Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
After I posted an article about Jeff Bardin, CISO of the Hanover Insurance Group, in February on the MSIA Portal, Bardin and I spoke about his work and he pointed me to an article he recently published about communicating with C-level executives that will interest readers. I wanted to expand on a couple of interesting points raised by Bardin in his article.
He wrote:
“Seek out a trusted sponsor - a person who can serve as a conduit to getting your message heard. At one firm, I found the VP of Internal Audit to be a great ally. Internal Audit has been trying for years to get companies to comply with their findings; they follow a code like you. Your efforts will only help their cause. Align your information security pitch with their internal controls-oriented message, adding specifics relevant to the 10 domains of ISO17799 or CISSP Common Body of Knowledge.”
Readers will find useful resources bearing on this point at the following Web sites:
The Committee of Sponsoring Organizations of the Treadway Commission, or COSO, defines internal controls as follows (quoting directly from the site):
Internal control is a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
* Effectiveness and efficiency of operations.
* Reliability of financial reporting.
* Compliance with applicable laws and regulations.
The page continues with “Key Concepts” as follows:
* Internal control is a process. It is a means to an end, not an end in itself.
* Internal control is effected by people. It’s not merely policy manuals and forms, but people at every level of an organization.
* Internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
* Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
The complete ISO 17799:2005 standard can be purchased as a downloadable file or on paper.
The (ISC)2 Common Body of Knowledge is described here. The 10 domains are listed as follows:
* Access Control Systems and Methodology.
* Applications and Systems Development Security.
* Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP).
* Cryptography.
* Law, Investigation and Ethics.
* Operations Security.
* Physical Security.
* Security Architecture and Models.
* Security Management Practices.
* Telecommunications and Network Security.
M. E. Kabay, PhD, CISSP-ISSMP, is Program Director of the Master of Science in Information Assurance program at Norwich University.