AMP, Commonwealth Bank choose homegrown security

DIY security framework removes jargon from security/audit standards to create better reports for business
IT security policy model

Wealth management firm AMP has rejected established auditing and security frameworks for a procedure list hand-drawn by its own head of security.

John O'Driscoll, who heads AMP's IT risk and security division, drew on his 25 years' experience in IT auditing and security to design the framework, and cherry-picked sections from the widely adopted Control Objectives for Information and related Technology (COBIT) best practice guidelines, the ISO 17799 security standard and the Information Technology Infrastructure Library (ITIL).

O'Driscoll claims the existing standards could not translate IT into metrics that were useful to AMP’s business managers. “I couldn't find anything in Cobit or the [ISO 17799] standard that suited my accountability,” O'Driscoll told Computerworld.

“Audit talks Cobit, and security talks ISO 17799, but I felt that business managers would have to take my word for it if I used these frameworks.”

O'Driscoll's framework, which he designed in his own time, covers incident management, operations, identity and access, resources, threats and vulnerabilities, and governance. It has also been adopted by the Commonwealth Bank, where O'Driscoll worked previously, and is currently going live across AMP.

He described the initial framework development stages as akin to “eating an elephant”. “[AMP] was great at ad-hoc response but the process wasn't repeatable. It took months to get the framework together but now we can do an assessment on all areas of the framework.”

“The first time our team had a punt at describing what we do, we all came up with different opinions, which was an enlightening experience,” O'Driscoll said, adding that lists of roles, standards and interpretations were then agreed on and compiled.

Within three months of taking the job, O'Driscoll began ripping out the security and auditor jargon from AMP's security procedures to create meaningful reports for business managers and the company's 35,000 staff. “We had to work out the scope of security and communicate it in a logical way with useful metrics,” he said.

As part of the process, “stale” security policy documents were turned into a video game and distributed to end users to educate them about the need for IT security, while a mandatory 20-minute exam was created to test user awareness and knowledge. The 100-page security policy was also condensed into a single page of brief bullet points on entitlement management, physical security, systems lifecycle, IT operations and incident response.

O'Driscoll admits receiving industry flak about “trivialising” security but says it did not change his attitude — namely that “technical jargon should not leave the confines of IT”.

“My job is done when people take security seriously because they understand why, not because they have to,” O'Driscoll said.

O'Driscoll claims his big challenge was to strike a balance between giving business departments enough information to make decisions and keeping things straightforward and clear enough to have meaning for non-IT users.

“The CEO and audit want transparency with IT, and I want both [of them] off my back, so simplicity works.”

AMP and the Commonwealth Bank now both employ a “colour tag” scheme, using green, orange and red to identify and grade security zones, access and devices according to their potential risk.

O'Driscoll said AMP's security shop is now busy shifting responsibility and risk back to business owners as much as possible, which forces business units to re-evaluate their needs and reduce risks within projects. “When they understood we weren't just going to rubber-stamp everything they put a lot more work into what they gave us,” he said.

O'Driscoll said Australia is increasingly becoming a target for hackers and online fraudsters, who see the country as a “softer” target compared to the United States and its hard-line disclosure laws.

“Compliance doesn't mean you're safe,” he said. “You can have lousy security and still be compliant.”

O'Driscoll was speaking at the ISACA Oceania CACS2008 conference in Sydney this week.