Wealth management firm AMP has rejected established auditing and security frameworks for a procedure list hand-drawn by its own head of security.
John O'Driscoll, who heads AMP's IT risk and security division, drew on his 25 years' experience in IT auditing and security to design the framework, and cherry-picked sections from the widely adopted Control Objectives for Information and related Technology (COBIT) best practice guidelines, the ISO 17799 security standard and the Information Technology Infrastructure Library (ITIL).
O'Driscoll claims the existing standards could not translate IT into metrics that were useful to AMP’s business managers. “I couldn't find anything in Cobit or the [ISO 17799] standard that suited my accountability,” O'Driscoll told Computerworld.
“Audit talks Cobit, and security talks ISO 17799, but I felt that business managers would have to take my word for it if I used these frameworks.”
O'Driscoll's framework, which he designed in his own time, covers the management of incidents, operations, identity and access, resources, threats and vulnerabilities, and governance. It has also been adopted by the Commonwealth Bank, where O'Driscoll worked previously, and is currently going live across AMP.
He described the initial framework development stages as akin to “eating an elephant”. “[AMP] was great at ad-hoc response but the process wasn't repeatable. It took months to get the framework together but now we can do an assessment on all areas of the framework.”
“The first time our team had a punt at describing what we do, we all came up with different opinions, which was an enlightening experience,” O'Driscoll said, adding that lists of roles, standards and interpretations were then agreed on and compiled.
Within three months of taking the job, O'Driscoll began ripping out the security and auditor jargon from AMP's security procedures to create meaningful reports for business managers and the company's 35,000 staff. “We had to work out the scope of security and communicate it in a logical way with useful metrics,” he said.
As part of the process, “stale” security policy documents were turned into a video game and distributed to end users to educate them about the need for IT security, while a mandatory 20-minute exam was created to test user awareness and knowledge. The 100-page security policy was also condensed into a single page of brief bullet points covering entitlement management, physical security, systems lifecycle, IT operations and incident response.