Undercover
Audit Agitation
What do you do when your customers want you to do an independent security audit and your CEO doesn't?
"We have you to do our security! Are you telling me you're not doing your job?" He was turning crimson. Maybe I should have updated my résumé and put more money in that rainy-day fund.
"Let me explain," I said. "There are regulatory requirements
"What does it cost?" he demanded. Now we were getting down to business.
"Because of the size of the company and the services we provide, it will probably cost us around a quarter of a million."
"What?! You want to spend a quarter of a million dollars for a piece of paper?"
"Our clients...."
"If they don't have anything better to do, then tell them to go f*** themselves! Now get out of here!"
"But...."
"I said get out!" he shouted. The door slammed behind me.

Great. Now What?

I trudged back to my desk and contemplated my options. Not only had I not gotten approval for the audit, but I had actually been given an order to get rid of passwords, which would have been crazy. I got out a legal pad, drew three columns and labeled them "Option," "Pros" and "Cons."
In the first column, I put the password order. We could implement a biometric sign-in, which would allow us to drop the password and go with just the biometric identifier. But that would involve a lot of effort and money, and no one else in the company was complaining about passwords. I also had an obligation as a security professional not to weaken security by doing away with passwords. What doctor would knowingly put the lives of his patients in danger? By the same reasoning, what security professional would knowingly put the security of his network at risk? Chances are the CEO would never bring it up again. The first decision was made: Ignore the password order.
Next came the decision on the SAS 70. This was a different matter altogether. I wasn't exactly putting the security of the company at risk by not doing the audit, but it was clearly important. My first option: Order the SAS 70 on my own. I couldn't do this for two reasons. One: If the CEO ever found out, then he actually would have a good reason to fire me. Two: Because of the price tag, I would never be able to get it by the purchasing department without his permission.