
Page 1: In2SAM Audit Defence_ITAM Review Amsterdam April 2016

Nico Blokland & Sean van Koutrik

In2SAM

ITAM Review Audit Defence Workshop, Amsterdam, April 12th, 2016

Page 2

Who are we?

Nico Blokland

•  IT&SAM: evangelist, expert, coach, mentor, trainer, consultant, …
•  Dutch representative at the WG21 for ISO 19770-x
•  Husband and father
•  Co-owner at In2SAM

Sean van Koutrik

•  IT&SAM: evangelist, expert, mentor, trainer, consultant, …
•  Agile coach and practitioner
•  Husband and pilot
•  Co-owner at In2SAM

Page 3

What’s In2SAM?

Our name says it all: We Are In2SAM

•  Based in the Netherlands, acting globally
•  Distinction:
   –  Independent from vendors
   –  Includes Legal and Agile approaches
   –  ISO 19770-x
•  We bring solid and future-ready solutions to our customers. More than a century of IT&SAM experience.
•  Four pillars:
   –  Processes
   –  Standards
   –  Contracts
   –  Agility
•  Best in Class Tooling partners

SERVICE PORTFOLIO

•  Audit support
•  Contract analysis service
•  Pre-audit assessment
•  SAM maturity assessment
•  SAM transition projects
•  SAM or LM service
•  IT&SAM Consultancy
•  In2SAM Academy

Get your voucher for the Audit Monitor certification course at In2SAM

Page 4

What’s up?

•  How to prepare for an audit
•  Who to prepare
•  Your goals
•  The vendor’s audit goals

Page 5

Who is acting?

An Audit Protocol should be in place to guard your organization’s procedures and rights.

[Diagram: the different levels that (should) act during an audit]

•  Level 1 (appointed by senior management): Audit Monitor, Legal
•  Level 2 (appointed by the Audit Monitor) and Level 3 (appointed by team managers):
   –  IT: System managers, Network managers; Application owners, Database administrators; Architects
   –  Procurement: Contract manager, Buyer, Administrator

Page 6

Level 1

•  Audit Monitor
   –  Appointed by senior management
   –  Sufficient mandate, derived from the Audit Protocol
•  Audit Monitor’s goal:
   –  Protect the organization’s rights
   –  Monitor the audit process
   –  Protect the organization’s interest
   –  Use the organization’s potential

Attention for: Data and Privacy, Security, Commercial, Data protection

•  Legal
   –  Mandate derived from role
•  Legal’s goal:
   –  Protect the organization’s rights
   –  Monitor legislation
   –  Protect the organization’s interest
   –  Make use of the organization’s potential

Software Auditor’s goal: disrupt your audit protocol, ‘ignore’ laws and regulation, protect the software creator’s interest

Solution: Ensure the Audit Monitor is in charge (planning and communication)

Page 7

Level 2

•  Who: IT management, team leaders, application owners, contract/vendor managers and architects
•  Goal: Deliver resources for providing the required data and information
•  Monitor’s goal:
   –  Not all data is available ad hoc
   –  Not all data can be made available to the auditor, due to legal restrictions
   –  Check legality, accuracy and availability
•  Software Auditor’s goal: get in direct contact with this group, push on planning and delivery, ‘legal or not’

Solution: All requests via a single point of contact (Audit Monitor). Never ever, ever ever, ever ever ever allow direct communication with the auditor (unless supervised by the Audit Monitor)

Attention for: Data and Privacy, Security, Commercial, Data protection

Page 8

Level 3

•  Who: system/network managers/operators, purchasers/buyers, administrators, database administrators (DBAs)
•  Goal: Actual delivery of the required data from systems, using discovery, scripts, descriptions, drawings
•  Audit Monitor’s goal: Prevent producing data without a legal basis; gather only effective, checked and accurate data. Put it in a secure environment isolated from the network
•  Software Auditor’s goal: Get as much data and extra information as possible to build the best license proposition towards you, from their perspective and interest!

Solution: Communicate the protocol; ensure all communication and any data is delivered via the SPoC, the Audit Monitor

Attention for: Data and Privacy, Security, Commercial, Data protection

Page 9

The Audit Monitor

•  Single point of contact between auditor and organization;
•  Can be delegated in large organisations;
•  Controls, informs and manages all involved internal employees;
•  Informs and discusses the organization’s attitude towards the auditor with management and the legal department;
•  Final check on delivering requested data;
•  Supervision of all software auditor meetings (preferably in a dedicated ‘green room’);
•  Checks with the Legal department on the legality of the data requests;
•  Checks the auditor’s scripts with the security officer and system manager(s);
•  Checks the auditor’s references/credibility;
•  Arranges meetings, admittance and technical facilities (availability).

The Audit Monitor cannot be responsible for the actual outcome of the audit. Make sure the protocol is followed.

Page 10

Recap

•  Get all internal actors in line with the company goals;
•  Clearly communicate the audit protocol to the auditor and the software creator/publisher/vendor;
•  Don’t be pressured in time by the auditor; your organization’s schedule sets the speed;
•  Keep distance, be formal (no first-name basis);
•  Communicate that your local laws apply in all cases;
•  Analyse your (software) contracts (effectiveness/harmfulness);
•  When in Europe: look at the second-hand market to “pre-repair” breaches.

Most important: Prevent audits by having a solid License administration / SAM process (internal or external)

Page 11

Questions?

Page 12

What’s done?

•  Are you prepared for an audit?
•  Who to prepare?
•  Your goals clear?
•  The vendor’s audit goals gone?

Page 13

P.S. for your helicopter pilot license, contact:


Page 15

Workshop Audit Defense: how to effectively react to an audit announcement

Page 16

Workshop Audit Monitor

•  Introduction
•  Starting point
•  Case: audit announcement/warning
   –  Work out (15 minutes):
      •  Meeh’s response to auditor DuL / software creator Microsoft (in bullets)
      •  Internal organization
      •  Desired outcome
   –  Gathering data: how and when is it accurate (15-20 minutes) (Belarc)
      •  Software
      •  Entitlement
   –  Discuss some outcomes (10-15 minutes)

Remember: Laws & legislation, data issues, communication, organization


Page 19

Tips

•  Check and follow your internal audit protocol
•  Install an Audit Monitor
•  Communicate your audit protocol and SPOC to the Software Creator or Auditor
•  Check:
   –  Data protection
   –  Privacy laws
   –  Security
   –  Commercial data
•  NDA with auditor
•  Check and install a SAM process


Page 23

Audit Protocol

Example content of an audit protocol:

1.  Authority mapping of the organization (senior management, legal, etc.)
2.  NDA, certification levels of auditor(s)
3.  Security rules
4.  Admittance rules to high-security environments
5.  Applicable laws
6.  Commercial protection
7.  Data protection
8.  Data/process flow from announcement until closure of an audit