Educause Security Discussion mailing list archives

Re: Shared Security/Audit Position


From: Matthew Dalton <daltonm () OHIO EDU>
Date: Wed, 24 Oct 2007 15:28:10 -0400


Gary,

That is definitely the type of situation we want to avoid.  Our Security
Office does create IT policy, but the role as envisioned would not
participate in these activities.  Instead, they would be responsible for
non-policy, and non-enforcement activities for the Information Security
Office, in addition to their audit responsibilities.  These might include:

- Awareness/Training
- Security Research (Published Best Practice, etc.)
- Security Audit (partner with the "other side" for pen testing, etc.)
- Technical Assistance to University Audit

There probably are others, but these were thoughts on how to get around
the conflict.

Matthew

Gary Dobbins wrote:
Who authors policies and standards might come into play.  It would be a
conflict of interest for the audit role to author those, so if your
security group does, it might be sticky.

Matthew Dalton wrote:
Hi!

I was wondering if anyone on the list has had experience with a shared
position between their internal audit and information security offices.
We are investigating this possibility to assist our Audit department.
We are currently trying to determine what, if any, job responsibilities
would not become conflicts of interest between the two roles.  Does
anyone have any experience in this?  Thanks!



--
Matthew Dalton
Director of Information Security
Office of Information Technology
HDL Center 375B
Phone: 740-597-1914
