


Check out www.sans.org for a wealth of info on security & security profession
jim

----- Original Message -----
From: <steven.ryan@denso.com.au>
To: <midrange-l@midrange.com>
Sent: Thursday, October 24, 2002 7:20 PM
Subject: Re: How do you become an security auditor?


>
> Mike
>
> The first thing to realise is that an Auditor and a Security Auditor are
> completely different things.
>
> An Auditor is someone who comes in to make sure that the
> information the company releases to the outside world, whether it be to the
> stock exchange or the Tax Authorities, is a true and accurate reflection of
> the company.  For most companies, an annual audit is a legal requirement.
>
> Auditors check a whole range of things about the company to confirm the way
> the company operates.  Examples are to randomly check stock levels, or
> ensure there are no 'phantom' employees.  They may also check invoices
> against stock movements, or that the number of cars on the books matches
> what's parked out front.
>
> As well as checking what is, they also need to make sure that
> administrative systems exist to ensure that fraud or deceit in the future
> are minimised.  So they may check that two people need to sign the
> company's cheques, or that people can't steal the office supplies to open
> their own stationery store.
>
> As part of the 'preventative' checking, they also need to make sure that
> only the right people can get to the computer system, and that people can
> only do on that system what they should do.
>
> A full audit is a big undertaking, taking weeks and many people.  Computer
> system access is a tiny piece of this, so it tends to get the 'standard'
> treatment to get it out the road.  Things like 'Must have Random
> Passwords', 'Passwords must expire regularly', etc.  But don't forget that
> these people are mainly accountants, and so we can't really expect more
> than for them to follow a standard form.
>
>
> A security auditor is a whole different thing.  This is someone specialised
> in the issues of security.  Also, the security auditor has nothing to do
> with a financial Audit.  Unlike a normal audit, there is no mandation to
> having a security audit.  A security auditor can be expected to better
> understand the issues, and also to educate the users as to appropriate
> behaviour.  But an audit of security DOES NOT mean you are dealing with a
> Security Auditor.
>
>
> There should be no expectation that an Auditor will understand security
> requirements above whatever is written on their standard pro forma of
> requirements.  Nor should there be any expectation that they are interested
> in your arguments as to why it won't work, or is not the best solution.  If
> anything, the problems with Arthur Andersen are going to get Auditors to
> stick even more closely to the 'approved' methodology, so as to limit their
> future liability should a problem arise.  No more 'short cuts' or 'turning
> a blind eye' on anything, least of all security.  It may be impractical or
> difficult, but the auditors' concerns are not to make your job easy, but to
> stop fraud or misrepresentation and (nowadays) to protect themselves from
> law suits.
>
>
>
> From: "Wills, Mike N. (TC)" <MNWills@taylorcorp.com>
> Sent by: midrange-l-admin@midrange.com
> 25/10/02 08:48
> Please respond to midrange-l
> To: "Midrange - Midrange-L (E-mail)" <MIDRANGE-L@midrange.com>
> cc:
> Subject: How do you become an security auditor?
>
> Okay, since we are on this subject (sorry, should this be on another
> list?).
> Since I am only a two-year veteran in this field, I really don't understand
> how these people can be so, ummm.... technology dumb (or is it common
> sense). Everyone on here has the tone where these people don't look at the
> basics, just the complicated stuff. I don't see how anyone who knows the
> technology could ever forget that. I see passwords as the weakest link in
> security (which it is). If these auditors are really concerned, why don't
> they educate the users? They are the ones who are the problems. Are these
> people really IT people or do they follow a book of rules (like some support
> people seem to use)?
>
> Mike Wills
> IT Corporate Support
> Taylor Corporation
> mnwills@taylorcorp.com
> Phone: (507) 386-3187
>
> _______________________________________________
> This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
> To post a message email: MIDRANGE-L@midrange.com
> To subscribe, unsubscribe, or change list options,
> visit: http://lists.midrange.com/cgi-bin/listinfo/midrange-l
> or email: MIDRANGE-L-request@midrange.com
> Before posting, please take a moment to review the archives
> at http://archive.midrange.com/midrange-l.





This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited.