What is the relationship between your Information Security department and the Internal Audit? Is it a friendly work together relationship or is there resentment between the two teams?
Both the Information Security and IT Internal Audit teams have similar goals: make sure the company’s data is properly protected from inadvertent disclosure, modification, or inappropriate access. However, the attitudes displayed by each of the teams and their members can go a long way toward helping build a constructive working relationship.
Since I have worked both sides in the same company, moving from Internal Audit to the Information Security team, I can provide some information on this subject. Clear lines need to be drawn as to the responsibility of each team where the areas might start to come together. For example, consider a project to upgrade an application that falls under the Sarbanes-Oxley (SOX) umbrella. Both teams are going to be interested in it: Information Security will probably be more interested in the details of a set of criteria for new applications, while Internal Audit is probably more interested only in those controls pertaining to SOX. However, a lack of understanding of the other team’s responsibilities could lead to ill thoughts about the other team.
I believe each team can provide some level of assistance to the other team, but there needs to be a defined separation of duties, and each member of both teams needs to understand where their responsibilities begin and, more importantly, where their responsibilities end.