[Owasp-leaders] Question on ISACA

[James.McGovern at thehartford.com (McGovern, James F. (eBusiness))]

My thought was a little different than thinking of this as an
educational activity. My thinking says this is more about how groups
such as OWASP should "JOINTLY" publish with groups such as ISACA. On the
radar of most enterprisey types are emerging legislation such as Mass
Privacy will have audit-specific criteria within the legislation. In the
same sense that OWASP had a win by having PCI mention us, we could
accomplish something similar by working with the audit community. 

-----Original Message-----
From: owasp-leaders-bounces at lists.owasp.org
[mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of kuai
hinojosa
Sent: Wednesday, November 04, 2009 11:18 AM
To: owasp-leaders at lists.owasp.org
Cc: sc-l at securecoding.org
Subject: Re: [Owasp-leaders] Question on ISACA


On Nov 4, 2009, at 11:11 AM, Dan Cornell wrote:

> I've worked with a number of IT auditors in the past and that is a 
> fair characterization, based on my experiences.  Most of the folks in 
> that job function I have worked with are, at best, infrastructure 
> security folks who have moved to IT audit, but many are CPAs by 
> background or have other non-IT experience bases.
>
> The majority of the time I have worked with IT auditors it has been 
> helping them to translate their audit requirement into reasonable 
> technical measures that can be taken that meet those requirements and 
> then helping them to interpret the results of Threat Models, code and 
> application scans, etc so they can determine if they feel comfortable 
> that their audit requirements have been met.
>
> As for what OWASP can do I think the manager-focused documentation for

> the OWASP Top 10, etc is helpful in translating fairly technical 
> information to the level of business risk.  There was work done a 
> while back on ISO 17799 mappings and resurrecting that and providing 
> further application-level guidance for these compliance/audit regimes 
> might be helpful.

I believe this is one of the initiatives of the Global Education
Committee, we are planning on structuring and "translating" documents
for different target audience, managers being one.

> Have other folks on the list fielded questions from IT auditors who 
> were looking for further direction?
>
> Thanks,
>
> Dan
> ________________________________________
> From: owasp-leaders-bounces at lists.owasp.org 
> [owasp-leaders-bounces at lists.owasp.org
> ] On Behalf Of McGovern, James F. (eBusiness) 
> [James.McGovern at thehartford.com ]
> Sent: Wednesday, November 04, 2009 9:38 AM
> To: owasp-leaders at lists.owasp.org; sc-l at securecoding.org
> Subject: [Owasp-leaders] Question on ISACA
>
> John Morency of Gartner just finished giving a presentation to our IT 
> executives and one of the observations is that IT auditors have zero 
> clue as to how to audit a secure coding practice. IT audit right now 
> is limited to simply looking at "control" documents and viewing things

> through the lens of "infrastructure". Is there something we as a 
> community should be doing to make auditors smarter?
>
> ************************************************************
> This communication, including attachments, is for the exclusive use of

> addressee and may contain proprietary, confidential and/or privileged 
> information.  If you are not the intended recipient, any use, copying,

> disclosure, dissemination or distribution is strictly prohibited.  If 
> you are not the intended recipient, please notify the sender 
> immediately by return e-mail, delete this communication and destroy 
> all copies.
> ************************************************************
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
************************************************************
This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, 
confidential and/or privileged information.  If you are not the intended recipient, any use, copying, disclosure, 
dissemination or distribution is strictly prohibited.  If you are not the intended recipient, please notify the sender 
immediately by return e-mail, delete this communication and destroy all copies.
************************************************************