Q&A

Former ISACA Head: SAS 70 Changes Coming

Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors, expects changes for SAS 70 and more collaboration between security and non-security management groups

By Bill Brenner, Senior Editor

July 25, 2008

The conventional wisdom of recent years is that security must be approached as a business function rather than a separate, distracting entity. As such, security organizations must start collaborating with groups outside the security realm, according to Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors.

Marios Damianides

Damianides, a member of ISACA (Information Systems Audit and Control Association) since 1992 and its international president from 2003 to 2005, has helped numerous Fortune 100 companies design and implement security management systems and has watched the line between security and other business functions evaporate.

In this Q&A, he discusses impending changes for the SAS 70 auditing standard, ISACA's collaboration with ASIS International (ASIS) and the Information Systems Security Association (ISSA); and opportunities he sees for security and other groups to work together for the common good.

An update on SAS 70 is brewing, yes? Comment on how that auditing instrument needs to evolve, and how it might serve security purposes better, with the understanding that it isn't technically a "security" standard?
Marios Damianides: SAS 70 is becoming a broader tool. Talks are happening around the idea of creating general-purpose SAS 70s where you could define to some extent the environment you'll be auditing against and then design and test that environment. This could apply to security.

How so?
Companies need to show customers that their security environment is sound, so a general-purpose SAS 70 would define the security environment and the controls that would be audited. That kind of a SAS 70 could then be distributed to customers who signed an agreement with the company in question, so they know that the measures are being followed. I also believe SAS 70 will be more closely aligned with ISO 17799 (the international standard code of practice for information security management) over time to reflect the growing convergence between them.

Looking at today's threat landscape and the skills security professionals need to succeed, has anything changed since your time as ISACA's president, or are the skill sets needed basically the same?
The fundamentals are the same. The security professional needs to have the business acumen to be relevant to the corporation. That has always been the case. Is it more significant today than three or four years ago? Absolutely. The business side of being a good security professional is taking a more prominent role today than before. The technological aspects of security have become more accepted as day-to-day operating procedure. It's more of a commodity now. What's more challenging is for security professionals to show how the policies are relevant in making a difference to the business side.

RESOURCE CENTER
Loading...
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Maximizing Site Visitor Trust Using Extended Validation SSL

VeriSignNow with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.

» Read the Paper

Featured Sponsors
Sponsored Links

Using Likewise to Comply with PCI Data Security Standard

Efficient - Flexible - Compliant

Envision Identity-Based Access Control for the Datacenter

Simplify your data center with Juniper Networks. View the webcast

Managing SSL Security in Multi-Server Environments

The Latest Advancements in SSL Technology

How to Offer the Strongest SSL Encryption

Forrester Total Economic Impact (TEI) report: Save Millions in Fraud Losses.

Get in Compliance With Government Data Regulations

Taking the Botnet Threat Seriously

Any company can promise identity protection. Only Debix can prove it

Welcome to the age of Service-Oriented Security (SOS)

Enabling Compliance with Converged Mainframe Security and Storage

5 Steps to Secure Outsourced Application Development

CA's IT Security centralizes your identity management to turn security into a proactive, business-building tool

How Are Open Source Development Communities Embracing Security Best Practices?

Digital Identity Protection and Data Security Get Personal

When Customer Relationship is Everything, Businesses Bank on SSL Solutions

The Case for Business Software Assurance ~ Securing Your Applications

Maximizing Site Visitor Trust Using Extended Validation SSL

Solving Online Credit Fraud Using Device Reputation

Understanding Data Location is Imperative for Data Loss Prevention

Secure your virtual and physical environments with the same software

Manage your IT more effectively

IDC Defines an Identity and Access Management Submarket

IDC Defines an Identity and Access Management Submarket for Managing Privileged User Accounts and Meeting GRC Requirements

Everything Today's CISO Needs to Know About Using SSO to Succeed in the Web 2.0 Era