Who's Watching the Watchers?

By Linkous, John | Risk Management, October 2008 | Go to article overview



"QUIS CUSTODIET IPSOS CUSTODES?"

"WHO WILL WATCH THE WATCHERS?"

--Juvenal, Roman poet and satirist

Browse any major newspaper, industry journal or security blog today, and it is evident that the number of significant data breaches--from credit card information to health records--is rapidly increasing. Organizations must improve their information assurance capabilities, but the gap between recognizing the problem and developing a solution to address it can be daunting.

Many organizations respond by throwing more technology and personnel at the problem. While this can help, the true answer lies in ensuring that the three core IT teams responsible for information assurance--network operations, security and risk operations and audit/compliance--have the necessary independence to identify, evaluate and implement the right solutions to reduce risk to the organization.

In the most traditional model of information assurance, which is implemented in many organizations today, network and security operations are tethered together. Similarly, audit (which frequently includes compliance management) is also often placed within the IT governance model under the auspices of being an independent entity, despite still being under the same reporting umbrella as the organization it is supposed to audit. Unfortunately, in today's IT environment, an estimated 70% of all security breaches resulting in over $100K in losses come from inside the organization. These challenges prevent each IT team from performing its job independently, effectively and efficiently.


Independence: The Business Case

As Juvenal's famous quote indicates, the concern over too much concentrated control (in his case, by the Roman government) left the distinct impression on the populace that they needed assurances to keep those with power in check. In today's world of technology, the problem remains essentially the same: who will watch over IT teams to ensure that they make the right decisions? The answer, too, is similar: they must watch themselves.

In technology, as in politics, the concept of separation of duty is used to enforce independence across different groups that support the same business goal while providing a valuable system of checks and balances to ensure that each group operates with some degree of peer oversight. In the case of IT, the network, security and audit teams are most effective when controls are established to ensure that each group functions independently, yet still works collaboratively to support the business.

The idea of keeping IT network, security and audit groups independent from each other is not a new concept; in the past decade, a range of federal regulations, best practices and IT security management frameworks (including Sarbanes-Oxley, NIST 800-53, ISO 17799/27002 and COBIT, among others) have been established that either explicitly state or imply the need to keep certain technology-related groups separate to reduce the likelihood of conflicts of interest, inappropriate collusion and even fraud.

Often, this separation is automated at a granular level within IT systems. Role-based access controls, for example, are often used to differentiate persons who have access to different parts of critical systems, such as enterprise resource planning or customer relationship management. Operationally, however, separation of duty also makes sense within IT governance, as a means of ensuring real independence among those groups responsible for information assurance--for example, separating development and production environments for software developers and database administrators.

In the realm of information assurance, a similar compartmentalization of roles leads to more independent and effective technology governance. The benefits of this independence are significant: each group has the authority to review and comment on the efforts of the other two, ensuring that planning efforts are reviewed with a critical eye. …
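The separation-of-duty idea the article describes can be expressed as a policy check over role assignments. The following is an added example, not code from the article or from Risk Management; the role names, team mapping and user assignments are constructed sample data, and the rule that a reviewer must come from a different team than the requester is an assumption used to illustrate peer oversight between the network, security and audit groups.

```python
"""Separation-of-duty check over role assignments (added example).

Flags users who hold roles belonging to more than one of the three
information-assurance teams the article names, and gates a change
review on the reviewer belonging to a different team than the requester.
All role names, users and the team mapping are constructed sample data.
"""

# Which team each role belongs to (constructed mapping, not from the article).
ROLE_TEAM = {
    "netops_admin": "network",
    "firewall_change": "network",
    "siem_analyst": "security",
    "ids_tuning": "security",
    "audit_reviewer": "audit",
    "compliance_reporting": "audit",
}


def teams_of(assignments, user):
    """Set of teams a user belongs to, derived from the roles they hold."""
    return {ROLE_TEAM[r] for r in assignments.get(user, ()) if r in ROLE_TEAM}


def conflicts(assignments):
    """Return {user: sorted team list} for every user spanning more than one team."""
    found = {}
    for user in assignments:
        teams = teams_of(assignments, user)
        if len(teams) > 1:
            found[user] = sorted(teams)
    return found


def independent_review(assignments, requester, reviewer):
    """True only when requester and reviewer are distinct people on disjoint teams."""
    if requester == reviewer:
        return False
    t_req, t_rev = teams_of(assignments, requester), teams_of(assignments, reviewer)
    # Someone with no recognised team cannot request or review at all.
    return bool(t_req) and bool(t_rev) and t_req.isdisjoint(t_rev)


# Constructed sample assignments: bob holds both a security and an audit role.
SAMPLE = {
    "alice": ["netops_admin", "firewall_change"],
    "bob": ["siem_analyst", "audit_reviewer"],
    "carol": ["compliance_reporting"],
    "dave": [],
}

if __name__ == "__main__":
    print(conflicts(SAMPLE))                              # {'bob': ['audit', 'security']}
    print(independent_review(SAMPLE, "alice", "carol"))   # True
```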
