encrypted tapes

Perry E. Metzger perry at piermont.com
Wed Jun 8 12:14:33 EDT 2005


astiglic at okiok.com writes:
> One thing that irritates me is that most security audits (that verify
> compliance with regulations) are done by accountants.  No disrespect for
> accountants here, they are smart people, but most of them lack the
> security knowledge needed to really help with the security posture of a
> company, and often they don't work with a security expert.  I saw a lot of
> requirements by security auditors that looked pretty silly.
> I believe a mix of accountants with security experts should be used for
> security audits.

It is worse than that. At least one large accounting company sends new
recruits to a "boot camp" where they learn how to conduct "security
audits" by rote. They then send these brand new 23-year-old "security
auditors" out to conduct security "audits", with minimal supervision
from a partner or two. The audits are inevitably of the lowest
possible quality -- they run automated security scanners no better
than open source ones you could download on your own, and they run
through checklists.  If an automated tool doesn't say there is a
problem, or if you obey the mindless checklist items, you pass.

Of course, for all the good such an "audit" does, you would as well
roll dice and claim that the output was somehow correlated with the
quality of your security infrastructure. Such an "audit" is totally
worthless except as a bureaucratic dodge. "We hired a world class
accounting company to check our security!" the executives can cry, "so
these security problems aren't our fault!" (Would that "fiduciary
responsibility" were not so often equated with "make sure there is
enough window dressing that we can't be blamed.")

By the way, selling such "audits" is extremely profitable, given the
discrepancy between the pay for the kids doing the audits and the
price the customer is charged. What is pathetic is not that companies
would try to foist such worthless services upon their customers, but
that their customers would willingly buy.

Incidentally, my understanding is that at least some accounting
companies use similar techniques for doing audits of the bookkeeping
practices at their customers, which makes them at least somewhat
consistent, if nearly useless to relying parties. When you hear things
to the effect that accounting audits can only detect unintended bad
process and not deliberate malfeasance, that's part of the reason why.

Perry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com