Comments on: 10 Things Your Auditor Isn’t Telling You http://daveshackleford.com/?p=211 Musings on Security & Other Stuff Wed, 08 Sep 2010 10:33:27 -0700 http://wordpress.org/?v=2.9.2 hourly 1 By: Penetration Tester http://daveshackleford.com/?p=211&cpage=1#comment-251 Penetration Tester Thu, 10 Sep 2009 10:36:34 +0000 http://daveshackleford.com/?p=211#comment-251 To a skilled practitioner checklists are gold to make sure things aren't missed. It also gives your interviews more structure. In the hands of an untrained consultant, they are poison. I loved making the transition from auditor to security consultant. You gain a lot more respect as a trusted advisor, not someone just looking to nit pick and point the finger. To a skilled practitioner checklists are gold to make sure things aren’t missed. It also gives your interviews more structure. In the hands of an untrained consultant, they are poison. I loved making the transition from auditor to security consultant. You gain a lot more respect as a trusted advisor, not someone just looking to nit pick and point the finger.

]]> By: Jos http://daveshackleford.com/?p=211&cpage=1#comment-176 Jos Mon, 13 Jul 2009 14:54:50 +0000 http://daveshackleford.com/?p=211#comment-176 Great article, and it highlights a lot of the issues extant today with the audit industry, particularly as traditional finance-style audit companies attempt to take on PCI and SOX auditing, where you can't just have a little IT knowledge and follow a checklist, you really need to understand the technology. #5, for example, is really bad when coupled with #2, which allows companies that are good at snow-jobbing their auditors to get away with stuff. This, in turn, creates problems for companies that really do have legitimate compensating controls in place (sometimes this *is* OK, after all). RE:hating your auditors, one of the things I like to remind customers is that they shouldn't hate me, if I'm doing my job right. If my report is good, then the customer looks good. If the report is bad, it's a chance for the customer to use the report to justify the fixes to their environment that they've had trouble justifying to management on their own. The only time they might really hate me is when they're actually not doing what they're supposed to, and that's really no one's fault but their own, isn't it? Great article, and it highlights a lot of the issues extant today with the audit industry, particularly as traditional finance-style audit companies attempt to take on PCI and SOX auditing, where you can’t just have a little IT knowledge and follow a checklist, you really need to understand the technology. #5, for example, is really bad when coupled with #2, which allows companies that are good at snow-jobbing their auditors to get away with stuff. This, in turn, creates problems for companies that really do have legitimate compensating controls in place (sometimes this *is* OK, after all).

RE:hating your auditors, one of the things I like to remind customers is that they shouldn’t hate me, if I’m doing my job right. If my report is good, then the customer looks good. If the report is bad, it’s a chance for the customer to use the report to justify the fixes to their environment that they’ve had trouble justifying to management on their own. The only time they might really hate me is when they’re actually not doing what they’re supposed to, and that’s really no one’s fault but their own, isn’t it?

]]> By: John Abraham http://daveshackleford.com/?p=211&cpage=1#comment-174 John Abraham Sat, 11 Jul 2009 04:03:30 +0000 http://daveshackleford.com/?p=211#comment-174 As a security audit company we understand the sad truth is that Dave is right on. Now we have a new data point for the list: we were recently notified that we were being "reviewed" by a security company review site that is really just a front for a company that sells IT audits. So not only do you need to really do some due-diligence to select a good audit firm, now you even have to question your sources when you are doing your research. Here is what we found. http://www.redspin.com/blog/2009/07/10/taking-the-ethical-out-of-hacker/ As a security audit company we understand the sad truth is that Dave is right on. Now we have a new data point for the list: we were recently notified that we were being “reviewed” by a security company review site that is really just a front for a company that sells IT audits. So not only do you need to really do some due-diligence to select a good audit firm, now you even have to question your sources when you are doing your research. Here is what we found.

http://www.redspin.com/blog/2009/07/10/taking-the-ethical-out-of-hacker/

]]> By: An Information Security Place » Blog Archive » An Information Security Place Podcast – Episode 21 http://daveshackleford.com/?p=211&cpage=1#comment-173 An Information Security Place » Blog Archive » An Information Security Place Podcast – Episode 21 Thu, 09 Jul 2009 11:50:41 +0000 http://daveshackleford.com/?p=211#comment-173 [...] 10 Things Your Auditor Isn’t Telling Your – Link Here [...] [...] 10 Things Your Auditor Isn’t Telling Your – Link Here [...]

