What date do you usually put in for audit and maintenance date? There are some controls which have to be started soon but are due only 1 - 2 months later.
e.g. I have just put in our security awareness e-learning as a control, I have put the very first date as maintenance date (= 3 months before deadline), so that I get a notification when to start updating it.
But for the audit control itself it would be nice to have another start date to be reminded to initiate the e-learning and not only get a notification 10 days before deadline because this is far too late to initiate it.
How is it supposed to be done within Eramba? How do others handle this?
Hey there!
First make sure we distinguish between what we understand by “audit” and what we mean by “maintenance”, using your awareness example:
- maintenance: every month I sit down with people and ask them to listen to my security speech.
- audit: I ask people to complete multiple choice exams; they must answer all questions correctly to call the audit a pass.
eramba needs (ideally) at least “audits” to operate (none of them are MANDATORY FIELDS in eramba).
You set them in the periods you feel are needed or you know you will be requested (if you have external audits and they expect you to audit every semester, you audit every quarter just to be sure things will be all right when they come).
Most people I know do not use maintenance since their GRC department does not “run” things. But in your example, again, it could be as much as you feel is needed so people pass the “audits”.
Important note: since you can plan what controls you have, how many audits and maintenances each will have over the year and how much time each takes, you can and should budget things (your team's time, your time and of course money!) right so you can keep up with your audits. Planning to audit 4 times a year and auditing 3 times or 4 times late is typically a bad sign for an external audit… I'm sure you know that.
This week we are running Security Services trainings and will be discussing this topic. Feel free to join!
In our case we have some key controls in the enterprise Internal Control System where fixed deadlines are set that we need to keep. Since the ICS is implemented in a very awful and unusable web application, I want to manage the security controls all in Eramba. It doesn't look nice when the dates are different between Eramba and the ICS, but I think I will set the start date in Eramba so as not to miss the deadline date.
I'm used to always setting two dates for each control, a start and an end date. But of course this usually applies to highly formalized and monitored controls.
Yep, I think I understand you. I have an internal audit department and they keep their own dates too on my controls. I also have external auditors… so my dates in eramba are designed to address both of them. In the end our IT teams get audited by three different people… they are quite fed up!