A couple of posts on the role of internal audit in a company's information security controls got me thinking.
First, Anton describes an "auditor as policing agent" model:
- InfoSec develops controls.
- Operations operationalizes them.
- Audit goes around with a checklist to make sure they got done.
The issue I have with this model is that if the controls InfoSec develops are inadequate, they can still be well implemented, and the checklist will pass while the risk remains. InfoSec should take ownership of the controls: ensure they are implemented and monitor their performance afterward. When the auditor comes along, he or she should be looking not only at the implementation, but at whether the system as designed by InfoSec achieves the level of risk reduction the board has deemed acceptable. Unlike the crime, systems development or drug prescription analogies, information security is an ongoing management process.
So I'm looking through rose-colored glasses rather than my usual green eyeshade, but I'm not going to play Kavanaugh to a bunch of Mackeys.