Wealth management firm AMP has rejected established auditing and security frameworks for a procedure list hand-drawn by its own head of security.
John O'Driscoll, who heads AMP's IT risk and security division, drew on his 25 years experience in IT auditing and security to design the framework, and cherry-picked sections from the widely adopted Control Objectives for Information and related Technology (COBIT) best practice guidelines, the ISO 17799 security standard and the Information Technology and Infrastructure Library (ITIL).
O'Driscoll claims the existing standards could not translate IT into metrics that were useful to AMP’s business managers. “I couldn't find anything in Cobit or the [ISO 17799] standard that suited my accountability,” O'Driscoll told Computerworld.
“Audit talks Cobit, and security talks ISO 17799, but I felt that business managers would have to take my word for it if I used these frameworks.”
O'Driscoll's framework, which he designed in his own time, covers management of incidents, operations, identity and access, resources and threats and vulnerabilities, and governance. It has also been adopted by the Commonwealth Bank, where O'Driscoll worked previously, and is currently going live through AMP.
He described the initial framework development stages as akin to “eating an elephant”. “[AMP] was great at ad-hoc response but the process wasn't repeatable. It took months to get the framework together but now we can do an assessment on all areas of the framework.”
“The first time our team had a punt at describing what we do, we all came up with different opinions, which was an enlightening experience,” O'Driscoll said, adding that roles, standards and interpretations lists were agreed to and complied.
Within three months of taking the job, O'Driscoll began ripping out the security and auditor jargon from AMP's security procedures to create meaningful reports for business managers and the company's 35,000 staff. “We had to work out the scope of security and communicate it in a logical way with useful metrics,” he said.
As part of the process, “stale” security policy documents were turned into a video game and distributed to end users to educate them about the need for IT security, while a mandatory 20 minute exam was created to test user awareness and knowledge. The 100-page security policy was also condensed into a single page, dictating brief bullet points on entitlement management, physical security, systems lifecycle, IT operations and incident response.