Suche innerhalb des Archivs / Search the Archive All words Any words

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[] RSA Blog: Who Sets The Audit Standards? (John Madelin)

Die IT-Sicherheitsleute sind gerade dabei, sich professionelle Standards zu geben, angelehnt an Juristen, Wirtschaftsprüfer und ähnliche Berufe. Der Titel "CISSP" verliert dagegen offenbar an Wert.
Welcome to the "Institute of Information Security Professionals".
(Gute kritische Lektüre zum Thema Auditing: Michael Power: The Audit Society - Rituals of Verification.) Ich habe die drei Posts hier mal zusammen eingefügt, daher ist die Mail recht lang.

Who Sets The Audit Standards? Part 1 of 3
John Madelin

A. Introduction -- Audit Standards and "Professionalism"

The conversational noise levels have been building slowly to the point where it is now hard to ignore the hubbub on the subject of public policy, standards, regulation, and professionalism. The latest development for me culminated in an audit standards panel session in which I participated at the RSA Conference. Surprisingly it was very well attended, with standing room only.

Why is the whole question of audit standards and the associated theme of professionalism blossoming?

The panel was chaired by Mary Ann Davidson, the CSO from Oracle, who asked us all the question: "Audit Standards:- Why, What, Who, When and How?", which was an appropriately broad approach to an apparently "small" subject. Unsurprisingly we quickly extended the discussion to incorporate the whole question of professionalism and the "fabric of trust" that IT security implies.

Security is an arcane subject, requiring a degree of knowledge and experience vested in a small handful of deeply-specialised individuals, where the risk of poor quality has wide-reaching implications, is costly, and of profound impact to society.

Now substitute "legal profession" or "medical profession" for the first word of "security" in the previous paragraph and you quickly see why security has the potential to be deserving of a degree of "professionalism" hitherto reserved for lawyers, accountants, and doctors. (You might even include architects, since - if there were no professional standards - more buildings would collapse etc. etc.; but I would argue that this is dropping below the "impact to society" radar of the big "P" professional bodies. But you get the point.)

So the discussion quickly floated up to the whole question of "professionalism" as these things tend to do these days, which was just as well, because in preparation for the panel I had started to think about how the professional accounting body, of which I am a member, came about.

B. Ancient Accounting and Subsequent Audit -- an Analogy for the Security Industry.

It Started with the right Environmental Conditions

First of all the foundation of auditing is rooted in accounting. Audit is really all about managing and controlling the delicate balance between the art and science of numbers, and the associated underlying value and its reflection in the public domain. In considering why accounting developed in 14th century Italy instead of ancient Greece or Rome, accounting scholar A. C. Littleton describes seven "key ingredients" which led to its creation:

* Private property: The power to change ownership, because book-keeping is concerned with recording the facts about property and property rights * Capital: Wealth productively employed, because otherwise commerce would be trivial and credit would not exist * Commerce: The interchange of goods on a widespread level, because purely local trading in small volume would not create the sort of press of business needed to spur the creation of an organized system to replace the existing hodgepodge of record-keeping * Credit: The present use of future goods, because there would have been little impetus to record transactions completed on the spot * Writing: A mechanism for making a permanent record in a common language, given the limits of human memory * Money: The "common denominator" for exchanges, since there is no need for book-keeping except as it reduces transactions to a set of monetary values
    * Arithmetic: A means of computing the monetary details of the deal

Although many of the individual components did exist prior to the 15th century they did not coalesce in a form, strength, or combination until this particular epoch. Once they had done so the establishment of a coherent accounting system and the subsequent audit standards and "professional bodies" became inevitable.

Accounting; the Foundation of the Audit Profession -- Summa; the Foundation of Accounting

The innovative Italians of the Renaissance were widely acknowledged to have elevated trade and commerce to new levels, and Luca Pacioli was a true Renaissance man. He had knowledge of literature, art, mathematics, business and the sciences, fully developed during his 50 years, at which point he wrote his fifth book: "Summa de Arithmetica, Geometria, Proportioni, et Proportionalita" ("Everything about Arithmetic, Geometry, and Proportion").

It was written as a digest of mathematical knowledge, and accounting was only one of five sections covered, containing 36 short chapters on book-keeping entitled, "De Computis et Scripturis" ("Of Reckonings and Writings").

The Summa had instant impact on the whole subject of accounting and a standardised professional approach -- thanks to its publication coinciding with the environmental conditions of extreme "readiness" outlined above. As a curious aside - it's interesting to note that the roots of both security and accounting are historically so firmly embedded in the mathematical firmament.

