Facing the business end of the ‘scope.
Why should you audit your security folks?
Note that this is different from an audit of your organization’s security; I’m talking about auditing the folks who do the securing.
Besides the whole quis custodiet thing, there are other reasons why it’s a good idea: if you’re running your security program as a business, as many people say you should, you need to audit your business.
- Are the security staff being effectively utilized?
- Are they keeping proper records and documenting important processes?
- Are they maintaining a proper separation of duties themselves?
- Are they abusing their überpowers (assuming they have any)? Are they only monitoring within documented and approved limits?
- Are they properly negotiating and managing contracts?
- Are they making the right purchases and managing their budget properly?
- Are they enforcing policies equally and fairly?
- Does the security program cover all appropriate areas, and is it being diligently applied?
- Are they securing their own information?
- In other words, are you getting the right value for the money you’re spending on those people?
Remember, there is just as much potential for fraud, waste and abuse within a security group as there is anywhere else—perhaps more, because they’re typically in a trusted position. So audit not, lest ye be audited!
Posted by shrdlu on Friday, May 23, 2008