The Control Policy Group

Data security the way you run your business

Effective security and compliance without political suicide

Most organizations separate the two functions: security typically sits inside the IT department, while compliance usually reports to corporate finance or general management, or, in large companies, to a chief compliance officer.

We believe that security and compliance operations in a company are synergistic. The question is: how can you do it without committing political suicide in your company?

I saw a good example of this last year in an IT security audit we did for a NASDAQ-traded company as part of their Sarbanes-Oxley annual compliance effort. The VP Global IT was careful to explain to us that our scope of work was the information systems: we needed to look at the three pillars of information security, confidentiality, integrity and availability. When I asked about fraudulent use of the line-of-business applications (they are a big Oracle Applications user), he said:

“Oh no, we’ve set up a separate fraud committee. If anything bad happens, it definitely is not my problem.” I paused for a moment and thought to myself: this guy is really smart; he doesn’t have responsibility for financial reporting controls, so why should he have any responsibility for the risk damage?

It’s like I learned at Intel: organizational politics is not a dirty word, and staking out turf, avoiding turf wars by “segmentation” of the risk, is a very good thing.

Segmentation of risk is a central precept in any risk management activity, not just from a political perspective. Segmentation lets a company separate functions on the basis of operational responsibility and need to know.

The International Organization for Standardization (ISO) is going in this direction with a relatively new 55-page standard, ISO/IEC 27005, released in June 2008. As ISO explains on the ISO 27005 information page:

“ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.”

2 Comments so far

  1. [...] It’s like pre 9/11 – the FBI investigates and CIA analyzes but the two sides don’t talk about the threats and their potential damage. An excellent article on the Control Policy Group blog talks about the organizational politics of security and compliance. [...]

  2. [...] For more about crossing the security and compliance chasm – read the excellent article on the Control Policy Group blog on the organizational politics of security and compliance. [...]