This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
CISOs ARE QUICK TO POINT OUT they are often at odds with internal auditors. Auditors are duty-bound to regulations and internal policy, and are accountable to ensure that industry and federal mandates are carried out by business leaders. Security officers bemoan that auditors pull the security staff in so many directions, and have them concentrating on controls that satisfy so many regs, that compliance supersedes security and the strategic plan is forsaken.
Reality may be a bit less contentious.
"I don't think we have different goals personally. Internal audit and information security have same goal, which is to mitigate risk," says Anthony Noble, vice president of IT audit at media giant Viacom. "Internal audit has a broader frame where we're trying to mitigate financial risk, while information security mitigates data loss or disclosure. They shouldn't have clashing agendas."
Noble has refined this vision sitting on Viacom's equivalent of a security steering committee, an ad hoc entity composed of information security, audit, finance, legal and human resources that formed on the heels of a publicly disclosed breach earlier this year.
As a result, the committee pushed through controls to secure personally identifiable information that include awareness training programs, the elimination of PII from business processes (e.g., the use of Social Security numbers as identifiers), and a DLP implementation that scans files for sensitive information.
"It's much more efficient to have that evaluation up front," Noble says, adding that he-and legal- audits against regulations such as Sarbanes-Oxley and state data breach notification acts, as well as internal policy. "We work fairly closely in developing the plan, and then there is that aspect of 'audit blessing' [afterward]."
Mergers and acquisitions (Viacom acquired CBS in 1999, and then the two split again in 2005) as well as the requirements presented by Sarbanes-Oxley drove information security and audit closer.
"[Security and audit] shouldn't have clashing agendas. The main area we might clash is if we say, 'Might it be good to do this control?' [and] they might turn around and say it's too expensive, that there's not enough risk to make the control cost effective," Noble explains. "In the end, we're both trying to mitigate risk. They have to evaluate the risk of data loss and we have to look at the risk of financial information being incorrect."
Whether tossed together contentiously or coexisting amicably, audit and security better get used to the sight of each other, especially in the current economic downturn that could bring more regulation and more demands for IT risk to be documented and presented.
This was first published in January 2009