"The current problems have really been driven by
people accepting too much risk, and not necessarily
that controls weren't there. From a business aspect,
they weren't evaluating risk adequately," Noble says.
"Personally, that's the aspect [that's going to grow];
you have to document more the risk you're taking to
prove you're aware of risk. Enterprise risk management
will be key."
Noble isn't in the camp that more controls will be
the answer. Companies are already bogged down in
expensive compliance programs, especially around
SOX and PCI. Former Speaker of the House Newt
Gingrich in November went so far as to call for a
repeal of SOX.
"Companies are going to look to cut the cost of
compliance with SOX and things like that. I can see
companies screaming and saying 'SOX is costing us
too much, we can't afford it in this climate,'" Noble
says. "I think there will be a corresponding push
toward more documentation of the business risk
being taken by companies and more transparency
to that. I think it's going to be difficult to implement
more regulations because of the cost element
because the cost of the control is going to be more
than the risk. It's a cost balance."
GAP ANALYSIS
Ram Sastry, an internal IT auditor at American
Electric Power in Columbus, Ohio, believes that
more regulation is inevitable in his industry and
that it will draw him closer to information security.
New NERC (North American Electric Reliability
Corp.) standards that govern cybersecurity in utilities
such as AEP aim to narrow gaps that expose
critical infrastructure to attack. Sastry's teams are in
place to assess what director of IT engineering security
Jerry Freese and his teams are doing to ready
business units and process owners.
"That's a good place where we have a strong
working relationship," Sastry says. Sastry was a member
of Freese's Executive Security Committee (see
"The Company You Keep," p. XX) for three-and-a-half
years up until 2006, participating alongside
other business leaders in assessing information
security projects as they pertain to the business.
Sastry says his role is to evaluate initiatives for
policies, procedures or processes that may be absent
yet vital to a project's success. While up-front input
is vital, in the end he has to ensure compliance with
internal or industry regulations.
"If you ask me from an audit, compliance and
regulatory standpoint, committee or no committee,
this is what you need to get done," Sastry says.
Sastry, who is responsible for internal audits on
NERC policies and processes, as well as AEP's SOX
compliance processes, says audit looks at a new policy
or upgrade from a different angle than security.
"We look at it from the lens: Can we audit from
this policy? Is this policy auditable? Is it actually
implementable? Are we having wide-scale exemptions
that water down the policy? Are you directing
people to do things but there's no way of preventing
or detecting violations? Or are there mechanisms
for providing a directive control, then preventing
them from doing it and detecting them if they had
done something inappropriate?" Sastry explains. He
adds that his teams review internal control testing
and those results are provided to external auditors
who use them to build on their testing efforts.
Clearly, internal auditors have to have an affinity
with information security.
Sastry says information security policies and
standards are referenced as controls by internal
audit.