World View

Oui, Virginia, There Is a Hell

Wherein our intrepid American CISO sits before a European audit committee?

By Paul Raines

September 01, 2006 | CSO

There's an old joke that heaven is where the policemen are English, the engineers are German and the cooks are Italian. Hell is where the policemen are German, the engineers are Italian and the cooks are English. Having now gone through three security audits in Europe, I would like to add my own addendum to the joke. In heaven the auditors are American; in hell they are European. That lesson was driven home to me in my last audit. A panel of auditors from different European countries reviewed my status report.

"So tell me," the German audit chairwoman asked, peering over my report. "Why did you neglect to publish die minutes of your information security forum meeting?"

"Ummm, because I didn't know I was required to?" I offered sheepishly. "I mean, why take minutes? We discuss security issues, and if there are any action items coming out of the meeting then we deal with those in a separate list of action items."

"Und how do you suppose I am to know exactly what was said at dis meeting?"

"Why do you need to know?" I asked. Oops, first mistake on my part.

"Der auditor should be able to reconstruct die significant actions that have occurred between now und die last audit." Karate chopping the air to emphasize each syllable, she continued: "Dat is a matter of efficiency."

"Well, pardon my French, mais je pense c'est le bull." Darn, there was my second goof.

"Je comprends français," the French auditor piped up, "et ce n'est pas le bull."

He had me there. It didn't seem like a good idea to pursue this line of defense in a Latin language.

"OK," I conceded, "Next time I'll publish minutes."

It was now the Dutch auditor's turn. "En Ik noticed dat your risk assessment had no standard for what is een acceptable risk."

"That's because the organization doesn't have a standard for acceptable risk," I countered. "In a risk assessment, I outline the different types of risks, their potential impact, their likelihood of occurrence and the mitigating controls in place. At the end I make a professional judgment as to whether the level of risk is acceptable to the organization."

"Dat is not what ist required by ISO 17799," the German chairwoman said, irritated at my blasphemy. "Die standard is there for ein reason."

"But an audit is about considering whether sufficient controls are in place to mitigate significant risks," I protested. "It's not about whether you are following the letter of a standard." Strike three! You're outta there!

A collective groan went up from the panel. The auditors spent the next 20 minutes lecturing me on