This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."
Download it now to read this article plus other related content.
"Absence of their policy and standard doesn't give me a get-out-of-jail-free card. If there's a problem I will state there's a problem whether there's a missing policy or procedure. Their lagging is my point," Sastry says."Where they're not lagging, they're absolutely an ally of mine."
Sastry says it's a healthy tension between internal audit and security, one that arises, obviously, when security is lacking an important cog in a policy or process. It's Sastry's job to point out the gap, and the internal or external policy line item that mandates why that gap must be filled. Sastry says the presence of a security steering committee, meanwhile, helps soothe some angst in those cases.
"If you put audit and the independent objective review of systems and security at one end of the spectrum, and you put the processor who is trying to do job No. 1 which is make money and keep customers happy at the other end, [the committee] lies in the center and tries to balance things," Sastry says. "The committee brings all points of views together, and says let's get a compromise, a tradeoff set of solutions that adequately address the risk side, and the cost, compliance and process sides of the equation." The committee's biggest benefit, Sastry observes, is the instant buy-in it affords to projects.
"At the end of that meeting, everyone agrees we have considered the alternatives, the risk, why we need to do it and we move ahead," Sastry says. "You can go to lower levels
Clearly the days of operating in silos are over for information security.
"The key is collaboration, especially up front on plans and policies," says Viacom's Noble. "You both need to agree on what needs to be done and the level of control in the organization. From there it's the business of internal audit to go in and validate."
This was first published in January 2009