Q&A
Former ISACA Head: SAS 70 Changes Coming
Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors, expects changes for SAS 70 and more collaboration between security and non-security management groups.
By Bill Brenner, Senior Editor
ISACA has a formal working relationship with ASIS and ISSA. How did that come about?
Some years back the then-president of ISSA and I were speaking at a conference in L.A. and we met afterwards and agreed there was a lot of commonality between what the two groups were doing. We also agreed there was a convergence happening between the physical and the logical security worlds, and we ultimately invited the ASIS folks to join us in the discussion. That's how our alliance was born.
What specifically have the three groups achieved together?
We've brought together the various professionals at the management level of organizations, the technical security practitioners who aspire to be managers, and the physical security leadership. We issued several joint studies, including a convergence study a couple of years ago, and we have set up security councils.
What's the next step?
We're talking to groups more focused on program management to see if they would consider a closer working relationship with us, and we want to expand how we look at security convergence beyond our individual boundaries. We want to look at security in a broader form than what the three of us are focused on.
The functions represented by these organizations all have an obvious connection to the "risk management" function, i.e. the Risk and Insurance Management Society (RIMS) and the insurance world. Have you approached them? What might be achieved by working with those folks?
We have approached them. We considered whether there was a broader risk framework that could be deployed and thought that, since RIMS has some of those elements taken care of, it could be a framework we could adopt, adapt and develop into a common methodology. We've had discussions. It's something that's in progress.
There's been a lot of turmoil in the banking sector of late, especially with the FBI investigating several lenders for mortgage fraud. Talk about the effect this has had, if any, on how security, audit, loss prevention and related functions/fields need to work together.
The problems in this sector are leading to more changes around compliance. In some instances, there was either no policy or policies that were not in tune with the speed and functionality of today's environment. The policies were written when there was more time to do analysis and to take into account everything out there, and when the speed of information picked up, analysts started cutting corners to keep up. So policies are being revised to make sure corners are not being cut when system data is reviewed.