[infowar.de] RSA Blog: Who Sets The Audit Standards? (John Madelin)
The IT security people are in the process of giving themselves professional
standards, modelled on lawyers, chartered accountants and similar professions.
The title "CISSP", by contrast, is apparently losing value.
Welcome to the "Institute of Information Security Professionals".
(Good critical reading on the subject of auditing: Michael Power: The Audit
Society - Rituals of Verification.)
I have pasted the three posts together here, which is why the mail
Who Sets The Audit Standards? Part 1 of 3
A. Introduction -- Audit Standards and "Professionalism"
The conversational noise levels have been building slowly to the point
where it is now hard to ignore the hubbub on the subject of public policy,
standards, regulation, and professionalism. The latest development for me
culminated in an audit standards panel session in which I participated at
the RSA Conference. Surprisingly it was very well attended, with standing
Why is the whole question of audit standards and the associated theme of
The panel was chaired by Mary Ann Davidson, the CSO from Oracle, who asked
us all the question: "Audit Standards:- Why, What, Who, When and How?",
which was an appropriately broad approach to an apparently "small"
subject. Unsurprisingly we quickly extended the discussion to incorporate
the whole question of professionalism and the "fabric of trust" that IT
Security is an arcane subject, requiring a degree of knowledge and
experience vested in a small handful of deeply-specialised individuals,
where the risk of poor quality has wide-reaching implications, is costly,
and of profound impact to society.
Now substitute "legal profession" or "medical profession" for the first
word of "security" in the previous paragraph and you quickly see why
security has the potential to be deserving of a degree of
"professionalism" hitherto reserved for lawyers, accountants, and doctors.
(You might even include architects, since - if there were no professional
standards - more buildings would collapse etc. etc.; but I would argue
that this is dropping below the "impact to society" radar of the big "P"
professional bodies. But you get the point.)
So the discussion quickly floated up to the whole question of
"professionalism" as these things tend to do these days, which was just as
well, because in preparation for the panel I had started to think about
how the professional accounting body, of which I am a member, came about.
B. Ancient Accounting and Subsequent Audit -- an Analogy for the Security
It Started with the right Environmental Conditions
First of all the foundation of auditing is rooted in accounting. Audit is
really all about managing and controlling the delicate balance between the
art and science of numbers, and the associated underlying value and its
reflection in the public domain. In considering why accounting developed
in 14th century Italy instead of ancient Greece or Rome, accounting
scholar A. C. Littleton describes seven "key ingredients" which led to its
* Private property: The power to change ownership, because
book-keeping is concerned with recording the facts about property and
* Capital: Wealth productively employed, because otherwise commerce
would be trivial and credit would not exist
* Commerce: The interchange of goods on a widespread level, because
purely local trading in small volume would not create the sort of press of
business needed to spur the creation of an organized system to replace the
existing hodgepodge of record-keeping
* Credit: The present use of future goods, because there would have
been little impetus to record transactions completed on the spot
* Writing: A mechanism for making a permanent record in a common
language, given the limits of human memory
* Money: The "common denominator" for exchanges, since there is no
need for book-keeping except as it reduces transactions to a set of
* Arithmetic: A means of computing the monetary details of the deal
Although many of the individual components did exist prior to the 15th
century they did not coalesce in a form, strength, or combination until
this particular epoch. Once they had done so the establishment of a
coherent accounting system and the subsequent audit standards and
"professional bodies" became inevitable.
Accounting; the Foundation of the Audit Profession -- Summa; the
Foundation of Accounting
The innovative Italians of the Renaissance were widely acknowledged to
have elevated trade and commerce to new levels, and Luca Pacioli was a
true Renaissance man. He had knowledge of literature, art, mathematics,
business and the sciences, fully developed during his 50 years, at which
point he wrote his fifth book: "Summa de Arithmetica, Geometria,
Proportioni, et Proportionalita" ("Everything about Arithmetic, Geometry,
It was written as a digest of mathematical knowledge, and accounting was
only one of five sections covered, containing 36 short chapters on
book-keeping entitled, "De Computis et Scripturis" ("Of Reckonings and
The Summa had instant impact on the whole subject of accounting and a
standardised professional approach -- thanks to its publication coinciding
with the environmental conditions of extreme "readiness" outlined above.
As a curious aside - it's interesting to note that the roots of both
security and accounting are historically so firmly embedded in the
From Accounting, Audit and Professionalism was an inevitable development
For those interested in pursuing the story you can find more details here.
