
When I was working at MCI WorldCom - now Verizon - at the end of 2004, talking to yet another auditor about controls, I did not think that I would ever be looking back with nostalgia.
After working with one group of auditors as we were going into and coming out of Chapter 11 bankruptcy, we then had another group of auditors to work with as we prepared for a Sarbanes-Oxley (Sox) audit, and then another group of auditors as we had the actual Sox auditor.
Each group of auditors came in with little or no idea of the processes and policies we had to cover in the various areas of information security; we spent several hours with each new group explaining how we did things and why.
But although this all took an immense amount of time, and
explaining things with several different auditors over six months
was tedious, nevertheless there was a development that I found
useful, hence my nostalgia now.
There were several new initiatives that I was trying to introduce to complement our processes for removing access for leavers; these initiatives revolved around getting administrators to add a list of their users to a database and getting the human resources department to include the database in their leavers process.
What I was trying to get was an automated process whereby a
leaver's notification would be matched against a user name on the
database and the relevant administrator advised by e-mail that one
of the users on his application may be leaving.
A relatively simple process, and by the time I left the
organisation a large number of applications formed part of the
database, but that was some years after I first started pushing the
concept of the database.
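The matching step of the leavers process described above, as an added example that is not the author's or the organisation's own code: it assumes a constructed per-application user registry and a constructed HR leavers feed, matches usernames case-insensitively, groups hits per administrator, and flags leavers who appear in no registered application (the coverage gap the author describes when administrators have not yet added their user lists).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Registration:
    """One user account on one application, as registered by its administrator."""
    application: str
    username: str
    admin_email: str


# Constructed sample registry: what administrators would add to the database.
REGISTRY = [
    Registration("payroll", "jsmith", "payroll-admin@example.org"),
    Registration("crm", "JSmith", "crm-admin@example.org"),
    Registration("crm", "abrown", "crm-admin@example.org"),
    Registration("finance", "cjones", "fin-admin@example.org"),
]

# Constructed HR leavers feed: one record per person leaving.
LEAVERS = [
    {"employee_id": "E1001", "username": "jsmith", "leave_date": "2009-03-31"},
    {"employee_id": "E1002", "username": "DLEE", "leave_date": "2009-04-15"},
]


def normalise(username):
    # Usernames are compared case-insensitively so "JSmith" and "jsmith" match.
    return username.strip().lower()


def match_leavers(leavers, registry):
    """Return ({admin_email: [(application, username, leave_date), ...]},
    [usernames of leavers found in no registered application])."""
    by_user = defaultdict(list)
    for reg in registry:
        by_user[normalise(reg.username)].append(reg)
    notices = defaultdict(list)
    unmatched = []  # leavers whose applications are not yet in the database
    for leaver in leavers:
        regs = by_user.get(normalise(leaver["username"]), [])
        if not regs:
            unmatched.append(leaver["username"])
        for reg in regs:
            notices[reg.admin_email].append(
                (reg.application, reg.username, leaver["leave_date"]))
    return dict(notices), unmatched


def render_notice(admin_email, items):
    """Build the e-mail text advising one administrator of their leavers."""
    lines = [f"To: {admin_email}", "Subject: Leaver notification - please review access", ""]
    for app, user, date in sorted(items):
        lines.append(f"- {app}: user '{user}' is recorded as leaving on {date}")
    return "\n".join(lines)
```

Calling `match_leavers(LEAVERS, REGISTRY)` on the constructed data yields one notice each for the payroll and CRM administrators and reports "DLEE" as a leaver with no registered application, which is the signal to chase the missing user list.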
Although everyone thought that any steps to reduce leavers still
having access to our systems were worth taking, actually getting
administrators to take part and add their user lists to the
database floundered, not on any security concerns but on budget.
Unless I had budget for their time - I did not - they would not put
in the time.
And then along came Sarbanes Oxley, and I returned to the
administrators. What a change. Now, at the mere mention that the
leavers process formed part of the work towards Sox, the
administrators provided the required user lists.
I am now working in the charity sector, which does not have a driver such as Sox. However much you explain and supply backing material, trying to promote improvements in information security as "industry best practice" just does not cut it.
Just at the beginning of this year, though, I found my driver - the Payment Card Industry Data Security Standard for those organisations processing debit and credit card payments, and it worked just as well as Sox does. Being able to say "this is what is needed, this is why, this is what will happen if we do not comply" concentrates the mind.
Since PCI is an ongoing standard, our processes need to
encompass not just existing methods of handling debit and credit
card details, but also future projects that may manage these
details. PCI impacts on project management and developers.
Having worked in regulated and less regulated areas, I find from
experience that having a regulatory or legislative driver achieves
much more than mere "best practice".
Brian Shorten, CISSP, is BCP risk and security manager with Cancer Research UK.