Infrastructure Services are definitely undergoing a major transformation. How does one navigate the web of emerging technology trends and stay ahead of the game? Read on to learn more on our Infra Matters blog.


Your word versus mine

Last month I was speaking at the CSI Net Sec 2007 conference on Identity and Access Management, a key topic within IRM domains. Overall this was a very well attended event featuring a range of themes and topics.

It dawned on me during the show that what was fundamentally happening was a very well structured collaboration forum: people coming in and sharing a range of experiences from different industries, initiatives and focused content.

Much of this has parallels with the manner in which an Information Risk Management (IRM) engagement is structured.

When we seek to evaluate the risk to a particular control, there are differing opinions on the nature of the risk, the actual impact to the asset, and the business drivers that influence the risk.

Consider the following scenario.

During the annual controls assessment, it was discovered that a couple of mid-level employees had full access to product specs and supplier sourcing information. However, it was not clear from the available documentation whether their manager was reviewing their access periodically. This was immediately flagged as a significant control failure.

When the issue was brought up for remediation, the technology folks pointed to the 35-day password reset built into the application and to the manual check of access levels put in place the week before. So, as it turned out, much of the assessment had focused on reviewing the documentation rather than on talking to, and learning from, the folks who actually work with the process.

How can the pre-audit and technology folks arrive at opinions that are consistent with each other's viewpoint? The key word here has got to be 'collaboration'. Unless one side is able to partner with the other, spend some time understanding the issues, and discuss the points of contention, a one-sided view will not go very far. We end up in a 'Your word versus mine' mode.

Can one group conduct an independent controls assessment without seeking the input of the target groups? How do they gather the right level of information and evidence? Who owns the remediation process? How can remediation steps be completed on time?

Once you add changing regulations and a dynamic business environment, it becomes all the more certain that a one-sided view of Information Risk will be quite short-lived.

Lastly, the biggest case for collaboration comes down to this: since it is people who run the various business processes, they are quite likely to change those processes, in small or large measure.


This reminds me of an RCA that I worked on at IBM. There was no regulation/IT Security audit in place to monitor access levels, 3rd party access, risk acceptance etc. on client servers. Every time this application hung, people would reboot the server! The level of detail captured in the server audit trail wasn't significant enough to trace the culprit, as it was a generic UID. It took several sev1 incidents on the same server, and a detailed RCA, to avoid recurrence and to bring about an awareness of concepts like CBN & QEV.
