World View

Oui, Virginia, There Is a Hell

Wherein our intrepid American CISO sits before a European audit committee?

By Paul Raines

September 01, 2006 | CSO

There's an old joke that heaven is where the policemen are English, the engineers are German and the cooks are Italian. Hell is where the policemen are German, the engineers are Italian and the cooks are English. Having now gone through three security audits in Europe, I would like to add my own addendum to the joke. In heaven the auditors are American; in hell they are European. That lesson was driven home to me in my last audit. A panel of auditors from different European countries reviewed my status report.

"So tell me," the German audit chairwoman asked, peering over my report. "Why did you neglect to publish die minutes of your information security forum meeting?"

"Ummm, because I didn't know I was required to?" I offered sheepishly. "I mean, why take minutes? We discuss security issues, and if there are any action items coming out of the meeting then we deal with those in a separate list of action items."

"Und how do you suppose I am to know exactly what was said at dis meeting?"

"Why do you need to know?" I asked. Oops, first mistake on my part.

"Der auditor should be able to reconstruct die significant actions that have occurred between now und die last audit." Karate chopping the air to emphasize each syllable, she continued: "Dat is a matter of efficiency."

"Well, pardon my French, mais je pense c'est le bull." Darn, there was my second goof.

"Je comprends français," the French auditor piped up, "et ce n'est pas le bull."

He had me there. It didn't seem like a good idea to pursue this line of defense in a Latin language.

"OK," I conceded, "Next time I'll publish minutes."

It was now the Dutch auditor's turn. "En Ik noticed dat your risk assessment had no standard for what is een acceptable risk."

"That's because the organization doesn't have a standard for acceptable risk," I countered. "In a risk assessment, I outline the different types of risks, their potential impact, their likelihood of occurrence and the mitigating controls in place. At the end I make a professional judgment as to whether the level of risk is acceptable to the organization."

"Dat is not what ist required by ISO 17799," the German chairwoman said, irritated at my blasphemy. "Die standard is there for ein reason."

"But an audit is about considering whether sufficient controls are in place to mitigate significant risks," I protested. "It's not about whether you are following the letter of a standard." Strike three! You're outta there!

A collective groan went up from the panel. The auditors spent the next 20 minutes lecturing me on