From Accounting, Audit and Professionalism was an inevitable development

For those interested in pursuing the story you can find more details here. Suffice to say that the gradual evolution of accounting, reporting, professional training and government charter were now an inevitable corollary, and by 1880 the professional bodies had merged globally.


Who Sets The Audit Standards? Part 2 of 3
John Madelin

Did you miss Part 1 of John Madelin's Who Sets the Audit Standards?

C. The Perfect Storm -- IT Conditions Conspire To Create a State of Readiness
We can see similar environmental factors conspiring together today to re-enforce the need for professionalism in the fabric of trust supported through "good security" in its broadest sense.

The major environmental factors coalescing to create a perfect storm (in the context of profound commercial, social, cultural and economic impact) -- and re-enforcing the need for a "professional body" -- might reasonably be considered as follows:

Booz Allen Hamilton Graphic

(from a Booz Allen Hamilton report commissioned by the Alliance for Enterprise Security Risk Management.)

We can argue that this list is not exhaustive. For example, on the apparently simple question of Device Proliferation (another facet directly associated with questions of security and accountability) the normally restrained investment bank Jefferies Broadview is quoted as follows:

"We believe we are poised for a wealth creation opportunity that is as powerful as the Internet and an order of magnitude more pervasive. Untethering and distributing the Internet to the myriad mobile devices
from phones to iPods to Blackberries is an even more powerful wave than
the internetworking of the computing world in the 90's."

That is rather uncharacteristic hyperbole from an investment banker, but quite appropriate to the sheer scale and importance of device proliferation and its impact on all of us. Other examples of similar importance and magnitude might include high capacity network availability, mobile working and a whole list of other "mega trends" all of which have a direct correlation with risk, trust, control and accountability. Finally, and not to labour the point too heavily, all of these elements seem to be occurring simultaneously and coalescing in a form, strength, and combination that characterises our epoch as one of great change.

The analogy between the birth of the accounting and audit profession, and the birth of security as a profession seems to have substance in that we now see a security profession evolving and emerging, albeit in an ad hoc and piecemeal fashion. I can list the following "security bodies" just off the top of my head, I am sure a quick trawl of Google would unearth many more:

    * SANS Institute
    * ISACA
    * (ISC)2
    * NIST
    * ASIS
    * ISSA
    * DTI
    * SAINT
    * BSI
    * OECD
    * CCEVS
    * CIAC
    * ISF

Furthermore, as demand for security specialists increases we see a growing community of self-trained individuals specialising in one or other particular facet of security and with no real accreditation. The CISSP qualification is being somewhat de-valued, because rather than re-enforcing years of experience with the stamp of "letters after your name" there is a growing breed of aspiring security specialists cramming to pass the exam with little or no real experience.

An old colleague of mine, Yves Le Roux (representing both (ISC)2 and ISACA) tells me that the Institute of Information Security Professionals was discussed in both (ISC)2 European Advisory Board and ISACA/ITGI Security Management Advisory Committee recently. In common with others among the professional bodies listed above, many of whom were actively involved in the long process of establishing the IISP, these two important bodies recognise the good foundations, the synergy, the quality and weight of key players sponsoring the initiative, and that ISACA and (ISC)2 should continue to be involved with the IISP since many ISACA and (ISC)2 members were involved with the formation of the group. It was also recommended that members should individually join the IISP.

The world has changed so comprehensively thanks to the conditions outlined, that complexity, control, accountability, responsibility, trust and risk have become much more challenging and fluid concepts. IT, and in particular Information Security, are now more significant in establishing a fabric of trust than almost any other discipline, including accounting and law. To quote Alun Michael, the UK Minister of State for Industry:

"The department has long recognised the critical importance of information security as a discipline that underlines trust in the information age."

D. What Constitutes a "Professional Body"?
Continuing from the dual themes -- of "many bodies, each with a perspective", and an immediate acknowledgement that the training and professionalism of security specialists is paramount - leads us to consider the whole question of what other specific components could be included to constitute a "professional body". Some of those referred to are technical; some are educational; some are government departments publishing on security issues and recognising such issues to be of public importance; some of them are communities for information sharing. Of all of these various points, which are the most important ingredients of a body that could be described as "professional"?

This is a subject nicely covered in the IISP Blueprint, introducing the following basic elements common to most professions and between them constituting the main ingredients of our trust in lawyers and accountants:

    * a community of practitioners and theoreticians
    * a formal education process
    * an intellectual domain/common body of knowledge
    * a tradition
    * a communications network for the members
    * entry requirements and concomitant barriers to entry
    * a recognition of public responsibility amongst the members
    * a willingness to act with restraint for the common good by the members
    * adoption of a code of good conduct
    * Legal charter/recognition

In other words, a profession must be consistent, responsibly-behaved, current, and have "teeth".

