This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
"The current problems have really been driven by people accepting too much risk, and not necessarily that controls weren't there. From a business aspect, they weren't evaluating risk adequately," Noble says. "Personally, that's the aspect [that's going to grow]; you have to document more the risk you're taking to prove you're aware of risk. Enterprise risk management will be key."
Noble isn't in the camp that believes more controls are the answer. Companies are already bogged down in expensive compliance programs, especially around SOX and PCI. Former Speaker of the House Newt Gingrich in November went so far as to call for a repeal of SOX.
"Companies are going to look to cut the cost of compliance with SOX and things like that. I can see companies screaming and saying 'SOX is costing us too much, we can't afford it in this climate,'" Noble says. "I think there will be a corresponding push toward more documentation of the business risk being taken by companies and more transparency to that. I think it's going to be difficult to implement more regulations because of the cost element because the cost of the control is going to be more than the risk. It's a cost balance."
Ram Sastry, an internal IT auditor at American Electric Power in Columbus, Ohio, believes that more regulation is inevitable in his industry and that it will draw him closer to information security. New NERC (North American Electric Reliability Corp.) standards that
"That's a good place where we have a strong working relationship," Sastry says. Sastry was a member of Freese's Executive Security Committee (see "The Company You Keep," p. XX) for three-and-a-half years up until 2006, participating alongside other business leaders in assessing information security projects as they pertain to the business.
Sastry says his role is one of evaluating initiatives for policies, procedures or processes that may be absent and vital to the success of a project. While up-front input is vital, in the end he has to ensure compliance with internal or industry regulations. "If you ask me from an audit, compliance and regulatory standpoint, committee or no committee, this is what you need to get done," Sastry says.
Sastry, who is responsible for internal audits on NERC policies and processes, as well as AEP's SOX compliance processes, says audit looks at a new policy or upgrade from a different angle than security.
"We look at it through the lens of: Can we audit from this policy? Is this policy auditable? Is it actually implementable? Are we having wide-scale exemptions that water down the policy? Are you directing people to do things but there's no way of preventing or detecting violations? Or are there mechanisms for providing a directive control, then preventing them from doing it and detecting them if they had done something inappropriate?" Sastry explains. He adds that his teams review internal control testing, and those results are provided to external auditors, who use them to build on their own testing efforts. Clearly, internal auditors have to have an affinity with information security.
Sastry says information security policies and standards are referenced as controls by internal audit.
This was first published in January 2009