


Mike

The first thing to realise is that an Auditor and a Security Auditor are
completely different things.

An Auditor is someone who comes in to make sure that the information the
company releases to the outside world, whether it be to the stock exchange
or the Tax Authorities, is a true and accurate reflection of the company.
For most companies, an annual audit is a legal requirement.

Auditors check a whole range of things about the company to confirm the way
the company operates.  Examples are to randomly check stock levels, or
ensure there are no 'phantom' employees.  They may also check invoices
against stock movements, or that the number of cars on the books matches
what's parked out front.

As well as checking what is, they also need to make sure that
administrative systems exist to ensure that fraud or deceit in the future
is minimised.  So they may check that two people need to sign the
company's cheques, or that people can't steal the office supplies to open
their own stationery store.

As part of the 'preventative' checking, they also need to make sure that
only the right people can get to the computer system, and that people can
only do on that system what they should do.

A full audit is a big undertaking, taking weeks and many people.  Computer
system access is a tiny piece of this, so it tends to get the 'standard'
treatment to get it out the road.  Things like 'Must have Random
Passwords', 'Passwords must expire regularly', etc.  But don't forget that
these people are mainly accountants, and so we can't really expect more
than for them to follow a standard form.


A security auditor is a whole different thing.  This is someone specialised
in the issues of security.  Also, the security auditor has nothing to do
with a financial Audit.  Unlike a normal audit, there is no mandate to
have a security audit.  A security auditor can be expected to better
understand the issues, and also to educate the users as to appropriate
behaviour.  But an audit of security DOES NOT mean you are dealing with a
Security Auditor.


There should be no expectation that an Auditor will understand security
requirements above whatever is written on their standard pro forma of
requirements.  Nor should there be any expectation that they are interested
in your arguments as to why it won't work, or is not the best solution.  If
anything, the problems with Arthur Andersen are going to get Auditors to
stick even more closely to the 'approved' methodology, so as to limit their
future liability should a problem arise.  No more 'short cuts' or 'turning
a blind eye' on anything, least of all security.  It may be impractical or
difficult, but the auditors' concerns are not to make your job easy, but to
stop fraud or misrepresentation and (nowadays) to protect themselves from
lawsuits.



From:     "Wills, Mike N. (TC)" <MNWills@taylorcorp.com>
Sent by:  midrange-l-admin@midrange.com
Date:     25/10/02 08:48
To:       "Midrange - Midrange-L (E-mail)" <MIDRANGE-L@midrange.com>
cc:
Subject:  How do you become an security auditor?
Please respond to midrange-l





Okay, since we are on this subject (sorry, should this be on another
list?).
Since I am only a two-year veteran in this field, I really don't understand
how these people can be so, ummm.... technology dumb (or is it common
sense). Everyone on here has the tone where these people don't look at the
basics just the complicated stuff. I don't see how anyone who knows the
technology could ever forget that. I see passwords as the weakest link in
security (which it is). If these auditors are really concerned, why don't
they educate the users? They are the ones who are the problems. Are these
people really IT people or do they follow a book of rules (like some
support people seem to use)?

Mike Wills
IT Corporate Support
Taylor Corporation
mnwills@taylorcorp.com
Phone: (507) 386-3187

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.