Been Thinking about Control of IT Systems

I’ve been talking to myself lately (I do this a lot) about control in the IT environment. That is, change control and security of the information systems from an audit point of view. There are two viewpoints that seem to be discussed.

I’ve heard one viewpoint that says think about it like a manufacturing process where you put processes and controls in place to get a high-yield (or a low excursion rate) on control breakdowns. That is, you can’t achieve 100% control and just like a real-world manufacturing process, you are going to always have events that seem to be out of control. One will always find excursions, there will always be exceptions, there will always be special cases or emergencies where changes are made outside the normal control processes.

On the other hand, from an audit point of view, one should expect the assets to be ‘in control’ with no exceptions. Any excursion where someone has access they are not supposed to have or a change is made outside of the normal change control processes is significant and should not happen. There is no yield concept and exceptions should never happen.

What do you think? What is the correct answer?

Realize that 100% perfection is hard to obtain and very expensive.

2 thoughts on “Been Thinking about Control of IT Systems”

  1. Funny I had the same general idea to write about this weekend and didn’t get around to it.

    I subscribe to the former viewpoint. However, I think it can really be shaped by the type and number of assets you have to protect. I might feel differently if I was in charge at a DOD contractor than I would if I was in charge of a small chain of restaurants. At some point you have to think we are “secure enough” and that looks different for different orgs. Once someone asked the Golden Gate bridge builder what he would change years after the completion of the bridge, “not a dang thing” he said. The reason: bridge building is centuries old, best practices are well known and we know what works and what doesn’t. That’s not true of information technology security, we are still having bridges fall down while we are learning.

    There are two other thoughts I have. One is even if you wanted to have 100% control is that even possible? It seems on the same level of our war on terror, with the consumer empowered like never before is it possible to keep them from doing something? I suspect not, short of maybe disconnecting from the internet completely and taking all cell phones upon entry to the building. Certainly impractical. Which brings me to my second thought which is “Never let the guy with the broom decide how many elephants should be in the parade”. That guy will always find a reason to limit the point of the parade, to have fun. Sometimes I feel like that is what corporate IT has become, the party of NO. In the end I think users just quit asking and wire around policies that we put in place. So my question is how do we work together with functional people to have their buy in, giving them the tools they want, yet protecting the assets?

    Sorry to hijack the post here just the same things mulling around in my head.

    1. Lots of thoughts here Phil.

      Your ‘secure enough’ point is valid, but if there is a weakness, then is it still in control? Certainly cost effectiveness and reasonableness play a role in this discussion too.

      We don’t want IT to be the house of ‘NO.’