]]> By: An Information Security Place Podcast » Blog Archive » An Information Security Place Podcast – Episode 21 http://daveshackleford.com/?p=211&cpage=1#comment-172 An Information Security Place Podcast » Blog Archive » An Information Security Place Podcast – Episode 21 Thu, 09 Jul 2009 11:49:29 +0000 http://daveshackleford.com/?p=211#comment-172 [...] 10 Things Your Auditor Isn’t Telling Your – Link Here [...] [...] 10 Things Your Auditor Isn’t Telling Your – Link Here [...]

]]> By: Jim’s Bloggyness » Post Topic » An Information Security Place Podcast – Episode #21 http://daveshackleford.com/?p=211&cpage=1#comment-170 Jim’s Bloggyness » Post Topic » An Information Security Place Podcast – Episode #21 Thu, 09 Jul 2009 04:51:36 +0000 http://daveshackleford.com/?p=211#comment-170 [...] 10 Things Your Auditor Isn’t Telling Your – Link Here [...] [...] 10 Things Your Auditor Isn’t Telling Your – Link Here [...]

]]> By: Jestine http://daveshackleford.com/?p=211&cpage=1#comment-169 Jestine Wed, 08 Jul 2009 17:32:07 +0000 http://daveshackleford.com/?p=211#comment-169 <a href="#comment-154" rel="nofollow">@admin </a> Why doesn't anybody like us auditors??? Other than that, I agree with Garry on the need for checklists and the like. It's just that you mentioned that the subjective nature is a problem. The biggest thing about audit is called "professional judgment". At the end of the day, accounting and auditing standards and all the checklists in the world cannot be compehensive and exhaustive. They have to be weighed in with a whole lot of judgment, more than most people think. I know I just glorified my number crunching job but really, it is what it is. @admin

Why doesn’t anybody like us auditors???

Other than that, I agree with Garry on the need for checklists and the like. It’s just that you mentioned that the subjective nature is a problem. The biggest thing about audit is called “professional judgment”. At the end of the day, accounting and auditing standards and all the checklists in the world cannot be compehensive and exhaustive. They have to be weighed in with a whole lot of judgment, more than most people think.

I know I just glorified my number crunching job but really, it is what it is.

]]> By: 10 Things Your Auditor Isn’t Telling You « The Technology Side of GRC http://daveshackleford.com/?p=211&cpage=1#comment-168 10 Things Your Auditor Isn’t Telling You « The Technology Side of GRC Tue, 07 Jul 2009 01:13:44 +0000 http://daveshackleford.com/?p=211#comment-168 [...] 10 Things Your Auditor Isn’t Telling You [...] [...] 10 Things Your Auditor Isn’t Telling You [...]

]]> By: Network Security Blog » The Network Security Podcast, Episode 156 http://daveshackleford.com/?p=211&cpage=1#comment-163 Network Security Blog » The Network Security Podcast, Episode 156 Wed, 01 Jul 2009 00:19:43 +0000 http://daveshackleford.com/?p=211#comment-163 [...] Dave Shackleford on 10 things your auditor doesn’t want you to know. [...] [...] Dave Shackleford on 10 things your auditor doesn’t want you to know. [...]

]]> By: Network Security Podcast » Blog Archive » The Network Security Podcast, Episode 156 http://daveshackleford.com/?p=211&cpage=1#comment-161 Network Security Podcast » Blog Archive » The Network Security Podcast, Episode 156 Tue, 30 Jun 2009 23:01:49 +0000 http://daveshackleford.com/?p=211#comment-161 [...] Dave Shackleford on 10 things your auditor doesn’t want you to know. [...] [...] Dave Shackleford on 10 things your auditor doesn’t want you to know. [...]

]]>