Insurance companies that underwrite business risk policies do include security on their checklist of overall company health as part of a standard process, but they are not what is driving the risk assessment business. The insurance reviews are quick and usually not considered strategic. Instead, it is the overall heightened awareness of security on the part of business managers that is driving demand for information security risk assessments from the major auditing firms such as KPMG, according to Mark T. Lindig, a KPMG partner.
"There is a distinction between what an insurance company is requiring and what managers are asking us to do," says Lindig.
Lindig is the national partner in charge of KPMG's Information Risk Management practice. He has more than 19 years of experience in providing risk management services to clients in multiple industries.
Another strong driver of information security risk assessment is increasing federal regulation of certain industries, including a looming January 2004 deadline for security certifications that the Federal Energy Regulatory Commission now requires of gas, pipeline and electrical utility providers. And with a deadline of March 2004, the Sarbanes-Oxley Act requires that management of public companies listed on a stock exchange and regulated by the SEC certify the quality of their controls over financial reporting, one of which is information security.
"If you have a system that is not well controlled from a security perspective, you really cannot rely on the other controls in that system," Lindig suggests.
Typical vulnerabilities KPMG's auditors find when they perform an information security risk assessment include:
"The customer has to tune the monitoring platform for everything they want to monitor," Lindig advises.