Penetration Testing mailing list archives

Re: Where to get recognizable, 3rd party security audits?


From: v b <r0cketgrl () yahoo com>
Date: Sat, 4 Mar 2006 16:04:48 -0800 (PST)

I really have to laugh when I read things like this...

You have not mentioned what business silo in which
your company participates.
You cannot be "certified" against HIPAA.  There is no
recognized certification body for this type of
assessment.  Nor for COSO; nor for FISAAA, nor for
ISO17799.  These are all guidelines, not standards,
therefore, your company cannot be "certified" as being
in compliance; the auditor can only comment that your
operations appear to comply with the guidelines.

HIPAA is the US federal regulation for healthcare.
While it is called a "standard" the guidance
enumerated in the Act is so nebulous, it can hardly
be called a standard.  ISO17799 is the guideline,
based upon BS7799, directed primarily toward companies
involved in international trade.  COSO is the
guideline directed toward financial operations.  But,
they are NOT by any means, standards.

You may, however, have a firm perform a BS7799 or
SAS70 audit, which your organization may be
"certified" against (though again, these are
guidelines and there doesn't seem to be any cohesion
in the "certification" process).  Many companies have
a SAS70 performed on an annual basis prior to an
attestation audit to comment on their internal
controls associated with the organization's business
processes.

The organizations performing these audits themselves
must be recognized to perform either of those two
audits.  These are commonly financial statement
attestation organizations (read, accounting firms).

Regards.
--- Pigeon <fredit () charter net> wrote:

Hello, I need to find a company that will do security testing on our
5 or 6 servers to verify their security level. We will need a very
well recognized certificate from them.. AKA, I couldn't do the
security audit, and no Joe Blow (granted you might be awesome) can do
them. The reason for this is to show VERY large corporations our
credentials.


So far, people have mentioned these certs:
SAS type 2
FISAAA
HIPPA
ISO7799
COSO


but I am unsure on these.. It appears like these could take months
to prepare internally and then we submit the information to an
organization for review. Is this normal?


thanks!


------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective
security across distributed 
enterprise networks. StealthWatch, the veteran
Network Behavior Analysis (NBA) 
and Response solution, leverages Cisco NetFlow to
provide scalable, 
internal network security. 
Download FREE Whitepaper "Role of Network Behavior
Analysis (NBA) and Response 
Systems in the Enterprise."

http://www.lancope.com/resource/

------------------------------------------------------------------------------