Suffice to say that the gradual evolution of accounting, reporting,
professional training and government charter were now an inevitable
corollary, and by 1880 the professional bodies had merged globally.
Who Sets The Audit Standards? Part 2 of 3
Did you miss Part 1 of John Madelin's Who Sets the Audit Standards?
C. The Perfect Storm -- IT Conditions Conspire To Create a State of Readiness
We can see similar environmental factors conspiring together today to
reinforce the need for professionalism in the fabric of trust supported
through "good security" in its broadest sense.
The major environmental factors coalescing to create a perfect storm (in
the context of profound commercial, social, cultural and economic impact)
-- and reinforcing the need for a "professional body" -- might reasonably
be considered as follows:
[Booz Allen Hamilton graphic]
(from a Booz Allen Hamilton report commissioned by the Alliance for
Enterprise Security Risk Management.)
We can argue that this list is not exhaustive. For example, on the
apparently simple question of Device Proliferation (another facet directly
associated with questions of security and accountability) the normally
restrained investment bank Jefferies Broadview is quoted as follows:
"We believe we are poised for a wealth creation opportunity that is
as powerful as the Internet and an order of magnitude more pervasive.
Untethering and distributing the Internet to the myriad mobile devices
from phones to iPods to Blackberries is an even more powerful wave than
the internetworking of the computing world in the 90's."
That is rather uncharacteristic hyperbole from an investment banker, but
quite appropriate to the sheer scale and importance of device
proliferation and its impact on all of us. Other examples of similar
importance and magnitude might include high capacity network availability,
mobile working and a whole list of other "mega trends" all of which have a
direct correlation with risk, trust, control and accountability. Finally,
and not to labour the point too heavily, all of these elements seem to be
occurring simultaneously and coalescing in a form, strength, and
combination that characterises our epoch as one of great change.
The analogy between the birth of the accounting and audit profession, and
the birth of security as a profession seems to have substance in that we
now see a security profession evolving and emerging, albeit in an ad hoc
and piecemeal fashion. I can list the following "security bodies" just off
the top of my head; I am sure a quick trawl of Google would unearth many more:
* SANS Institute
* ITGI
Furthermore, as demand for security specialists increases we see a growing
community of self-trained individuals specialising in one or other
particular facet of security and with no real accreditation. The CISSP
qualification is being somewhat de-valued, because rather than
reinforcing years of experience with the stamp of "letters after your
name" there is a growing breed of aspiring security specialists cramming
to pass the exam with little or no real experience.
An old colleague of mine, Yves Le Roux (representing both (ISC)2 and
ISACA) tells me that the Institute of Information Security Professionals
was discussed in both (ISC)2 European Advisory Board and ISACA/ITGI
Security Management Advisory Committee recently. In common with others
among the professional bodies listed above, many of whom were actively
involved in the long process of establishing the IISP, these two important
bodies recognise the good foundations, the synergy, the quality and weight
of key players sponsoring the initiative, and that ISACA and (ISC)2 should
continue to be involved with the IISP since many ISACA and (ISC)2 members
were involved with the formation of the group. It was also recommended
that members should individually join the IISP.
The world has changed so comprehensively thanks to the conditions
outlined, that complexity, control, accountability, responsibility, trust
and risk have become much more challenging and fluid concepts. IT, and in
particular Information Security, are now more significant in establishing
a fabric of trust than almost any other discipline, including accounting
and law. To quote Alun Michael, the UK Minister of State for Industry:
"The department has long recognised the critical importance of
information security as a discipline that underlines trust in the
D. What Constitutes a "Professional Body"?
Continuing from the dual themes -- of "many bodies, each with a
perspective", and an immediate acknowledgement that the training and
professionalism of security specialists is paramount -- leads us to
consider the whole question of what other specific components could be
included to constitute a "professional body". Some of those referred to
are technical; some are educational; some are government departments
publishing on security issues and recognising such issues to be of public
importance; some of them are communities for information sharing. Of all
of these various points, which are the most important ingredients of a
body that could be described as "professional"?
This is a subject nicely covered in the IISP Blueprint, introducing the
following basic elements common to most professions and between them
constituting the main ingredients of our trust in lawyers and accountants:
* a community of practitioners and theoreticians
* a formal education process
* an intellectual domain/common body of knowledge
* a tradition
* a communications network for the members
* entry requirements and concomitant barriers to entry
* a recognition of public responsibility amongst the members
* a willingness to act with restraint for the common good by the members
* adoption of a code of good conduct
* Legal charter/recognition
In other words, a profession must be consistent, responsibly-behaved,
current, and have "teeth".
