Compliance with standards, assurance and audit: does this equal security?

Managing information security is a challenge. Traditional checklist approaches to meeting standards may well provide compliance, but they do not guarantee security assurance. The same might be said for audit. The complexity of IT relationships must be acknowledged and explicitly managed by recognising the implications of the self-interest of each party involved. We show how tensions between these parties can lead to a misalignment of security goals, and what needs to be done to ensure this does not happen.
