Great Circle Associates Firewalls
(February 1998)
 


Subject: RE: Certfying Auditors
From: Mark Teicher <mht @ clark . net>
Date: Mon, 16 Feb 1998 08:31:02 -0500 (EST)
To: RAKESH GOYAL <sysman @ bom2 . vsnl . net . in>
Cc: "firewalls-digest @ GreatCircle . COM" <firewalls-digest @ GreatCircle . COM>, "'edpaudit @ i-2000 . com'" <edpaudit @ i-2000 . com>, "'Patrice Rapalus'" <prapalus @ mfi . com>, "'ISACA-USA'" <certification @ isaca . org>, "'cbrenton @ sover . net'" <cbrenton @ sover . net>, "'Krause_MS @ exchange . phs . com'" <Krause_MS @ exchange . phs . com>
In-reply-to: <01BD3AC6 . 408474C0 @ PPP46-47 . lvsb . vsnl . net . in>

Rakesh et al,

As in the original post, Big 6 has brand but it seems that is all they
have. I welcome some of the lurkers from the Big 6 firm to speak up and
state that they have a 'bonafide' certification program that indeed trains
their people on how to go about conducting a security audit, perform one
and actually produce results that the customer can use to implement
change.

I agree that the organizations you list below are well known entities that
offer seminars, classes and certification programs.  But as you have
stated the Big 6 has the brand, and brand sells.  But who is to say that
their brand is the best for a particular customer??

/mht

On Mon, 16 Feb 1998, RAKESH GOYAL wrote:

> Dear Jeffrey,
> (Jeffrey Loewenstein edpaudit @ i-2000 . com)
> 
> I understand your sentiments and endorse the same. Big 6 has the brand. Brand sells. But, it is not difficult for you too. There is a market for every ware and services. It is up to you, what you offer, how you define the product and package it. You can create your brand. It needs some more marketing efforts.
> 
> CERTIFICATION : 
> 
> Regarding certifying Systems Audit / System Security professionals - there are at least 4 organisations, which are doing the certification. These are -
> 
> 1. International Information System Security Certification Consortium (visit isc2.org). Certifies Certified Information Systems Security Professional (CISSP).
> 2. Computer Security Institute (visit gocsi.com) - promoter of isc2.
> 3. Information Systems Audit and Control Association (visit isaca.org) certifies Certified Information Systems Auditor (CISA).
> 4. National Centre for Research in Computer Crimes (visit ncrcc.org) Certifies Certified Computer Crimes Investigator (CCCI).
> 
> There may be more. You need to search and please let me know also.
> 
> Rakesh Goyal
> 
> ----------
> From: 	edpaudit @ i-2000 . com
> Sent: 	Monday, February 16, 1998 12:53 AM
> To: 	firewalls-digest @ GreatCircle . COM
> Subject: 	Certtfying Auditors
> 
> I have been an EDP auditor for 17+ years. I make my living keeping up with all 
> of the new technologies and performing reviews. I have most of the skill sets 
> that you professional data processing and systems folks have. The Big 6 or 4 
> depending on how you count them, perform a fraudulent act in performing these 
> services and charge a great deal of money. People like myself who understand 
> these technologies are paid miserably never are called until the gates are 
> broken and damage assessment is needed (wounded get stabbed, and the innocent 
> machine gunned down). Give your Internal EDP Auditors a break. The experienced 
> ones do understand. If they want to get involved at the front end of a project 
> like putting firewalls in give them a chance. The good ones will perhelp get 
> resources that normally are not available if they write the right kind of 
> report.
> 
> Jeffrey Loewenstein
> edpaudit @ i-2000 . com
> ____________________________________________________________________
> I recently worked with a large big six corporation that conducted a
> security audit/penetration review.  I was astounded when I asked a couple
> of them how they were trained and they had stated to me that they had
> received no training.  My question is who certifies them to ensure that the
> following: 1. Actually under what they are auditing? 2. Can interpret the
> results of an ISS/Ballista Scan and not just present the report 3. They
> attended training at one of the various vendors to understand how to use
> the tool.  
> 
> This situation concerned me since the customer was given the perception
> that the people conducting the work were actually bonafide "Certified"
> Security Auditors.  Is this the common trend currently??
> 
> 
> 
> 

##########################################################
'Turn on, Boot Up, Jack in'
#########################################################    


