>> My question is who certifies them to ensure that the
>> following: 1. Actually under what they are auditing? 2. Can
>> results of an ISS/Ballista Scan and not just present the report 3.
>> attended training at one of the various vendors to understand how
>> the tool.
[Please note, I used to work for a big six public accounting firm in
the Information Security and Audit Division.]
"Training" in these firms occur through experience. Heavy reliance is
put on the tools given to the staff performing the audits. In
interests of high profitability, the lowest paid staff are generally
given this type of work. (Bill $1,000/hour but use a $25/hour staff.)
By posing the question of "what experience and training" the auditor
has recieved, you are doing what everyone of my clients should have
done. In places that they can get away with it, they will assign the
lowest common denominator to perform the job. (After all, the auditor
"knows" more than you do. So how are you supposed to figure out that
the auditor doesn't know anything?)
When you engage a big six firm, you are paying big money for the work.
You simply must ask these questions and demand a quality audit with
quality professionals. As a CPA, we are required in our professional
guidelines to understand the topic we are auditing or at least have
proper supervision by someone who understands it. If that is not
occurring, it is a direct violation of the CPA's code of business and
it should be reported.
In interests of the profession, this type of behavior should be
stopped and reported. A significant majority of CPAs are doing their
job appropriately and are adding value, however, it is the bad seeds
in pursuit of the $$ that give other CPAs a black eye.
>> This situation concerned me since the customer was given the
>> that the people conducting the work were actually bonafide
>> Security Auditors. Is this the common trend currently??
A "CISA" (Certified Information Systems Auditor) is a certification
that shows that the CISA is proficient in security concepts in
relation to information systems. It does not certify that CISAs have
the deep technical experience or knowledge of a specific platform.
The key thing to ask when engaging a big six firm for security review:
1) Who *actually* will be performing the work? Can I have a copy of
the resume detailing experience related to my technical platforms?
2) If a non-experienced staff will be performing the leg work, what
are the credentials and experience of the reviewer of the work. How
much time will I have of this individual to advise on security
weaknesses pointed out.
3) Lastly, what are you giving me that an automated scan cannot?
I hope this helps.
Googlyoogly, CPA, CISA, MCP
DO YOU YAHOO!?
Get your free @yahoo.com address at http://mail.yahoo.com