Many of the bodies outlined have a number of the elements suggested, but
none have everything.
...It's Technical, Isn't It?
Most people in our industry immediately associate security professionalism
with good technical capability, either in the development process itself,
or in the architectures and solutions.
A quick straw poll of random people in the few weeks running up to the RSA
Conference, when asked what I meant by "professional body", concluded that
NIST already provides for such standards. I was encouraged chatting with
Mathew Scholl from NIST immediately before the panel to hear him
emphatically acknowledge both the need for professionalism and the fact
that - in its broadest sense -- it wasn't something he associated with
NIST. Mathew was quite clear that NIST has a responsibility for doing one
piece (the technical piece) very well, but that this doesn't incorporate
the broader knowledge capital, charter, training and other "people,
process, strategy" facets outside the realm of the technical.
I can't emphasise this piece enough -- that most people instantly
associate "audit standards" (in relation to information security) as being
just about technical standards. Security is so much more: with most
threats acknowledged as coming from the inside; with a growing recognition
that social engineering is the weakest link; with "brand" and "trust"
blending in so many consumer-facing models; and with complexity
translating to more human error of greater impact on our lives -- to name
but a few.
Can't We Just Hand the Problem to the Auditors to Deal With?
Another common suggestion I had was that audit firms could simply broaden
the scope of their audit.
Well, I can certainly talk from the perspective of a solid understanding
of the scope here, since I am a qualified auditor with years of hands-on
experience in the early stage of my career.
Accounting is an extensive, arcane and important subject that affects
every one of us both directly and indirectly. It took me four-and-a-half
years to qualify, during which time I was completing my formally
accredited "on the job experience"; and a further two years to upgrade
from an "ACCA" (meaning that I passed the exams) to an "FCCA" (a
"professional" accountant/auditor), during which time I was expected to
continue to demonstrate growth and "relevant" experience. To maintain the
audit certificate one must continue to earn professional points through an
ongoing process of accredited professional education.
There are whole ecosystems of subject material in the qualification,
incorporating taxation, financing and leveraging, stock valuation,
intangibles such as brand, work in progress, manufacturing, and so on.
Each of these elements reflects a broad and intellectually challenging
area in its own right just at the mechanical level. Beyond the mechanics
of how each component works we extend to the auditability and judgement of
any one of these issues individually, but more importantly, combining them
together in a living and breathing business ecosystem requires great depth
To think that one might conveniently add "security" to the curriculum is
at best unrealistic. I have spent 10 years in the security industry, and
as members of the Jericho Forum sometimes remind me -- I am a relative
beginner. How appropriate is it to conveniently append a huge and highly
specialised additional industry to the existing remit of "accounting-based
audit" -- thereby risking the dilution in effectiveness of both sides of
4/9/2006 6:00:18 PM
Who Sets The Audit Standards? Part 3 of 3
Did you miss Part 1 or Part 2 of John Madelin's Who Sets the Audit Standards?
E. What Do the Members and Stakeholders get from the Professional Body?
A primary driver is to be able to demonstrate that those responsible for
security are fit for the job that they are undertaking. A secondary driver
is the need for organisations to be sure that they are applying sound
practice. The stakeholders are therefore the individual members of the
professional body, the organisations that benefit from their services, and
the wider community at large—for whom a fabric of trust would ensure
confidence in transactions and online behaviours.
Once again, drawing from the IISP blueprint…
Members of a professional body or institute in information security would
benefit in many ways including:
* Members would be able to demonstrate that they possess an
industry-recognised level of knowledge, experience and integrity
* Members would have a high level of trust and confidence in the
ability and integrity of other members
* Members would have access to a source of reference and advice which
would help them in their day-to-day work
* Members would have greater clarity regarding interfaces with other
aspects of security such as physical security, operational risk and
* Members would have confidence in applying best practices approved
by the professional body
* Senior members would have confidence that more junior members had a
broad level of understanding of information security as a whole
* Members would have confidence that they are doing the right things
where their actions are supported by the standards and practices of the
* Members would be able to cite the standards of the professional
body to support their actions
* Members would have an authoritative interface with government,
enabling dialogue on key regulatory issues
* Members would be supported in their personal and professional
* Members would be able to participate in a Forum for sharing
knowledge, and have access to senior members who have expertise in
There are also wider benefits to be gained from the establishment of a
professional institute by organisations such as regulators, employers and
suppliers. These benefits include:
* A member's organisation will be able to show to regulators,
auditors, shareholders and other stakeholders that security is being
addressed by appropriately skilled and knowledgeable individuals
* Business, Government and society at large would have an increased
level of trust and confidence that information security was being
addressed in an appropriate, professional manner
* The professional body would be able to make authoritative rulings
on key issues
* A professional body would raise the recognition of those engaged in
information security to a par with those of other professions such as
lawyers, accountants and surveyors
F. What's Next for us to Continue to Support Professionalism in
Going back to my RSA Conference panel experience—my feedback shows that
there was an absolute consensus that a professional body, in a form
reflected by the IISP, is a requirement.
