Security Management Strategies for the CIOCISOs ARE QUICK TO POINT OUT they are often at odds with internal auditors. Auditors are duty-bound to regulations and internal policy, and are accountable to ensure that industry and federal mandates are carried out by business leaders. Security officers bemoan that auditors pull the security staff in so many directions, and have them concentrating on controls that satisfy so many regs, that compliance supersedes security and the strategic plan is forsaken.
Reality may be a bit less contentious.
"I don't think we have different goals personally. Internal audit and information security have same goal, which is to mitigate risk," says Anthony Noble, vice president of IT audit at media giant Viacom. "Internal audit has a broader frame where we're trying to mitigate financial risk, while information security mitigates data loss or disclosure. They shouldn't have clashing agendas."
Noble has refined this vision sitting on Viacom's equivalent of a security steering committee, an ad hoc entity composed of information security, audit, finance, legal and human resources that formed on the heels of a publicly disclosed breach earlier this year.
As a result, the committee pushed through controls to secure personally identifiable information that include awareness training programs, the elimination of PII from business processes (e.g., the use of Social Security numbers as identifiers), and a DLP implementation that scans files for sensitive information.
Noble's
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
job is one of checks and balances that
ends up being much more than a rubber stamp on
the process. Up front he helps evaluate the committee's
plans and points out potential gaps that could
increase risk. And on the back end is the validation of
whether work was done as promised and that controls
are working and effective. His participation up
front via the committee allows him to monitor controls
as they're being developed and ward off shortcomings
before they're put in production.
"It's much more efficient to have that evaluation up front," Noble says, adding that he-and legal- audits against regulations such as Sarbanes-Oxley and state data breach notification acts, as well as internal policy. "We work fairly closely in developing the plan, and then there is that aspect of 'audit blessing' [afterward]."
Mergers and acquisitions (Viacom acquired CBS in 1999, and then the two split again in 2005) as well as the requirements presented by Sarbanes-Oxley drove information security and audit closer.
"[Security and audit] shouldn't have clashing agendas. The main area we might clash is if we say, 'Might it be good to do this control?' [and] they might turn around and say it's too expensive, that there's not enough risk to make the control cost effective," Noble explains. "In the end, we're both trying to mitigate risk. They have to evaluate the risk of data loss and we have to look at the risk of financial information being incorrect."
Whether tossed together contentiously or coexisting amicably, audit and security better get used to the sight of each other, especially in the current economic downturn that could bring more regulation and more demands for IT risk to be documented and presented.
This was first published in January 2009
Join the conversationComment
Share
Comments
Results
Contribute to the conversation