Monday, June 08, 2009

Information Security and Conflicts of Interest

I used to handle both Information Security and Internal Audit. I know, but it happened because our Internal Auditor left.

I know I can perform both, but the situation is really a conflict of interest. Now that we have an Internal Auditor, other conflicting roles have come to the surface.

The conflicts of interest uncovered were mostly roles that don't adhere to segregation of duties. I know many banks that have a listed Information Security Officer just to comply with the BSP mandate, but the person is actually doing another function.

Information Security needs to be independent of IT and Operations and needs to report to management directly. An InfoSec officer or IT security officer is not a good one if he is reporting to the IT head.

Independence is the key!

1 comment:

  1. Take your role and career as an information security professional to a higher level. Be certified as a lead auditor on Information Security Management Systems (ISMS, ISO/IEC 27001).