Penetration Testing mailing list archives
[PEN-TEST]
From: Mark Williams <mdwilliams_44 () YAHOO COM>
Date: Thu, 7 Sep 2000 13:23:01 -0700
> end questions are these. How can companies decide which auditors really do a decent job and are worth their value?
As an Auditor of some years' experience, I would like to add my 2 cents' worth. The biggest and best recommendation is from other auditees. If an auditor won't share his customer list, or at least a selection of references, get out quick!
> Are there any certifications or Industry groups out there or on the horizon that will evaluate and endorse auditors?
ISACA, the Information Systems Audit and Control Association, of which I am a member, sponsors the CISA designation (which I hold). Like all designations, it can only tell you so much. However, the CISA shows that the auditor has at least 5 years of consistent audit and/or security practice experience. It also shows that they understand the concepts and procedures involved in auditing and controlling Information Systems. Unfortunately it is no guarantee of quality. As one wise auditor once told me, "there are those who have 20 years of experience, and those who have one year of experience twenty times".
> What is the best approach from a Network Admin position to counter end results delivered by auditors if they seem to be in error?

First, be in on the original discussions as to scope and expected results. Then make sure you are talking to the auditors and get their results before they show management. I for one always double check my findings with the admin crowd to avoid getting egg on my face, as these auditors obviously have. (I should also mention that I have some years' experience as both a System Admin and as a Director of Data Security, so my experience may not be average.)
> Has anyone else been through this, and is destined to get worse before getting better?
Getting worse? Probably. I hesitate to say it, but many large firms are realizing there is gold in IS Audit. With very few CISAs out there to troll, they are taking immature, often inexperienced auditors, and forcing them into the IS mold. But then the big 5 have always used their clients as a training ground for new hires. I think your only defense is to ensure that you know the quals and background of the Lead Auditor or Audit Manager assigned to your audit, and question his credentials before things begin. Make sure that he at least is CISA, and preferably all those working under him also (good luck).
> Thanks for any thoughts or comments, Derrick
I am not sure this helped, but it is an opinion from someone with some years of experience. I now work as a consultant, so I can look back without the blinders on, I think.

Mark Williams, CISA
secur-IT.com Inc
markw () secur-it-now com