Former ISACA Head: SAS 70 Changes Coming

Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors, expects changes for SAS 70 and more collaboration between security and non-security management groups.

The conventional wisdom of recent years is that security must be approached as a business function rather than a separate, distracting entity. As such, security organizations must start collaborating with groups outside the security realm, according to Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors.

Damianides, a member of ISACA (Information Systems Audit and Control Association) since 1992 and its international president from 2003 to 2005, has helped numerous Fortune 100 companies design and implement security management systems and has watched the line between security and other business functions evaporate.

In this Q&A, he discusses impending changes for the SAS 70 auditing standard, ISACA's collaboration with ASIS International (ASIS) and the Information Systems Security Association (ISSA), and opportunities he sees for security and other groups to work together for the common good.

An update on SAS 70 is brewing, yes? Comment on how that auditing instrument needs to evolve, and how it might serve security purposes better, with the understanding that it isn't technically a "security" standard?

Marios Damianides: SAS 70 is becoming a broader tool. Talks are happening around the idea of creating general-purpose SAS 70s where you could define to some extent the environment you'll be auditing against and then design and test that environment. This could apply to security.

How so?

Companies need to show customers that their security environment is sound, so a general-purpose SAS 70 would define the security environment and the controls that would be audited. That kind of a SAS 70 could then be distributed to customers who signed an agreement with the company in question, so they know that the measures are being followed. I also believe SAS 70 will be more closely aligned with ISO 17799 (the international standard code of practice for information security management) over time to reflect the growing convergence between them.

Looking at today's threat landscape and the skills security professionals need to succeed, has anything changed since your time as ISACA's president, or are the skill sets needed basically the same?

The fundamentals are the same. The security professional needs to have the business acumen to be relevant to the corporation. That has always been the case. Is it more significant today than three or four years ago? Absolutely. The business side of being a good security professional is taking a more prominent role today than before. The technological aspects of security have become more accepted as day-to-day operating procedure. It's more of a commodity now. What's more challenging is for security professionals to show how the policies are relevant in making a difference to the business side.

ISACA has a formal working relationship with ASIS and ISSA. How did that come about?

Some years back the then-president of ISSA and I were speaking at a conference in L.A. and we met afterwards and agreed there was a lot of commonality between what the two groups were doing. We also agreed there was a convergence happening between the physical and the logical security worlds, and we ultimately invited the ASIS folks to join us in the discussion. That's how our alliance was born.

What specifically have the three groups achieved together?

We've brought together the various professionals at the management level of organizations, the technical security practitioners who aspire to be managers, and the physical security leadership. We issued several joint studies, including a convergence study a couple years ago and we have set up security councils.

What's the next step?

We're talking to groups more focused on program management to see if they would consider a closer working relationship with us, and we want to expand how we look at security convergence beyond our individual boundaries. We want to look at security in a broader form than what the three of us are focused on.

The functions represented by these organizations all have an obvious connection to the "risk management" function, i.e. the Risk and Insurance Management Society (RIMS) and the insurance world. Have you approached them? What might be achieved by working with those folks?

We have approached them. We considered if there was a broader risk framework that could be deployed and thought that since RIMS has some of those elements taken care of, it could be a framework we could adopt, adapt and develop a common methodology from. We've had discussions. It's something that's in progress.

There's been a lot of turmoil in the banking sector of late, especially with the FBI investigating several lenders for mortgage fraud. Talk about the effect this has had, if any, on how security, audit, loss prevention and related functions/fields need to work together.

The problems in this sector are leading to more changes around compliance. In some instances, there was either no policy or policies that were not in tune with the speed and functionality of today's environment. The policies were written when there was more time to do analysis and to take into account everything out there, and when the speed of information picked up, analysts started cutting corners to keep up. So policies are being revised to make sure corners are not being cut when system data is reviewed.

Which specific compliance issues are companies having to pay more attention to now?

If you look back several years to when the Sarbanes-Oxley Act took effect, the emphasis was on controls being placed around financial systems. Less attention was given to controls around the operational systems behind that, so that is an area that will be getting more focus. Complying with Sarbanes-Oxley meant having good financial controls. Operationally, however, there are issues with how the back end is managed. Operational problems with the rating companies led to some of today's problems. And so a lot of compliance efforts, specifically in the banking and mortgage sector, are starting to focus on better security around the operational controls as well as what was put in place for the financial controls.

CSO: In your daily duties at Ernst & Young, what are the security and control issues that are making you lose the most sleep these days?

My biggest concerns are the ones related to me by our customers: issues surrounding user access and provisioning, segregation of duties, privacy and data classification. Those items come up all the time, specifically the question of how best to achieve these things. One non-technical issue I hear about all the time concerns the best way to communicate with upper management and demonstrate the return on investment for security measures that are being taken.

Copyright © 2008 IDG Communications, Inc.