Internal auditors and CISOs mitigate similar risks


This article can also be found in the Premium Editorial Download "Information Security magazine: How to be successful with your security steering committee."

Download it now to read this article plus other related content.

"Absence of their policy and standard doesn't give me a get-out-of-jail-free card. If there's a problem I will state there's a problem whether there's a missing policy or procedure. Their lagging is my point," Sastry says."Where they're not lagging, they're absolutely an ally of mine."

Sastry says it's a healthy tension between internal audit and security, one that arises, obviously, when security is lacking an important cog in a policy or process. It's Sastry's job to point out the gap, and the internal or external policy line item that mandates why that gap must be filled. Sastry says the presence of a security steering committee, meanwhile, helps soothe some angst in those cases.

"If you put audit and the independent objective review of systems and security at one end of the spectrum, and you put the processor who is trying to do job No. 1 which is make money and keep customers happy at the other end, [the committee] lies in the center and tries to balance things," Sastry says. "The committee brings all points of views together, and says let's get a compromise, a tradeoff set of solutions that adequately address the risk side, and the cost, compliance and process sides of the equation." The committee's biggest benefit, Sastry observes, is the instant buy-in it affords to projects.

"At the end of that meeting, everyone agrees we have considered the alternatives, the risk, why we need to do it and we move ahead," Sastry says. "You can go to lower levels

    Requires Free Membership to View

of management and say that this has been agreed to by the ESC and now you have to comply with it. In our organization, if senior and executive management say you will do it, generally we will get good adoption."

Clearly the days of operating in silos are over for information security.

"The key is collaboration, especially up front on plans and policies," says Viacom's Noble. "You both need to agree on what needs to be done and the level of control in the organization. From there it's the business of internal audit to go in and validate."

This was first published in January 2009

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: