Q&A

Former ISACA Head: SAS 70 Changes Coming

Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors, expects changes for SAS 70 and more collaboration between security and non-security management groups

By Bill Brenner, Senior Editor


CSO: Which specific compliance issues are companies having to pay more attention to now?
If you look back several years to when the Sarbanes-Oxley Act took effect, the emphasis was on controls being placed around financial systems. Less attention was given to controls around the operational systems behind that, so that is an area that will be getting more focus. Complying with Sarbanes-Oxley meant having good financial controls. Operationally, however, there are issues with how the back end is managed. Operational problems with the rating companies led to some of today's problems. And so a lot of compliance efforts, specifically in the banking and mortgage sector, are starting to focus on better security around the operational controls as well as what was put in place for the financial controls.

CSO: In your daily duties at Ernst & Young, what are the security and control issues that are making you lose the most sleep these days?
My biggest concerns are the ones related to me by our customers: issues surrounding user access and provisioning, segregation of duties, privacy and data classification. Those items come up all the time, specifically the question of how best to achieve these things. One non-technical issue I hear about all the time concerns the best way to communicate with upper management and demonstrate the return on investment for security measures that are being taken.
