Q&A

Former ISACA Head: SAS 70 Changes Coming

Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors, expects changes for SAS 70 and more collaboration between security and non-security management groups

By Bill Brenner, Senior Editor

July 25, 2008 — CSO —

The conventional wisdom of recent years is that security must be approached as a business function rather than a separate, distracting entity. As such, security organizations must start collaborating with groups outside the security realm, according to Marios Damianides, a partner in Ernst & Young's technology and security risk services group and past president of ISACA's board of directors.

Marios Damianides

Damianides, a member of ISACA (Information Systems Audit and Control Association) since 1992 and its international president from 2003 to 2005, has helped numerous Fortune 100 companies design and implement security management systems and has watched the line between security and other business functions evaporate.

In this Q&A, he discusses impending changes for the SAS 70 auditing standard, ISACA's collaboration with ASIS International (ASIS) and the Information Systems Security Association (ISSA); and opportunities he sees for security and other groups to work together for the common good.

An update on SAS 70 is brewing, yes? Comment on how that auditing instrument needs to evolve, and how it might serve security purposes better, with the understanding that it isn't technically a "security" standard?
Marios Damianides: SAS 70 is becoming a broader tool. Talks are happening around the idea of creating general-purpose SAS 70s where you could define to some extent the environment you'll be auditing against and then design and test that environment. This could apply to security.

How so?
Companies need to show customers that their security environment is sound, so a general-purpose SAS 70 would define the security environment and the controls that would be audited. That kind of a SAS 70 could then be distributed to customers who signed an agreement with the company in question, so they know that the measures are being followed. I also believe SAS 70 will be more closely aligned with ISO 17799 (the international standard code of practice for information security management) over time to reflect the growing convergence between them.

Looking at today's threat landscape and the skills security professionals need to succeed, has anything changed since your time as ISACA's president, or are the skill sets needed basically the same?
The fundamentals are the same. The security professional needs to have the business acumen to be relevant to the corporation. That has always been the case. Is it more significant today than three or four years ago? Absolutely. The business side of being a good security professional is taking a more prominent role today than before. The technological aspects of security have become more accepted as day-to-day operating procedure. It's more of a commodity now. What's more challenging is for security professionals to show how the policies are relevant in making a difference to the business side.