A higher standard of due care.


DURING THE LAST SEVERAL YEARS, I HAVE NOTICED CERTIFIED public accounting (CPA) firms harvesting specialized technology credentials. It is not uncommon for CPAs and other professionals at these firms to possess Certified Information Systems Security Professional or Certified Information Systems Auditor credentials for performing assessment, assurance, and attestation services in cyber-security and other technology-related areas. Addressing today's technology risks, however, requires expertise and extensive training, beyond just certification. Professionals who provide technology or other specialized attestation need to possess appropriate, expert-level qualifications--especially where the risks can be truly catastrophic.

In the United States, the standard of "due care" has risen dramatically since events such as the Sept. 11 attacks, the collapse of Enron, and the Iraq war. Greater consequences from risk events have led to increased control requirements and, subsequently, a higher standard of what truly constitutes due care. Cyber-security, bio-terrorism, and other threats have raised "proficiency" and "assurance" thresholds as well.

Regulatory authorities--such as the U.S. Department of Homeland Security and the Securities and Exchange Commission--are also raising the standard. The Sarbanes-Oxley Act of 2002 and Federal Information Security Management Act, for example, demand much higher levels of organizational vigilance and professional attestation. In light of the elevated regulatory climate, as well as increased nonregulatory threats, professionals who conduct work outside their areas of expertise can expose the organization to significant harm and even subject themselves to litigation risk.

To meet today's due care standards, organizations need to ensure that those who perform attestation work possess the right level of expertise. To address heightened cyber-security and other technology-related threats, for example, those performing IT and security assessments should ideally possess a software engineering degree or comparable background. Similarly, a bio-terrorism assessment should be conducted by a biologist with a doctorate-level foundation of expertise. Generally, technical or other highly specialized assessments should be handled by an expert with appropriate academic training and a professional license in the area under review.

CIO magazine forewarns: "In 2010, information security will be much better than it is today. But between then and now, everything will get inconceivably worse." Despite this and other signs of increasing security challenges, one training firm currently offers to provide a cyber-security certificate in just seven days. Can individuals who obtain this type of certification truly provide the requisite "due diligence" and "due care" in areas where they are not degreed or licensed?

Superficial training and token credentials hardly seem adequate for the threats facing today's organizations. It is not sufficient to merely comply with established laws and requirements or give cursory treatment to risk areas. The security and overall health of the organization demand a much higher standard.

To comment on this article, e-mail the author at ghutchins@theiia.org. The opinions expressed are solely those of the author.

GREG HUTCHINS, PE
COPYRIGHT 2005 Institute of Internal Auditors, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:IN MY OPINION; CPAs must possess more standards
Author:Hutchins, Greg
Publication:Internal Auditor
Geographic Code:1USA
Date:Apr 1, 2005
Words:467