Those of you who have been reading the IT press will see that the launch
of the IISP made front page news in Computing Magazine recently.
There is still a long way to go, not least of which will be for us to
collectively establish a common agreement over what “information security”
means. The subject extends out in every direction to an increasingly
distant and somewhat ambiguous boundary. Most people recognise the three
key words of information security
* Integrity… of information
but beyond that there are many different approaches to the inclusion of
business continuity, the place of insurance and risk management, physical
and logical security convergence and so on.
In the same way that the audit and accounting professions publish
“standards” on subjects of great relevance and importance, the Institute
will need to decide the framework of issues and approaches on the key
topics within the definition.
Another highly topical example as a case in point—biometrics. This is
unquestionably of great sensitivity and importance and falls squarely into
the scope of “security”. I am grateful to Bori Toth of Deloitte in showing
me a window into the world of this important subject.
There is certainly a lot of published material to choose from in deciding
the general frameworks and standards. Britain's ISO 17799 is a ready-made
framework and comprehensive in the pieces that it covers. Furthermore, it
is gaining traction on a world-wide basis. A quick snapshot of the main
headings of ISO 17799 demonstrates its breadth, and anything that avoids
re-inventing too much of the wheel unnecessarily has to be a good thing:
ISO 17799 Headings
1. Business Continuity Plan
2. System Access Control
3. System Development and Maintenance
4. Physical and Environmental
6. Personnel Security
7. Security Organisation
8. Computer and Operations Management
9. Asset Classification and Control
10. Security and Policy
On top of this, one or two people during the RSA Conference panel asked
the practical question of how they might start setting a Board-level audit
outline for their businesses (recognising that IISP is in its early dawn).
As well as referring them to the ISO I also drew their attention to a
useful document: Information Security Governance—Top Actions for Security
Managers that can be found here. It is a publication prepared by the IT
Governance Institute and designed for Certified Information Security
Managers (CISMs), Chief Information Security Officers (CISOs) and
information security managers to use as action steps in addressing the
questions posed by another ITGI publication: Information Security
Governance: Guidance for Boards of Directors and Executive Management.
The need for professionalism in a subject of such great importance and
relative complexity as information security is now widely-accepted.
As I concluded at my RSA Conference panel, this is not a time for partisan
approaches covering areas of limited relevance in a piecemeal fashion.
If this is of as much importance to you as it is to me then I encourage
you to join the IISP. I have taken out an individual membership, and RSA
Security is now going through the process of completing the “founder
members” application together with many of our competitors, government
departments, representatives from academia, start-ups, systems
integrators, and a whole variety of individuals in their own right.
On a practical point you can find more details here.
Supporting professionalism and a common non-partisan approach to good
practice in information security is now about sponsoring and supporting
IISP in all their endeavours to help lead the information security
profession to a point at which it can support all the stakeholders in the
wider business ecosystem. This is a key ingredient in helping us all
ensure that the “fabric of trust” so profoundly important to tomorrow’s
information-centric world can quickly become a consistent and meaningful
In closing I would like to thank the following individuals and their
organisations for the encouragement, support and information they provided
me with during the long process of considering the big and evolving
subject of Information Security Audit Standards and professionalism:-
Arjen van Zanten KPMG
Bori Toth Deloitte
Yves Le Roux CA and ISACA
Professor Fred Piper Royal Holloway University
Neil Stevenson ACCA
Mary Ann Davidson Oracle
Mathew Scholl NIST
Richard Starnes ISSA
Greg Bell KPMG
Alan Stanley ISF
Nick Coleman SAINT
Ian Williams Formerly Datamonitor
Jeff Loeb Brabeion
David Birch Consult Hyperion
Uri Ran BMC