CISOs ARE QUICK TO POINT OUT
they are often at odds with internal auditors.
Auditors are duty-bound to regulations and internal
policy, and are accountable to ensure that industry
and federal mandates are carried out by business
leaders. Security officers complain that auditors pull
security staff in so many directions, and have them
concentrating on controls that satisfy so many
regulations, that compliance supersedes security and the
strategic plan is forsaken.
Reality may be a bit less contentious.
"I don't think we have different goals personally.
Internal audit and information security have the same
goal, which is to mitigate risk," says Anthony Noble,
vice president of IT audit at media giant Viacom.
"Internal audit has a broader frame where we're
trying to mitigate financial risk, while information
security mitigates data loss or disclosure. They
shouldn't have clashing agendas."
Noble has refined this vision sitting on Viacom's
equivalent of a security steering committee, an ad
hoc entity composed of information security, audit,
finance, legal and human resources that formed on the
heels of a publicly disclosed breach earlier this year.
As a result, the committee pushed through controls
to secure personally identifiable information (PII)
that include awareness training programs, the elimination
of PII from business processes (e.g., ending the use
of Social Security numbers as identifiers), and a data
loss prevention (DLP) implementation that scans files
for sensitive information.
Noble's job is one of checks and balances that
ends up being much more than a rubber stamp on
the process. Up front, he helps evaluate the committee's
plans and points out potential gaps that could
increase risk. On the back end, he validates
whether work was done as promised and whether controls
are working and effective. His participation up
front via the committee allows him to monitor controls
as they're being developed and ward off shortcomings
before they're put in production.
"It's much more efficient to have that evaluation
up front," Noble says, adding that he and legal
audit against regulations such as Sarbanes-Oxley
and state data breach notification acts, as well as
internal policy. "We work fairly closely in developing
the plan, and then there is that aspect of 'audit blessing'
[afterward]."
Mergers and acquisitions (Viacom acquired CBS
in 1999, and then the two split again in 2005) as well
as the requirements presented by Sarbanes-Oxley
drove information security and audit closer.
"[Security and audit] shouldn't have clashing
agendas. The main area we might clash is if we say,
'Might it be good to do this control?' [and] they
might turn around and say it's too expensive, that
there's not enough risk to make the control cost
effective," Noble explains. "In the end, we're both
trying to mitigate risk. They have to evaluate the risk
of data loss and we have to look at the risk of financial
information being incorrect."
Whether thrown together contentiously or coexisting
amicably, audit and security had better get used to the
sight of each other, especially in the current economic
downturn, which could bring more regulation and more
demands for IT risk to be documented and presented.