World View
Oui, Virginia, There Is a Hell
Wherein our intrepid American CISO sits before a European audit committee?
By Paul Raines
September 01, 2006 — CSO —
There's an old joke that heaven is where the policemen are English, the engineers are German and
the cooks are Italian. Hell is where the policemen are German, the engineers are Italian and the cooks
are English. Having now gone through three security audits in Europe, I would like to add my own
addendum to the joke. In heaven the auditors are American; in hell they are European. That lesson was
driven home to me in my last audit. A panel of auditors from different European countries reviewed my
status report.
"So tell me," the German audit chairwoman asked, peering over my report. "Why did you neglect to
publish die minutes of your information security forum meeting?"
"Ummm, because I didn't know I was required to?" I offered sheepishly. "I mean, why take minutes?
We discuss security issues, and if there are any action items coming out of the meeting then we deal
with those in a separate list of action items."
"Und how do you suppose I am to know exactly what was said at dis meeting?"
"Why do you need to know?" I asked. Oops, first mistake on my part.
"Der auditor should be able to reconstruct die significant actions that have occurred between now
und die last audit." Karate chopping the air to emphasize each syllable, she continued: "Dat is a matter
of efficiency."
"Well, pardon my French, mais je pense c'est le bull." Darn, there was my second goof.
"Je comprends français," the French auditor piped up, "et ce n'est pas le bull."
He had me there. It didn't seem like a good idea to pursue this line of defense in a Latin
language.
"OK," I conceded, "Next time I'll publish minutes."
It was now the Dutch auditor's turn. "En Ik noticed dat your risk assessment had no standard for
what is een acceptable risk."
"That's because the organization doesn't have a standard for acceptable risk," I countered. "In a
risk assessment, I outline the different types of risks, their potential impact, their likelihood of
occurrence and the mitigating controls in place. At the end I make a professional judgment as to
whether the level of risk is acceptable to the organization."
"Dat is not what ist required by ISO 17799," the German chairwoman said, irritated at my
blasphemy. "Die standard is there for ein reason."
"But an audit is about considering whether sufficient controls are in place to mitigate significant
risks," I protested. "It's not about whether you are following the letter of a standard." Strike three!
You're outta there!
A collective groan went up from the panel. The auditors spent the next 20 minutes lecturing me on