Penetration Testing: RE: Industry Definitions... possible? was Re: Security Audit

RE: Industry Definitions... possible? was Re: Security Audit

From: Steve Goldsby <sgoldsby_at_integrate-u.com>
Date: Mon, 17 Sep 2001 06:06:10 -0500

I simplify to my clients like this:

- A security assessment is a measurement of your organization against best
practices.
- A security AUDIT is a measurement and validation of your posture against
your own implemented practices.

Best,

Steve

-----Original Message-----
From: MCOHEN_at_calfed.com [mailto:MCOHEN_at_calfed.com]
Sent: Friday, September 14, 2001 2:48 PM
To: pen-test_at_securityfocus.com
Subject: RE: Industry Definitions... possible? was Re: Security Audit

All,

As someone that works as an internal IT Auditor, I need
to make a quick point.

The term security audit is extremely misused. This all
started when the Big 5 firms began to perform security
assessments. Next thing you knew, all the boutique firms
were selling "security audits".

Audits, at least in the US, should be governed by the
rules of the AICPA, IIA, ISACA and the standards of
COSO and COBIT. Otherwise what is being performed
is an assessment.

Audits focus on risks and controls. Security is
one of many components that are reviewed. Audits
use tests to determine if a control is functioning
properly.

Much the way Architects and Engineers are trying to
preserve the professional requirements of these titles
from the computer industry, I'm trying to do the same
for Auditors.

Regards,
Michael

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

Received on Sep 17 2001
