IT security policy model
O'Driscoll admits receiving industry flak about “trivialising” security but says it did not change his attitude — namely that “technical jargon should not leave the confines of IT”.
“My job is done when people take security seriously because they understand why, not because they have to,” O'Driscoll said.
O'Driscoll claims his big challenge was to achieve a balance between providing business departments with enough information to make decisions, but keep things straightforward and clear enough to have meaning to non-IT users.
“The CEO and audit want transparency with IT, and I want both [of them] off my back, so simplicity works.”
AMP and the Commonwealth Bank now both use employ a “colour tag” using green, orange and red to identification and grade security zones, access and devices based on potential risk.
O'Driscoll said AMP’s security shop is now busy shifting responsibility and risk back to business owners as much as possible. O'Driscoll said this forces business units to re-evaluate their needs and reduce risks within projects. “When they understood we weren't just going to rubber-stamp everything they put a lot more work into what they gave us,” he said.
O'Driscoll said Australia is increasingly becoming a target for hackers and online fraudsters, who see the country as a “softer” target compared to the United States and its hard-line disclosure laws.
“Compliance doesn't mean you're safe,” he said. “You can have lousy security and still be compliant.”
O'Driscoll was speaking at the ISACA Oceania CACS2008 conference in Sydney this week.