ITCi Journal

The IT Compliance Institute's journal should be on your reading list if compliance is on your radar screen. The Fall 2007 issue has good articles on ISO/IEC 27001 & 27002 vs. NIST's SP800 series, symmetric encryption key management and eDiscovery.

The piece 'Holding auditors accountable for data security' is not about making internal auditors accountable for the organization's information security, but rather about the obligations on external auditors to secure privileged information they obtain during the course of audits. For a while it seemed de rigueur for big-name auditors to lose laptops containing confidential client information, but I can't recall any similar breaches since about 18 months ago. Did the audit firms clean up their act, or are these stories no longer newsworthy? Being of a cynical nature, I suspect the latter.

Anyway, the article advises great caution when handing highly sensitive business records to the auditors, for example requiring that they are reviewed on-site and not taken away. I can almost feel the wave of horror passing across any auditors in the audience! If the organization has a strong information security policy, perhaps in response to its compliance obligations under SOX and PCI DSS, management should indeed be extremely cautious about handing information to any third party. On the flip side, though, the auditors need to be able to do their jobs and won't appreciate (further) constraints, although I guess they may just 'add it to the bill'. It is not unreasonable to insist that security compliance, confidentiality and liability aspects are incorporated in suitable clauses in the audit contract, for example by insisting that the auditors should be ISO/IEC 27001 certified. In fact, why not have your CEO formally express the importance of information security to the audit team before they start work? That's one way to make an impression ...