
RE: Culture of Accountability

Subject: RE: Culture of Accountability
Date: Tue, 4 Apr 2006 12:15:22 -0400
Agreed.
What we 'try' to do is assign Primary and Contributory accountabilities.
Meaning, we ask a business person to be the primary accountable person for
ensuring their data is adequately secured. At the same time we assign a
contributory accountability to the IT department because they play an
important role in ensuring systems are patched, configurations are
appropriate for the application, etc. It is easy to fall into the blame
trap; to address this issue, we ask for hand-offs between the business and
IT to be clear. Like everything else, it is a work in progress.

-- kathy


From: "Andrew Shore" <andrew.shore@holistic.it>
Sent: Mon 04/03/2006 08:42 AM
To: "Brad Bemis" <bradleyb@bradleyb.net>, <security-management@securityfocus.com>
cc:
Subject: RE: Culture of Accountability


The issue of accountability equates to blame; the problem then is that
when something goes wrong someone is left to carry the can. This leads
to a culture of people covering up to dodge the blame, which in turn
means that when a security failure occurs it is very difficult to find
out what went wrong and how to stop it again.



This is the theory used by the aviation industry.



It's better to find out what went wrong than it is to point the finger,
that way we all learn from the mistakes.



That's not to say that the buck has to stop somewhere, but in my
experience the buck will stop at the guy who is so far removed from the
"hands on and dirty" part of the job that he really can't be "blamed", i.e.
the VP for IT security can't check that every firewall rule is valid.



But yes, this should get an interesting thread going :-)



Just my 2c



Andy



________________________________

From: Brad Bemis [mailto:bradleyb@bradleyb.net]
Sent: 02 April 2006 21:19
To: security-management@securityfocus.com
Subject: Culture of Accountability



Security is a function of a strong control environment - and
accountability is one of its central themes.  I am interested to hear
how some of you have approached the issue of accountability in your own
organizations...  More from a practical implementation-oriented
standpoint and less on theories about how accountability SHOULD work...




Should be an interesting topic...



Brad Bemis, CISSP, CISA

Information Security Professional
