Who Sets The Audit Standards? Part 3 of 3

Did you miss Part 1 or Part 2 of John Madelin's Who Sets the Audit Standards?

E. What Do the Members and Stakeholders get from the Professional Body?
A primary driver is to be able to demonstrate that those responsible for security are fit for the job that they are undertaking. A secondary driver is the need for organisations to be sure that they are applying sound practice. The stakeholders are therefore the individual members of the professional body, the organisations that benefit from their services, and the wider community at large—for whom a fabric of trust would ensure confidence in transactions and online behaviours.

Once again, drawing from the IISP blueprint…

Members of a professional body or institute in information security would benefit in many ways including:

  • Members would be able to demonstrate that they possess an industry-recognised level of knowledge, experience and integrity
  • Members would have a high level of trust and confidence in the ability and integrity of other members
  • Members would have access to a source of reference and advice which would help them in their day-to-day work
  • Members would have greater clarity regarding interfaces with other aspects of security such as physical security, operational risk and investigations
  • Members would have confidence in applying best practices approved by the professional body
  • Senior members would have confidence that more junior members had a broad level of understanding of information security as a whole
  • Members would have confidence that they are doing the right things where their actions are supported by the standards and practices of the professional body
  • Members would be able to cite the standards of the professional body to support their actions
  • Members would have an authoritative interface with government, enabling dialogue on key regulatory issues
  • Members would be supported in their personal and professional development
  • Members would be able to participate in a forum for sharing knowledge, and have access to senior members who have expertise in particular areas

There are also wider benefits to be gained from the establishment of a professional institute by organisations such as regulators, employers and suppliers. These benefits include:

  • A member's organisation will be able to show to regulators, auditors, shareholders and other stakeholders that security is being addressed by appropriately skilled and knowledgeable individuals
  • Business, Government and society at large would have an increased level of trust and confidence that information security was being addressed in an appropriate, professional manner
  • The professional body would be able to make authoritative rulings on key issues
  • A professional body would raise the recognition of those engaged in information security to a par with those of other professions such as lawyers, accountants and surveyors

F. What's Next for us to Continue to Support Professionalism in Information Security?
Going back to my RSA Conference panel experience—my feedback shows that there was an absolute consensus that a professional body, in a form reflected by the IISP, is a requirement.

Those of you who have been reading the IT press will see that the launch of the IISP made front page news in Computing Magazine recently.

There is still a long way to go, not least of which will be for us to collectively establish a common agreement over what “information security” means. The subject extends out in every direction to an increasingly distant and somewhat ambiguous boundary. Most people recognise the three key words of information security:

  • Confidentiality
  • Availability
  • Integrity… of information

Beyond that, however, there are many different approaches to the inclusion of business continuity, the place of insurance and risk management, physical and logical security convergence and so on.

In the same way that the audit and accounting professions publish “standards” on subjects of great relevance and importance, the Institute will need to decide the framework of issues and approaches on the key topics within the definition.

Another highly topical example as a case in point—biometrics. This is unquestionably of great sensitivity and importance and falls squarely into the scope of “security”. I am grateful to Bori Toth of Deloitte in showing me a window into the world of this important subject.

There is certainly a lot of published material to choose from in deciding the general frameworks and standards. ISO 17799, which grew out of the British standard BS 7799, is a ready-made framework and comprehensive in the pieces that it covers. Furthermore, it is gaining traction on a world-wide basis. A quick snapshot of the main headings of ISO 17799 demonstrates its breadth, and anything that avoids reinventing the wheel unnecessarily has to be a good thing:

ISO 17799 Headings

  1. Business Continuity Management
  2. Access Control
  3. Systems Development and Maintenance
  4. Physical and Environmental Security
  5. Compliance
  6. Personnel Security
  7. Security Organisation
  8. Communications and Operations Management
  9. Asset Classification and Control
  10. Security Policy

On top of this, one or two people during the RSA Conference panel asked the practical question of how they might start setting a Board-level audit outline for their businesses (recognising that IISP is in its early dawn). As well as referring them to ISO 17799, I also drew their attention to a useful document: Information Security Governance—Top Actions for Security Managers, which can be found here. It is a publication prepared by the IT Governance Institute (ITGI) and designed for Certified Information Security Managers (CISMs), Chief Information Security Officers (CISOs) and information security managers to use as action steps in addressing the questions posed by another ITGI publication: Information Security Governance: Guidance for Boards of Directors and Executive Management.

G. Conclusion
The need for professionalism in a subject of such great importance and relative complexity as information security is now widely-accepted.

As I concluded at my RSA Conference panel, this is not a time for partisan approaches covering areas of limited relevance in a piecemeal fashion.

If this is of as much importance to you as it is to me then I encourage you to join the IISP. I have taken out an individual membership, and RSA Security is now going through the process of completing the “founder members” application together with many of our competitors, government departments, representatives from academia, start-ups, systems integrators, and a whole variety of individuals in their own right.

On a practical point you can find more details here.

Supporting professionalism and a common non-partisan approach to good practice in information security is now about sponsoring and supporting IISP in all their endeavours to help lead the information security profession to a point at which it can support all the stakeholders in the wider business ecosystem. This is a key ingredient in helping us all ensure that the “fabric of trust” so profoundly important to tomorrow's information-centric world can quickly become a consistent and meaningful reality.

In closing I would like to thank the following individuals and their organisations for the encouragement, support and information they provided me with during the long process of considering the big and evolving subject of Information Security Audit Standards and professionalism:

  • Arjen van Zanten, KPMG
  • Bori Toth, Deloitte
  • Yves Le Roux, CA and ISACA
  • Professor Fred Piper, Royal Holloway University
  • Neil Stevenson, ACCA
  • Mary Ann Davidson, Oracle
  • Mathew Scholl, NIST
  • Richard Starnes, ISSA
  • Greg Bell, KPMG
  • Alan Stanley, ISF
  • Nick Coleman, SAINT
  • Ian Williams, formerly Datamonitor
  • Jeff Loeb, Brabeion
  • David Birch, Consult Hyperion
  • Uri Ran, BMC