Many of the bodies outlined have a number of the elements suggested, but none have everything.

...It's Technical, Isn't It?
Most people in our industry immediately associate security professionalism with good technical capability, either in the development process itself, or in the architectures and solutions.

A quick straw poll of random people in the few weeks running up to the RSA Conference, when asked what I meant by "professional body", concluded that NIST already provides for such standards. I was encouraged chatting with Mathew Scholl from NIST immediately before the panel to hear him emphatically acknowledge both the need for professionalism and the fact that - in its broadest sense -- it wasn't something he associated with NIST. Mathew was quite clear that NIST has a responsibility for doing one piece (the technical piece) very well, but that this doesn't incorporate the broader knowledge capital, charter, training and other "people, process, strategy" facets outside the realm of the technical.

I can't emphasise this piece enough -- that most people instantly associate "audit standards" (in relation to information security) as being just about technical standards. Security is so much more: with most threats acknowledged as coming from the inside; with a growing recognition that social engineering is the weakest link; with "brand" and "trust" blending in so many consumer-facing models; and with complexity translating to more human error of greater impact on our lives -- to name but a few.

Can't We Just Hand the Problem to the Auditors to Deal With?
Another common suggestion I had was that audit firms could simply broaden the scope of their audit.

Well, I can certainly talk from the perspective of a solid understanding of the scope here, since I am a qualified auditor with years of hands-on experience in the early stage of my career.

Accounting is an extensive, arcane and important subject that affects every one of us both directly and indirectly. It took me four-and-a-half years to qualify, during which time I was completing my formally accredited "on the job experience"; and a further two years to upgrade
from an "ACCA" (meaning that I passed the exams) to an "FCCA" (a
"professional" accountant/auditor), during which time I was expected to continue to demonstrate growth and "relevant" experience. To maintain the audit certificate one must continue to earn professional points through an ongoing process of accredited professional education.

There are whole ecosystems of subject material in the qualification, incorporating taxation, financing and leveraging, stock valuation, intangibles such as brand, work in progress, manufacturing, and so on. Each of these elements reflects a broad and intellectually challenging area in its own right just at the mechanical level. Beyond the mechanics of how each component works we extend to the auditablity and judgement of any one of these issues individually, but more importantly, combining them together in a living and breathing business ecosystem requires great depth and professionalism.

To think that one might conveniently add "security" to the curriculum is at best unrealistic. I have spent 10 years in the security industry, and as members of the Jericho Forum sometimes remind me -- I am a relative beginner. How appropriate is it to conveniently append a huge and highly specialised additional industry to the existing remit of "accounting-based audit" -- thereby risking the dilution in effectiveness of both sides of the equation?


4/9/2006 6:00:18 PM
Who Sets The Audit Standards? Part 3 of 3
John Madelin

Did you miss Part 1 or Part 2 of John Madelin's Who Sets the Audit Standards?

E. What Do the Members and Stakeholders get from the Professional Body?
A primary driver is to be able to demonstrate that those responsible for security are fit for the job that they are undertaking. A secondary driver is the need for organisations to be sure that they are applying sound practice. The stakeholders are therefore the individual members of the professional body, the organisations that benefit from their services, and the wider community at large—for whom a fabric of trust would ensure confidence in transactions and online behaviours.

Once again, drawing from the IISP blueprint…

Members of a professional body or institute in information security would benefit in many ways including:

* Members would be able to demonstrate that they possess an industry-recognised level of knowledge, experience and integrity * Members would have a high level of trust and confidence in the ability and integrity of other members * Members would have access to a source of reference and advice which would help them in their day-to-day work * Members would have greater clarity regarding interfaces with other aspects of security such as physical security, operational risk and investigations * Members would have confidence in applying best practices approved by the professional body * Senior members would have confidence that more junior members had a broad level of understanding of information security as a whole * Members would have confidence that they are doing the right things where their actions are supported by the standards and practices of the professional body * Members would be able to site the standards of the professional body to support their actions * Members would have an authoritative interface with government, enabling dialogue on key regulatory issues * Members would be supported in their personal and professional development * Members would be able to participate in a Forum for sharing knowledge, and have access to senior members who have expertise in particular areas

There are also wider benefits to be gained from the establishment of a professional institute by organisations such as regulators, employers and suppliers. These benefits include:

* A member's organisation will be able to show to regulators, auditors, shareholders and other stakeholders that security is being addressed by appropriately skilled and knowledgeable individuals * Business, Government and society at large would have an increased level of trust and confidence that information security was being addressed in an appropriate, professional manner * The professional body would be able to make authoritative rulings on key issues * A professional body would raise the recognition of those engaged in information security to a par with those of other professions such as lawyers, accountants and surveyors

F. What's Next for us to Continue to Support Professionalism in Information Security? Going back to my RSA Conference panel experience—my feedback shows that there was an absolute consensus that a professional body, in a form reflected by the IISP, is a requirement.

