Playing the blame-game with regulatory compliance issues

By Marcia Savage, Featured Editor, Information Security magazine 19 Jun 2006 | SearchSecurity.com

News on data management trends and technology Digg This!     StumbleUpon     Del.icio.us

SAN FRANCISCO -- Compliance can complicate the job of protecting information, and security professionals often pin much of that difficulty on compliance auditors. However, according to an analyst at last week's Burton Group Catalyst Conference, security pros need to acknowledge that they too contribute to some of that pain.

Trent Henry, senior analyst at Midvale, Utah-based Burton Group, told attendees that both teams tend to have different opinions on compliance and often have an adversarial relationship.

For more on compliance and security Check out our Spotlight on Security Learn why SOX compliant firms are reporting a drop in costs in their second year of compliance

For example, an auditor may ask a security team if passwords are eight characters long. But a company may have deployed strong authentication; a simplistic question like that, Henry said, shows the auditor hasn't properly assessed risk in the individual environment.

On the other hand, a security team may use compliance to justify pet projects, such as encryption. Holes in a company's infrastructure may not match up with regulatory requirements.

Henry advised security professionals to see the auditor as a friend, not a foe. Spend time talking with the internal audit team, and if possible, the external audit team too.

"Let's move towards partnership," he said.

Security professionals should try to understand the auditor's perspective, Henry advised. Auditors will look for coverage of fundamentals, such as segregation of duties, change control, authorized access, and records retention, especially when it comes to Sarbanes-Oxley. They'll also ask for a security policy. While it's essential that an organization have updated policies, Henry said many are lax on that front.

Additionally, security teams should take the time to understand the regulations, relate technology to controls and objectives and avoid vendor promises, such as those that claim to offer Sarbanes-Oxley compliance "in a box."

At the same time, auditors need to meet security teams halfway. "It's not just about their [auditors'] methodology," Henry said.

"We can't eliminate the pain here but there are a few tablets we can take," he added.

In another session, David Drossman, CISO of Investment Technology Group Inc. a New York-based brokerage agency and technology firm, advised security professionals to understand the business of their organization.

"Don't just read the Web site to learn about your company," he said. "That's not going to make you a leader."

Rather, learn about the business by spending a week shadowing the sales or other staff. "There's no better way to learn than riding shotgun," Drossman said.

Another way to learn is by attending seminars on subjects outside your expertise; an example might be accounting. Understand the other technology functions in your company such as development and support.

"Even though your job is security, the main goal is to keep the business running," Drossman said.

This year's Catalyst Conference also included a variety of sessions on identity management, network strategies, and application issues. The event drew some 1,800 attendees.

This article orginally appeared on SearchSecurity.com.

Tags: Auditors in the Enterprise,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Auditors in the Enterprise Salaries for SOX accountants on the rise

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary