Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Facing the business end of the ‘scope.

Why should you audit your security folks?

Note that this is different from an audit of your organization’s security; I’m talking about auditing the folks who do the securing.

Besides the whole quis custodiet thing, there are other reasons why it’s a good idea:  if you’re running your security program as a business, as many people say you should, you need to audit your business.

- Are the security staff being effectively utilized?

- Are they keeping proper records and documenting important processes?

- Are they maintaining a proper separation of duties themselves?

- Are they abusing their überpowers (assuming they have any)?  Are they only monitoring within documented and approved limits?

- Are they properly negotiating and managing contracts?

- Are they making the right purchases and managing their budget properly?

- Are they enforcing policies equally and fairly?

- Does the security program cover all appropriate areas, and is it being diligently applied?

- Are they securing their own information?

- In other words, are you getting the right value for the money you’re spending on those people?

Remember, there is just as much potential for fraud, waste and abuse within a security group as there is anywhere else—perhaps more, because they’re typically in a trusted position.  So audit not, lest ye be audited!

Posted by shrdlu on Friday, May 23, 2008


Comments

rybolov United States on 06/02  at  08:55 AM:

Looking at method, opportunity, and motives, your security staff has all of them except for maybe the last one.  In other words, the only thing protecting you from rogue agents inside your staff is this little gray area called “ethics”.

I sense a Stalinistic purge of the IT security staff is forthcoming.  Just be sure to get some entertainment value out of the show trials.
http://www.guerilla-ciso.com/archives/202

