Great Circle Associates Firewalls
(February 1998)


Subject: RE: Certfying Auditors
From: RAKESH GOYAL <sysman @ bom2 . vsnl . net . in>
Date: Mon, 16 Feb 1998 10:32:58 +0530
To: "firewalls-digest @ GreatCircle . COM" <firewalls-digest @ GreatCircle . COM>, "'edpaudit @ i-2000 . com'" <edpaudit @ i-2000 . com>
Cc: "'Patrice Rapalus'" <prapalus @ mfi . com>, "'ISACA-USA'" <certification @ isaca . org>, "'Rakesh Goyal - Sysman, Mumbai, India'" <sysman @ bom2 . vsnl . net . in>, "'mht @ clark . net'" <mht @ clark . net>, "'cbrenton @ sover . net'" <cbrenton @ sover . net>, "'Krause_MS @ exchange . phs . com'" <Krause_MS @ exchange . phs . com>

Dear Jeffrey,
(Jeffrey Loewenstein edpaudit @ i-2000 .

I understand your sentiments and endorse the same. Big 6 has the brand. Brand sells. But, it is not difficult for you too. There is a market for every ware and service. It is up to you, what you offer, how you define the product and package it. You can create your brand. It needs some more marketing efforts.


Regarding certifying Systems Audit / System Security professionals - there are at least 4 organisations, which are doing the certification. These are -

1. International Information System Security Certification Consortium (visit Certifies Certified Information Systems Security Professional (CISSP).
2. Computer Security Institute (visit - promoter of isc2.
3. Information Systems Audit and Control Association (visit certifies Certified Information Systems Auditor (CISA).
4. National Centre for Research in Computer Crimes (visit Certifies Certified Computer Crimes Investigator (CCCI).

There may be more. You need to search and please let me know also.

Rakesh Goyal

From: edpaudit @ i-2000 .
Sent: Monday, February 16, 1998 12:53 AM
To: firewalls-digest @ GreatCircle .
Subject: Certtfying Auditors

I have been an EDP auditor for 17+ years. I make my living keeping up with all 
of the new technologies and performing reviews. I have most of the skill sets 
that you professional data processing and systems folks have. The Big 6 or 4 
depending on how you count them, perform a fraudulent act in performing these 
services and charge a great deal of money. People like myself who understand 
these technologies are paid miserably, never are called until the gates are 
broken and damage assessment is needed (wounded get stabbed, and the innocent 
machine gunned down). Give your Internal EDP Auditors a break. The experienced 
ones do understand. If they want to get involved at the front end of a project 
like putting firewalls in give them a chance. The good ones will perhelp get 
resources that normally are not available if they write the right kind of 

Jeffrey Loewenstein
edpaudit @ i-2000 .

I recently worked with a large big six corporation that conducted a
security audit/penetration review.  I was astounded when I asked a couple
of them how they were trained and they had stated to me that they had
received no training.  My question is who certifies them to ensure that the
following: 1. Actually understand what they are auditing? 2. Can interpret the
results of an ISS/Ballista Scan and not just present the report 3. They
attended training at one of the various vendors to understand how to use
the tool.  

This situation concerned me since the customer was given the perception
that the people conducting the work were actually bona fide "Certified"
Security Auditors.  Is this the common trend currently??
