Thanks for clearing that up. I was confused in that thread why the auditor people weren't thinking. I thought you were talking about a security auditor, not an accounting auditor. Thus my question.

-----Original Message-----
From: steven.ryan@denso.com.au

The first thing to realise is that an Auditor and a Security Auditor are completely different things.

An Auditor is someone who comes in to make sure that the information the company releases to the outside world, whether it be to the stock exchange or the Tax Authorities, is a true and accurate reflection of the company. For most companies, an annual audit is a legal requirement.

Auditors check a whole range of things about the company to confirm the way the company operates. Examples are to randomly check stock levels, or ensure there are no 'phantom' employees. They may also check invoices against stock movements, or that the number of cars on the books matches what's parked out front.

As well as checking what is, they also need to make sure that administrative systems exist to ensure that fraud or deceit in the future are minimised. So they may check that two people need to sign the company's cheques, or that people can't steal the office supplies to open their own stationery store.

As part of the 'preventative' checking, they also need to make sure that only the right people can get to the computer system, and that people can only do on that system what they should do.

A full audit is a big undertaking, taking weeks and many people. Computer system access is a tiny piece of this, so it tends to get the 'standard' treatment to get it out of the road. Things like 'Must have Random Passwords', 'Passwords must expire regularly', etc. But don't forget that these people are mainly accountants, and so we can't really expect more than for them to follow a standard form.

A security auditor is a whole different thing. This is someone specialised in the issues of security. Also, the security auditor has nothing to do with a financial Audit. Unlike a normal audit, there is no mandate to have a security audit. A security auditor can be expected to better understand the issues, and also to educate the users as to appropriate behaviour.

But an audit of security DOES NOT mean you are dealing with a Security Auditor. There should be no expectation that an Auditor will understand security requirements above whatever is written on their standard pro forma of requirements. Nor should there be any expectation that they are interested in your arguments as to why it won't work, or is not the best solution.

If anything, the problems with Arthur Anderson are going to get Auditors to stick even more closely to the 'approved' methodology, so as to limit their future liability should a problem arise. No more 'short cuts' or 'turning a blind eye' on anything, least of all security. It may be impractical or difficult, but the auditors' concerns are not to make your job easy, but to stop fraud or misrepresentation and (nowadays) to protect themselves from lawsuits.

"Wills, Mike N.(TC)"

Okay, since we are on this subject (sorry, should this be on another list?). Since I am only a two-year veteran in this field, I really don't understand how these people can be so, ummm.... technology dumb (or is it common sense). Everyone on here has the tone where these people don't look at the basics, just the complicated stuff. I don't see how anyone who knows the technology could ever forget that. I see passwords as the weakest link in security (which it is). If these auditors are really concerned, why don't they educate the users? They are the ones who are the problems. Are these people really IT people, or do they follow a book of rules (like some support people seem to use)?
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page.