encrypted tapes
Richard Stiennon
richard at stiennon.com
Thu Jun 9 10:44:26 EDT 2005
I spent several years as such a security auditor for PwC. While yes, they
do hire a bunch of kids out of MBA school, they also have extremely
experienced senior managers supervising them. We always delved into
business processes as well as using "off the shelf" tools. Invariably I
would find major flaws in the way security was implemented at utilities,
railroads, major banks, and computer manufacturers.
At Gartner I always advised my clients that if the purpose of the audit was
to find a bunch of stuff and fix it, then you should select a local boutique
firm who will do a faster, more in-depth assessment and give you
actionable items to address at a very reasonable cost. If your purpose in
doing a security audit is to convince the board of directors that you need
to invest more in security then go with a big audit firm because their
opinion holds much more weight.
Stiennon
blog: www.threatchaos.com
At 10:14 AM 6/8/2005, Perry E. Metzger wrote:
>astiglic at okiok.com writes:
> > One thing that irritates me is that most security audits (that verify
> > compliance with regulations) are done by accountants. No disrespect for
> > accountants here, they are smart people, but most of them lack the
> > security knowledge needed to really help with the security posture of a
> > company, and often they don't work with a security expert. I saw a lot of
> > requirements by security auditors that looked pretty silly.
> > I believe a mix of accountants with security experts should be used for
> > security audits
>
>It is worse than that. At least one large accounting company sends new
>recruits to a "boot camp" where they learn how to conduct "security
>audits" by rote. They then send these brand new 23 year old "security
>auditors" out to conduct security "audits", with minimal supervision
>from a partner or two. The audits are inevitably of the lowest
>possible quality -- they run automated security scanners no better
>than open source ones you could download on your own, and they run
>through checklists. If an automated tool doesn't say there is a
>problem, or if you obey the mindless checklist items, you pass.
>
>Of course, for all the good such an "audit" does, you would as well
>roll dice and claim that the output was somehow correlated with the
>quality of your security infrastructure. Such an "audit" is totally
>worthless except as a bureaucratic dodge. "We hired a world class
>accounting company to check our security!" the executives can cry, "so
>these security problems aren't our fault!" (Would that "fiduciary
>responsibility" were not so often equated with "make sure there is
>enough window dressing that we can't be blamed.")
>
>By the way, selling such "audits" is extremely profitable, given the
>discrepancy between the pay for the kids doing the audits and the
>price the customer is charged. What is pathetic is not that companies
>would try to foist such worthless services upon their customers, but
>that their customers would willingly buy.
>
>Incidentally, my understanding is that at least some accounting
>companies use similar techniques for doing audits of the bookkeeping
>practices at their customers, which makes them at least somewhat
>consistent, if nearly useless to relying parties. When you hear things
>to the effect that accounting audits can only detect unintended bad
>process and not deliberate malfeasance, that's part of the reason why.
>
>Perry
>
>
>
>---------------------------------------------------------------------
>The Cryptography Mailing List
>Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
Richard Stiennon
The blog: http://www.threatchaos.com