"Absence of their policy and standard doesn't give me a get-out-of-jail-free card. If there's a problem I will state there's a problem whether there's a missing policy or procedure. Their lagging is my point," Sastry says."Where they're not lagging, they're absolutely an ally of mine."

Sastry says it's a healthy tension between internal audit and security, one that arises, obviously, when security is lacking an important cog in a policy or process. It's Sastry's job to point out the gap, and the internal or external policy line item that mandates why that gap must be filled. Sastry says the presence of a security steering committee, meanwhile, helps soothe some angst in those cases.

"If you put audit and the independent objective review of systems and security at one end of the spectrum, and you put the processor who is trying to do job No. 1 which is make money and keep customers happy at the other end, [the committee] lies in the center and tries to balance things," Sastry says. "The committ...

"At the end of that meeting, everyone agrees we have considered the alternatives, the risk, why we need to do it and we move ahead," Sastry says. "You can go to lower levels of management and say that this has been agreed to by the ESC and now you have to comply with it. In our organization, if senior and executive management say you will do it, generally we will get good adoption."

Clearly the days of operating in silos are over for information security.

"The key is collaboration, especially up front on plans and policies," says Viacom's Noble. "You both need to agree on what needs to be done and the level of control in the organization. From there it's the business of internal audit to go in and validate."

< PREV PAGE   |   1  |   2  |   3  |   NEXT PAGE  >