Penetration Testing mailing list archives

RE: Industry Definitions... possible? was Re: Security Audit


From: "zamler" <zamler () home com>
Date: Mon, 17 Sep 2001 23:03:59 -0400

I think that one major point of fact is missing in your definition of an
assessment and an audit.  An audit is more concrete.  It is an attestation
of controls.  An audit means a third party has assessed the controls and
states an opinion on the environment and controls.  IT audits can range from
a self-selected controls review like a SAS70 or Section 5900 to a Systrust or
Webtrust, which is predetermined...
my 2 cents anywho.


-----Original Message-----
From: Steve Goldsby [mailto:sgoldsby () integrate-u com]
Sent: Monday, September 17, 2001 7:06 AM
To: pen-test () securityfocus com
Subject: RE: Industry Definitions... possible? was Re: Security Audit


I simplify to my clients like this:

- A security assessment is a measurement of your organization against best
practices
- A security AUDIT is a measurement and validation of your posture against
your own implemented practices.

Best,

Steve

-----Original Message-----
From: MCOHEN () calfed com [mailto:MCOHEN () calfed com]
Sent: Friday, September 14, 2001 2:48 PM
To: pen-test () securityfocus com
Subject: RE: Industry Definitions... possible? was Re: Security Audit


All,

As someone that works as an internal IT Auditor, I need
to make a quick point.

The term security audit is extremely misused.  This all
started when the Big 5 firms began to perform security
assessments.  Next thing you knew, all the boutique firms
were selling "security audits".

Audits, at least in the US, should be governed by the
rules of the AICPA, IIA, ISACA and the standards of
COSO and COBIT.  Otherwise what is being performed
is an assessment.

Audits focus on risks and controls.  Security is
one of many components that are reviewed.  Audits
use tests to determine if a control is functioning
properly.

Much the way Architects and Engineers are trying to
preserve the professional requirements of these titles
from the computer industry, I'm trying to do the same
for Auditors.

Regards,
Michael


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
