Abstract
Have you ever been a participant in a conversation that goes something like this?
Auditor: Your controls are not complete.
IT Operations: What controls should I implement?
Auditor: Controls that meet business requirements and control objectives as outlined by COBIT?
IT Operations: But what specific controls should I implement?
Auditor: Go ask the CISO.
Or how about this?
CISO: We need to implement authentication and access control mechanisms.
IT Operations: Sounds good but why?
CISO: Because they are good things and Audit said so.
IT Operations: OK, what specifically do you want me to do?
CISO: Implement authentication and access control mechanisms in accordance with ISO 17799 and follow these 32 standards.
IT Operations: OK, what specifically do you want me to do?
CISO: Perhaps Audit can help you with some best practices.