Educause Security Discussion mailing list archives

<SPAM> Re: Shared Security/Audit Position


From: Matthew Dalton <daltonm () OHIO EDU>
Date: Wed, 24 Oct 2007 15:49:01 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve,

Interestingly enough, it's because of the good relationship we have, or
at least, that I inherited, that this question has come up.  The
Director of University Audit asked me if it was something we could
consider.  I'm still trying to see if there is a way to make it work,
and that includes separating them from those functions that would best
be approached differently by the two offices.  The way we have discussed
it so far is that it would be a position reporting to me, but not part
of the main group, and with dotted line reporting to Director of Audit.
 We want to tread carefully, for the very reason that you indicated - we
don't want to jeopardize the good relationship that we've had so far.

Steve Schuster wrote:
At Cornell, we do not have a shared resource but rather have focused on
building a strong relationship between the IT Security Office and
University Audit.  I support the Audit Office in performing such things
as IT scans with interpretation if necessary and the Audit Office
supports me in findings that support the wider security mission.  The
Audit Office does a fine job of IT audits but, let's face it, between
the two groups we have very different approaches to things.  I see this
as a good thing.

I would rather focus on strong relationships with shared interests
rather than a shared resource.

sjs

Steve Schuster
Director, IT Security Office
Cornell University
sjs74 () cornell edu




On Oct 24, 2007, at 2:43 PM, Matthew Dalton wrote:

Hi!

I was wondering if anyone on the list has had experience with a shared
position between their internal audit and information security offices.
 We are investigating this possibility to assist our Audit department.
We are currently trying to determine what, if any, job responsibilities
would not become conflicts of interest between the two roles.  Does
anyone have any experience in this?  Thanks!



- --
Matthew Dalton
Director of Information Security
Office of Information Technology
HDL Center 375B
Phone: 740-597-1914
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFHH6GtVKUofGqW+twRAiKaAKCeSHlbLqC9MnPVYoNtM6H61e7vmQCeNX3j
G8EZXya/0GLNAJfT6MRQck4=
=Xj4k
-----END PGP SIGNATURE-----
