"There is a distinction between what an insurance company is requiring and what managers are asking us to do," says Lindig.
Lindig is the national partner in charge of KPMG's Information Risk Management practice. He has more than 19 years of experience in providing risk management services to clients in multiple industries.
Another strong driver of information security risk assessment is increasing federal regulation of certain industries, including a looming January 2004 deadline for security certifications now being required by the Federal Energy Regulatory Commission of the gas, pipeline and electrical utility providers. And with a deadline of March 2004, the Sarbanes-Oxley Act requires that management of public companies listed on the stock exchange and regulated by the SEC certify the quality of their controls over financial reporting, one of which is information security.
"If you have a system that is not well controlled from a security perspective, you really cannot rely on the other controls in that system," Lindig suggests.
Typical vulnerabilities KPMG's auditors find when they perform an information security risk assessment include:
"The customer has to tune the monitoring platform for everything they want to monitor," Lindig advises.