In a previous article, I talked about the issues faced by IT Security and financial auditors, in trying to come together. Financial auditors only care about financial systems and overall IT Security as well as non-IT security practices. IT Security, on the other hand, is focused on secure IT practices. Why don’t they meet in the middle?
The focus is different for both groups; auditors want secure IT practices only on financial systems (which is where they are allowed to look). IT Security will often push back when they ask for more, saying things like “out of scope.”
IT Security is mostly focused on production systems and network devices. It’s a constantly changing environment, where you have to move quickly to combat threats and intrusions. They’re focused on actions, not documentation and procedures. They’re not thrilled, for the most part, with endless requests for policies and procedures, as well as documentation of what they’re actually doing. They’re darn busy with a lot of trees in the forest.
The problem is, they’re both right, and both wrong. IT sees documentation as unimportant (i.e., “I’ll get to it when I can”); auditors see non-financial systems as unimportant (“Firewall? They have one, they’re fine.”).
The real problems come with the trees neither one of them looks at. That’s Part 3.