Those of you who have been reading the IT press will see that the launch of the IISP made front page news in Computing Magazine recently.

There is still a long way to go, not least of which will be for us to collectively establish a common agreement over what “information security” means. The subject extends out in every direction to an increasingly distant and somewhat ambiguous boundary. Most people recognise the three key words of information security

    * Confidentiality
    * Availability
    * Integrity… of information

but beyond that there are many different approaches to the inclusion of business continuity, the place of insurance and risk management, physical and logical security convergence and so on.

In the same way that the audit and accounting professions publish “standards” on subjects of great relevance and importance, the Institute will need to decide the framework of issues and approaches on the key topics within the definition.

Another highly topical example as a case in point—biometrics. This is unquestionably of great sensitivity and importance and falls squarely into the scope of “security”. I am grateful to Bori Toth of Deloitte in showing me a window into the world of this important subject.

There is certainly a lot of published material to choose from in deciding the general frameworks and standards. Britain's ISO 17799 is a ready-made framework and comprehensive in the pieces that it covers. Furthermore, it is gaining traction on a world-wide basis. A quick snapshot of the main headings of ISO 17799 demonstrates its breadth, and anything that avoids re-inventing too much of the wheel unnecessarily has to be a good thing:

ISO 17799 Headings

   1. Business Continuity Plan
   2. System Access Control
   3. System Development and Maintenance
   4. Physical and Environmental
   5. Compliance
   6. Personnel Security
   7. Security Organisation
   8. Computer and Operations Management
   9. Asset Classification and Control
  10. Security and Policy

On top of this, one or two people during the RSA Conference panel asked the practical question of how they might start setting a Board-level audit outline for their businesses (recognising that IISP is in its early dawn). As well as referring them to the ISO I also drew their attention to a useful document: Information Security Governance—Top Actions for Security Managers that can be found here. It is a publication prepared by the IT Governance Institute and designed for Certified Information Security Managers (CISMs), Chief Information Security Officers (CISOs) and information security managers to use as action steps in addressing the questions posed by another ITGI publication: Information Security Governance: Guidance for Boards of Directors and Executive Management.

G. Conclusion
The need for professionalism in a subject of such great importance and relative complexity as information security is now widely-accepted.

As I concluded at my RSA Conference panel, this is not a time for partisan approaches covering areas of limited relevance in a piecemeal fashion.

If this is of as much importance to you as it is to me then I encourage you to join the IISP. I have taken out an individual membership, and RSA Security is now going through the process of completing the “founder members” application together with many of our competitors, government departments, representatives from academia, start-ups, systems integrators, and a whole variety of individuals in their own right.

On a practical point you can find more details here.

Supporting professionalism and a common non-partisan approach to good practice in information security is now about sponsoring and supporting IISP in all their endeavours to help lead the information security profession to a point at which it can support all the stakeholders in the wider business ecosystem. This is a key ingredient in helping us all ensure that the “fabric of trust” so profoundly important to tomorrow’s information-centric world can quickly become a consistent and meaningful reality.

In closing I would like to thank the following individuals and their organisations for the encouragement, support and information they provided me with during the long process of considering the big and evolving subject of Information Security Audit Standards and professionalism:-

Arjen van Zanten	KPMG
Bori Toth		Deloitte
Yves Le Roux		CA and ISACA
Professor Fred Piper	Royal Holloway University
Neil Stevenson		ACCA
Mary Ann Davidson	Oracle
Mathew Scholl		NIST
Richard Starnes		ISSA
Greg Bell		KPMG
Alan Stanley		ISF
Nick Coleman		SAINT
Ian Williams		Formerly Datamonitor
Jeff Loeb		Brabeion
David Birch		Consult Hyperion
Uri Ran			BMC

To unsubscribe, e-mail: infowar -
de-unsubscribe -!
- infopeace -
For additional commands, e-mail: infowar -
de-help -!
- infopeace -