Last month I was speaking at the CSI Net Sec 2007 conference on Identity and Access Management, a key topic within IRM domains. Overall this was a very well attended event featuring various themes and topics.
It dawned on me during the show that what was happening was fundamentally a very well structured collaboration forum: people coming in and sharing a range of experiences across different industries, initiatives and focused content.
Much of this has parallels with the manner in which an Information Risk Management (IRM) engagement is structured.
When we seek to evaluate the risk to a particular control, there are differing opinions on the nature of the risk, the actual impact to the asset and the business drivers that influence the risk.
Consider the following scenario:
During the annual controls assessment, it was discovered that a couple of mid-level employees had full access to product specs and supplier sourcing information. However, it was not clear from the available documentation whether their manager was periodically reviewing their access. This was immediately flagged as a significant control failure.
When the issue was brought up for remediation, the technology folks pointed to the 35-day password reset built into the application and the manual check of access levels put into place the week before. So, as it turned out, much of the assessment had focused on reviewing the documentation rather than on talking to and learning from the folks who work with the process.
How can pre-audit or technology folks arrive at opinions that are consistent with each other's viewpoint? The key word here has to be 'collaboration'. Unless one side is able to partner with the other, spend some time understanding the issues, and discuss the points of contention, a one-sided view will not go very far. We end up in a 'your word versus mine' mode.
Can one group conduct an independent controls assessment without seeking the inputs of the target groups? How do they gather the right levels of information / evidence? Who owns the remediation process? How can remediation steps be completed on time?
Once you inject changing regulations and the dynamic business environment, it becomes all the more certain that a one-sided view of Information Risk will be quite short-lived.
Lastly, what comes down to the biggest case for collaboration is that since it is people who run the various business processes, they are quite likely to change those processes in small or big measures.