Security pros need help from HR, internal audit and some unusual suspects

In an earlier post, I wrote this, but one of the greatest security advisors of our time (IMHO) added his thoughts.

[securitydreamer] “A CISO at a Fortune 500 telecommunications company in the US said his organization is improving three classes of security activity: prevention, detection and corrective action. In a phone conversation he reminded me that a few years ago, data classification was all the rage. But the point was well taken, he said. We all needed to step back and say "wait a minute. What are we really trying to protect here?" One key to success he discovered was asking his legal department for help. "Take a look at the records retention guidelines that legal departments crank out. You’ll find an excellent starting point for identifying the most important information in your organization." It is just a start, but it’s better than most IT security folks can do by themselves.”

[commentator] Law departments, like accounting departments, have their own agenda. Law will tell you to “never save anything!” Their logic is that collecting and saving too many documents, any of which can bite you in the ass, makes the discovery process in litigation a veritable time bomb—cigarette companies agree!

On the other hand, the lower you are in an organization the more important the proofs are of your operational metrics, accomplishments, and disappointments, and most of these are documents.

My point is that adequately assessing the risks and creating an effective records retention policy requires “agenda soup”—a combination of perspectives from the Law, Human Resources, Corporate Communications, Accounting, and Audit departments.

[Thanks P.R.]

Categories: Peak Performance
  1. March 31, 2008 at 8:35 am

    Just ask the people on the Enron engagement team at Arthur Andersen for their thoughts about document retention (and destruction) policies! Seriously though, the “agenda soup” described above makes great sense in theory, and certainly all opinions should always be considered, but I think the practicality is that one policy (or set of policies) will be unlikely to satisfy that entire group. The real test will be the CSO or CISO’s ability to gather all input, define policies fair to all and sell them to all interested parties. Sort of like getting a bill through Congress...

