Educause Security Discussion mailing list archives

<SPAM> RE: Shared Security/Audit Position


From: Jim Dillon <Jim.Dillon () CUSYS EDU>
Date: Wed, 24 Oct 2007 14:41:34 -0600

Matthew,

There should be no problem with this as long as the IT person does not
have an audit evaluative role over something where he/she has
operational responsibilities.  There should also be a process for
documenting any potential or perceived conflicts of interest.  A lot of
the concerns go away when you take the time to document the potential
conflict.  When conflicts exist and aren't clearly disclosed is where
you run into problems.

I think it is a smart move to share the resource - whether you make it
an official "dotted line" position or just a shared set of services
(remember that auditors are allowed by standard to provide
advisory/consultative services to management.  This can be useful to IT
groups too.)

Many IT Auditors are highly pressured to try and "know" everything, to
appear knowledgeable, or as a misinterpretation of the proficiency
requirements of the standard.  After almost 14 years of audit I've
discovered it is truly silly to think any one person can develop
adequate networking skills, and forensic skills, and development skills,
and management skills, and auditing skills, and security skills, and ...
I've found both due to experience and simple necessity that sometimes it
is best for the auditor to actually be "dumb" about an issue.  Sometimes
the "dumb" or "ignorant" question is the most revealing.  Auditors
should emphasize their credibility at risk analysis and process analysis
more than being concerned about technical fluency, which is where this
partnership comes in.  Having a technically adept partner help with
technical measurements is extremely valuable, and the cross-training it
provides (leveling, empathy for other positions and objectives) has a
great impact on achieving realistic action plans.

I don't think you have a problem if you stay away from operational
responsibilities and maintain good records of conflicts.  Just make sure
the IT person can't be evaluated in any sort of way on opposing
objectives or against his/her own work due to audit participation.

Best regards,

Jim

*****************************************
Jim Dillon, CISA, CISSP
IT Audit Manager, CU Internal Audit
jim.dillon () cusys edu
303-492-9734
*****************************************
 
 
-----Original Message-----
From: Matthew Dalton [mailto:daltonm () OHIO EDU] 
Sent: Wednesday, October 24, 2007 12:44 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Shared Security/Audit Position

Hi!

I was wondering if anyone on the list has had experience with a shared
position between their internal audit and information security offices.
We are investigating this possibility to assist our Audit department.
We are currently trying to determine what, if any, job responsibilities
would not become conflicts of interest between the two roles.  Does
anyone have any experience in this?  Thanks!


--
Matthew Dalton
Director of Information Security
Office of Information Technology
