I am not a big fan of Questionaires when it comes to GRC, I am happy that someone shares my sentiment.
Andrew also provides some important pointers.
Important Lesson for GRC - Garbage In - will result in Gargabe Out
(From the article)
Do you sincerely believe that an incompetent person is going to respond to a questionnaire in a manner that highlights their incompetence? For example, imagine an incompetent or lazy system administrator. His work is poor, his attention to detail weak, perhaps he is distracted with personal or financial problems. On a questionnaire, it asks this system administrator to explain how often he checks systems for updated patches. He knows that company policy mandates that every system is checked monthly. However, he has not checked them in months.
Incompetent people often overstate and inflate their skill set where as highly competent people tend to understate their skills
If the data gathered from staff does not paint a representational picture of the environment, then whatever risk analysis comes from that data is faulty. This is merely a variant on the “garbage in, garbage out” cliché.
Threats are evolving so rapidly, that what was important to the organization 12 months ago could be radically different now. As such, any questions written 12 months ago, are not as relevant now. Standardization of questions assumes the threat landscape never changes.
The link below has more information:-
No comments:
Post a Comment