14 February, 2008

Year of SoD

From a security perspective

If '00 and '01 were years of the worm;

'02 through '04 the years of SoX, Compliance, and executive oversight

'05 through '07 the years of organized crime and Identity theft

Then

In the Security Realm these will be the years of Segregation of Duty.

Why?

7 Billion Dollars
Wall Street Journal
http://online.wsj.com/article/SB120168827173528415.html?mod=googlenews_wsj
CNN
http://www.cnn.com/2008/WORLD/europe/01/30/french.bank.ap/
Reuters
http://www.reuters.com/article/businessNews/idUSWEB304120080124
Bloomberg
http://www.bloomberg.com/apps/news?pid=20601085&sid=aSy8ZDtkdcow&refer=europe

On the Sub-Prime Side
Guardian
http://www.guardian.co.uk/business/2008/jan/30/subprimecrisis.creditcrunch?gusrc=rss&feed=networkfront
Financial News
http://www.financialnews-us.com/?page=ushome&contentid=2449684760

Information Security has a unique role that it can play in protecting a company from these issues. That role is due to the convergence of information. The information security team is the only location that all of the data exists that can be used to properly control for these types of complex issues.

Addressing them requires the proper combination of ID management, Roles Based Controls, and Analytic Business intelligence. (the latter is the primary reason I championed the Analytic Environment standards over a year ago).

This is an area that Info Security can not only serve as a minimum barrier to prevent downtime or confidentiality loss but can also add legitimate value to the business in the form of information, reports and preventative controls to enable increased trust to the actual people performing the real day to day work without the risk of a massive failure.

On the opposite end SoD control failures are massive and systemic. Not only do they result in dramatic items like the ones mentioned above but also ubiquitous often unintentional losses. From system down time to improperly placed orders or paid claims the incremental small losses exist in every organization.

The real question now is can we position ourselves so that we are ready as these waves break?

No comments: