Potemkin villages are what you get when you announce information security audits, because people cannot afford to be on the receiving end of "critical audit findings". "Audits are of little use for the management to steer a company and manage risks." Audit preparation produces no lasting improvement. People feel threatened by audits and do not see them as risk management techniques.
- Make the assessment selection process transparent
- Make the conclusions transparent
- Make it a shared decision and assessment process
- Don't blame anybody for risks found in an assessment