Home page logo

pen-test logo Penetration Testing mailing list archives

From: Mark Williams <mdwilliams_44 () YAHOO COM>
Date: Thu, 7 Sep 2000 13:23:01 -0700

end questions are these.

How can companies decide which auditors really do a
decent job
and are worth
their value ?

As an Auditor of some years experience, I would like
to add my 2 cents worth. The biggest and best
recommendation is from other auditees. If an auditor
won't share his customer list or at least a selection
of references get out quick!

Are there any certifications or Industry groups out
there or on
the horizon
that will evaluate and endorse auditors ?

ISACA, the Information Systems Audit and Control
Association, of which I am a member, sponsors the CISA
designation (which I hold).  Like all designations,
they can only tell you so much. However the CISA shows
that the auditor has at least 5 years of consistent
audit and/or security practice experience. It also
shows that they understand the concepts and procedures
involved in auditing and controlling Information
Systems. Unfortunately it is no guarantee of quality.

As one wise auditor once told me "there are those who
have 20 years of experience, and those who have one
year of experience twenty times".

What is the best approach from a Network Admin
position to counter end
results delivered by auditors if they seem to be in
error ?

First be in on the original discussions as to scope
and expected results. Then make sure you are talking
to the auditors and get their results before they show
management. I for one always double check my findings
with the admin crowd to avoid getting egg on my face
as these auditors obviously have. (I should also
mention that I have some years experience as both a
System Admin and as a Director of Data Security so my
experience may not be average).

Has anyone else been through this, and is destined
to get worse before
getting better ?

Getting worse? Probably. I hesitate to say it, but
many large firms are realizing there is gold in IS
Audit. With very few CISAs out there to troll, they
are taking immature, often inexperienced auditors, and
forcing them into the IS mold. But then the big 5 have
always used their clients as a training ground for new

I think your only defense is to ensure that you know
the quals and background of the Lead Auditor or Audit
Manager assigned to your audit, and question his
credentials before things begin. Make sure that he at
least is CISA, and preferably all those working under
him also (good luck).

Thanks for any thoughts or comments,

I am not sure this helped, but it is an opinion from
someone with some years of experience. I now work as a
consultant, so I can look back without the blinders on
I think.

Mark Williams, CISA
secur-IT.com Inc

markw () secur-it-now com

Do You Yahoo!?
Yahoo! Mail - Free email you can access from anywhere!

  By Date           By Thread  

Current thread:
  • [PEN-TEST] Mark Williams (Sep 08)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]