Penetration Testing mailing list archives

RE: Industry Definitions... possible? was Re: Security Audit


From: MCOHEN () calfed com
Date: Fri, 14 Sep 2001 12:47:49 -0700

All,

As someone that works as an internal IT Auditor, I need
to make a quick point.

The term security audit is extremely misused.  This all
started when the Big 5 firms began to perform security
assessments.  Next thing you knew, all the boutique firms
were selling "security audits".

Audits, at least in the US, should be governed by the
rules of the AICPA, IIA, ISACA and the standards of
COSO and COBIT.  Otherwise what is being performed
is an assessment.

Audits focus on risks and controls.  Security is
one of many components that are reviewed.  Audits
use tests to determine if a control is functioning
properly.

Much the way Architects and Engineers are trying to
preserve the professional requirements of these titles
from the computer industry, I'm trying to do the same
for Auditors.

Regards,
Michael
