Penetration Testing mailing list archives
Re: [PEN-TEST] Evaluating Auditors Abilities
From: "Meritt, Jim" <Jim.Meritt () WANG COM>
Date: Fri, 8 Sep 2000 09:59:12 -0400
CISSP isn't auditing. So why judge it for one?

On the other hand, CISA (Certified Information Systems Auditor) is. Judge it as auditing (and not IS security).

V/R

Jim
_______________________
The opinions expressed above are my own. The facts simply are and belong to none.

James W. Meritt, CISSP, CISA
Senior Information Systems Security and Audit Analyst, Information Assurance Center of Excellence
Wang Government Services, Inc.

-----Original Message-----
From: Benjamin P. Grubin [mailto:bgrubin () GUARDENT COM]
Sent: Thursday, September 07, 2000 4:28 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities

While certifications can be extremely important to showing mastery of conceptual material, which is essential for high-level tasks, they do very little to assess the true practical capabilities of the practitioner. In security, the CISSP is indeed a good set of guidelines for assessing familiarity with a broad range of security concepts, but in terms of determining the skill level of assessment or attack and intrusion personnel, these certifications do very little to judge skill level.

The best ways to select potential auditing, assessment or attack & penetration people are to:

a) obtain and check references
b) generate a technical interview guide that covers the specific technologies that your company uses, and have a technical employee conduct the interviews
c) reputation

Cheers,
Ben

--------------------------------------------------
Benjamin P. Grubin
bgrubin () guardent com
Guardent, Inc.
http://www.guardent.com

"The world isn't run by weapons anymore, or energy, or money. It's run by little ones and zeros, little bits of data.. it's all just electrons."

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Tansey, Don
Sent: Thursday, September 07, 2000 2:18 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Evaluating Auditors Abilities

Derrick:

This is just my $.02, the opinions are mine and mine alone.

The major certification out there is a CISSP, from (ISC)²; you can check them out at http://www.isc2.org. They have what I consider to be an excellent set of standards. That said, I don't think certification itself in _any_ discipline is a _guarantee_ of competence; but an indication of competence. (And yes, I do hold some certifications myself - and think IT Certification has tremendous value.)

I would approach hiring a security consultant the same way I would approach any other outsourcing. Solicit proposals, select likely candidates, have them in to present what they're going to do and how they're going to do it, and then ask for and check _references_. In the end, there are no guarantees, but a process like this will winnow out much of the chaff.

Also, in the unlikely event anyone ever made me management, I sure as heck would trust my employees over a third party consultant. If I couldn't count on the people that work for me, they wouldn't work for me for very long.

Cheers,
Don