<SPAM> Re: Shared Security/Audit Position

[Chad McDonald <chad.mcdonald () GCSU EDU>]

I agree with Gary's comments.  This may have the added benefit of buying
your unit more credibility by tying it to the audit unit.  I have found
that people often have little understanding of what "information
security" means.  On the other hand, everyone knows what an auditor is,
and are generally more likely to listen to an auditor rather than the
security guy/gal.

Chad McDonald, CISSP, CISA
Chief Information Security Officer
Georgia College & State University
Phone   478.445.4473
Cell    478.454.8250
Fax     478.445.1202
Email   chad.mcdonald () gcsu edu

> Who authors policies and standards might come into play.  It would be a
> conflict of interest for the audit role to author those, so if your
> security group does, it might be sticky.
>
> Matthew Dalton wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hi!
> >
> > I was wondering if anyone on the list has had experience with a shared
> > position between their internal audit and information security offices.
> >  We are investigating this possibility to assist our Audit department.
> > We are currently trying to determine what, if any, job responsibilities
> > would not become conflicts of interest between the two roles.  Does
> > anyone have any experience in this?  Thanks!
> >
> >
> > - --
> > Matthew Dalton
> > Director of Information Security
> > Office of Information Technology
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.7 (MingW32)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQFHH5JkVKUofGqW+twRAmIlAJ0X/G0YM9gyPniXz+vu4+EbgtfcDgCbBF4y
> > hCSiYQcAwjW6wRE691PERwQ=
> > =x+nW
> > -----END PGP SIGNATURE-----
>
> --
>
>  Gary Dobbins, CISSP -- Director, Information Security
>  University of Notre Dame, Office of Information Technologies