Educause Security Discussion mailing list archives
<SPAM> RE: Shared Security/Audit Position
From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 24 Oct 2007 14:41:34 -0600
Matthew,

There should be no problem with this as long as the IT person does not have an audit evaluative role over something where he/she has operational responsibilities. There should also be a process for documenting any potential or perceived conflicts of interest. A lot of the concerns go away when you take the time to document the potential conflict. When conflicts exist and aren't clearly disclosed is where you run into problems.

I think it is a smart move to share the resource - whether you make it an official "dotted line" position or just a shared set of services (remember that auditors are allowed by standard to provide advisory/consultative services to management. This can be useful to IT groups too.)

Many IT Auditors are highly pressured to try and "know" everything, to appear knowledgeable, or as a misinterpretation of the proficiency requirements of the standard. After almost 14 years of audit I've discovered it is truly silly to think any one person can develop adequate networking skills, and forensic skills, and development skills, and management skills, and auditing skills, and security skills, and ... I've found both due to experience and simple necessity that sometimes it is best for the auditor to actually be "dumb" about an issue. Sometimes the "dumb" or "ignorant" question is the most revealing. Auditors should emphasize their credibility at risk analysis and process analysis more than being concerned about technical fluency, which is where this partnership comes in. Having a technically adept partner help with technical measurements is extremely valuable, and the cross-training it provides (leveling, empathy for other positions and objectives) has a great impact on achieving realistic action plans.

I don't think you have a problem if you stay away from operational responsibilities and maintain good records of conflicts.
Just make sure the IT person can't be evaluated in any sort of way on opposing objectives or against his/her own work due to audit participation.

Best regards,
Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************

-----Original Message-----
From: Matthew Dalton [mailto:daltonm () OHIO EDU]
Sent: Wednesday, October 24, 2007 12:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Shared Security/Audit Position

Hi!

I was wondering if anyone on the list has had experience with a shared position between their internal audit and information security offices. We are investigating this possibility to assist our Audit department. We are currently trying to determine what, if any, job responsibilities would not become conflicts of interest between the two roles. Does anyone have any experience in this?

Thanks!

--
Matthew Dalton
Director of Information Security
Office of Information Technology