The truth about IT security policy
"…IT security policy from an IT auditor's day-to-day perspective…"
I've been working on IT security policy and procedure development for the last four years. My main responsibility over that period has been consulting for companies that need to comply with some kind of security standard, such as Sarbanes-Oxley, ISO 27001, or even just guidelines from our government.
Security policies and procedures are my main deliverables. So if you visit my clients, you will see that in their offices there are a lot of policies and procedures created by many prestigious companies; my company has contributed there as well. They took international standards such as COBIT or ITIL to ensure that the company's confidential data is kept secure.
However, the policies and procedures are mostly for cosmetic purposes, or just to satisfy the audit requirement. Yes, this is true: mostly the IT auditor's job is only to prepare the documentation, a written document that is used for administration only.
Don't agree? OK, then just look at a recent study released on Monday 23 June 2008 by the Ponemon Institute. It shows us the following facts:
- 30% of marketing execs said they don't place any limits on the data they share with third parties, such as e-mail marketing agencies or online advertisers.
- 75% of privacy officers believe that their companies limit the sharing of customer data.
- 80% of marketers said their organizations share e-mail addresses with third parties, compared with 47% of security and privacy officers.
Other examples:
- 65% of marketers said they would distribute a customer's cellphone number, while 47% of privacy execs said their companies allowed the data to be shared.
- 45% of marketers believe their companies shared credit card data, compared with 32% of privacy officers; and 29% of marketers believe their firms distribute social security numbers, compared with 7% of privacy professionals.
- 44% of marketers surveyed believe their organizations were in compliance with the CAN-SPAM act, a law that requires marketers to request permission to send e-mail messages, disclose the messages' source and offer an opt-out function.
- 40% of marketing execs who responded weren't sure whether their companies followed the law.
- 40% of all breach incidents were a result of a third party's handling of data.
So who needs IT security policy at this time? Based on my experience, enacting IT security, especially for non-IT people, is quite difficult. No, I mean it is also more difficult since the IT people who have the knowledge also tend to bypass the security.
Any opinion? Other auditors in the world, maybe?