Educause Security Discussion mailing list archives

Re: auditing courses


From: "Mehmedovic, Jenny" <jmehmedo () KU EDU>
Date: Thu, 28 May 2009 14:42:19 -0500

Well, speaking as a former auditor (and someone who likes to not only find problems but also suggest solutions), 
hopefully you will find yourself working with auditors who not only are problem-finders, but are also helpful & 
facilitative.  

Ideally, they should be folks who are in the auditing business because they are interested in helping YOUR business.  

Jenny Mehmedovic 
Assistant to the Provost 
University of Kansas 
(785) 864-9600 
jmehmedo () ku edu 

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Theresa 
Semmens
Sent: Thursday, May 28, 2009 1:26 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] auditing courses

I have to jump into this conversation.  I agree with Keith.  If you are
planning to do an assessment, then some auditing courses and seminars are a
good choice. However, if you plan to audit, then you would be creating a
conflict of interest with your position and its related duties.  Assessment
and audit are two different animals (my personal opinion). Assessment
describes and defines what level you are at and helps you to determine how
to get to the next level.  Auditing looks for violations of policy and
problems - you don't want to do that, you already know what your problems
and issues are. 

Take advice from a former IS auditor - you would much rather not do the
auditing.  You want to be a helper and a facilitator.  Auditors, depending
on their personality, can be their own worst nightmare.

Just my two cents...

Theresa

Theresa Semmens, CISA
NDSU Chief IT Security Officer
PO Box 6050
North Dakota State University
Fargo, ND 58108
Phone: 701-231-5870
FAX: 701-231-8541
Theresa.Semmens () ndsu edu

"Opportunity is missed by most people because it is dressed in overalls and
looks like work."  Thomas Edison 


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Keith Schoenefeld
Sent: Thursday, May 28, 2009 12:35 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] auditing courses

This isn't an answer to the question you asked, but I can't resist
commenting.

If possible in your organization, I'd recommend that you (as an
Information Technology Security Engineer) stay as far away from auditing
as possible.  In my opinion, security engineers and officers should
not be auditors.  It's Security's job to ensure that appropriate risk
mitigation strategies are put in place when system guidelines and/or
requirements are created, and an auditor's job to take those guidelines
and requirements and examine whether a computer or set of computers
adheres to those guidelines.  We, as security engineers, analysts, and
officers, spend way too much time trying to be the officer, the
prosecutor, and the judge.

-- KS

Youngquist, Jason R. wrote:
It's budget time, and I'm looking for an auditing course to take.  I'd
like to be able to audit various departments within our organization to
make sure information is being properly protected.  I've looked at SANS
Audit 410, but does anyone else have any recommendations for other
auditing courses to take?

Thanks.

Jason Youngquist
Information Technology Security Engineer, Security+
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu

--
Keith Schoenefeld
Network Security Officer
Office of Privacy and Information Assurance
University of Illinois
(217) 333-4332