
How many controls?

Recently I was part of a very interesting discussion on pre-audit controls management for one of our clients. One of the questions that came up after that meeting was this: "how many controls does an organization truly need?"

The success of an Information Risk Management (IRM) initiative will be based on both the effectiveness and the efficiency of the controls validation process.

So to get onto this path, one must understand the organization's ability to rationally quantify the number of controls. How many controls does a Fortune-sized organization need? Let's elaborate this a bit.

a) Have controls been classified into information domains, e.g. Access Management controls versus customer information protection controls?

b) Is there a suitable control range?

c) Does one information domain need more controls than another, due to its size, complexity or native weakness?

d) Are there seasonal controls? E.g. additional approvals for system changes during approaching holiday cycles?

e) What looks good and what looks like overkill?

f) What drivers enabled this control domain to evolve over a period of time?

Very interesting questions! And no unique answers yet!

Due to Sarbanes-Oxley and other regulations, some companies have been quick to put tremendous effort into defining and documenting controls in virtually every facet of their organization. For example, does each phase of a software development lifecycle become a control? Probably yes, to some; then again, others would argue that only the design and testing phases are true controls.

Also, what about the opportunities to reduce the repeated effort and cost that go, year on year, into validating certain controls?

So what does one do about all this? These days there are efforts within the industry around "controls consolidation initiatives".

This may be a solution to the above issues; however, it is a path that can also end up leaving thin controls in some areas versus others. Defining consolidation and selection criteria and understanding the true needs per information domain will definitely help. Undertaking a formal assessment of the scope, context and objectives of the exercise will additionally help.

Ultimately it is all about the trade-off between getting an IRM initiative done lightly and quickly versus having a comprehensive process that takes much longer. Striking the balance between the two depends on the amount and quality of the available pre-audit controls.

And something to think about further!


Comments

Hi ramshankar ramdattan,
This is vinod from chennai. I work as an information security analyst here in chennai. I'm new to this IT culture, and specifically talking about my interest and passion for information security from a technical perspective, I understand that we need to have a balance for both the technical and the management, I mean the process-oriented work too. I'm actually getting involved in ISO 27001 and SAS 70 these days, and I'm glad to see that your post is of real good to us and boosting for young new people in this field. Thank you... If possible and if time permits, can you write a post on how to evaluate the metrics for the controls that we have in a compliance-driven organisation? Though I have worked a little on this, I still feel I haven't come to a comfortable zone on this. Hope to see your post again on this. Thanks.
vinod

I am taking my ITIL v2 tomorrow! :D That made me point to your blog :) Nice blog anyway, keep posting :) Wonderful work.
