Dec 22 2009   7:09PM GMT

The Forest or The Trees – Part 2

Arian Eigen Heald

In a previous article, I talked about the difficulty IT Security and financial auditors have in coming together. Financial auditors care only about the financial systems, though within that scope they look at overall IT security as well as non-IT controls. IT Security, on the other hand, is focused on secure IT practices across the whole environment. Why don’t they meet in the middle?

The focus is different for each group: auditors want secure IT practices only on financial systems (which is where they are allowed to look). IT Security will often push back when auditors ask for more, saying things like “out of scope.”

IT Security is mostly focused on production systems and network devices. It’s a constantly changing environment, where you have to move quickly to combat threats and intrusions. They’re focused on actions, not documentation and procedures. They’re not thrilled, for the most part, with endless requests for policies and procedures, or for documentation of what they’re actually doing. They’re darn busy with a lot of trees in the forest.

The problem is, they’re both right, and both wrong. IT sees documentation as unimportant (i.e., “I’ll get to it when I can”), and auditors see non-financial systems as unimportant (“Firewall? They have one, they’re fine.”).

The real problems come with the trees neither one of them looks at. That’s Part 3.
