a valuable contribution
 
Top Bottom