The long view of security strategies for your network.
After I posted an article about Jeff Bardin, CISO of the Hanover Insurance Group, in February on the MSIA Portal, Bardin and I spoke about his work and he pointed me to an article he recently published about communicating with C-level executives that will interest readers. I wanted to expand on a couple of interesting points raised by Bardin in his article.
He wrote:
“Seek out a trusted sponsor - a person who can serve as a conduit to getting your message heard. At one firm, I found the VP of Internal Audit to be a great ally. Internal Audit has been trying for years to get companies to comply with their findings; they follow a code like you. Your efforts will only help their cause. Align your information security pitch with their internal controls-oriented message, adding specifics relevant to the 10 domains of ISO17799 or CISSP Common Body of Knowledge.”
Readers will find useful resources bearing on this point at the following Web sites:
The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, defines internal controls as follows (quoting directly from the site):
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
* Effectiveness and efficiency of operations.
* Reliability of financial reporting.
* Compliance with applicable laws and regulations.
The page continues with “Key Concepts” as follows:
* Internal control is a process. It is a means to an end, not an end in itself.
* Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
* Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
* Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The complete ISO17799 2005 standards can be purchased as a downloadable file or on paper.
The (ISC)2 Common Body of Knowledge is described here. The 10 domains are listed as follows:
* Access Control Systems and Methodology.
* Applications and Systems Development Security.
* Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP).
* Cryptography.
* Law, Investigation and Ethics.
* Operations Security.
* Physical Security.
* Security Architecture and Models.
* Security Management Practices.
* Telecommunications and Network Security.
Having external validation of the points you want to make with upper management can increase your credibility. Remember, many of our colleagues have little or no knowledge of the professional standards underlying information assurance and may erroneously assume that we are making up rules as we go. Being able to point to industry and international standards can make a real difference in acceptance of our proposals.
Read more about security in Network World's Security section.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.