Brian et al,
At this point, if some of the Big N-1 organizations and some other
organizations are interested, I am more than willing to come in for a day
or two for a nominal fee (travel and expenses paid up front by whatever
firm) to come in and talk for a day, since for some reason establishing a
forum or a conference and/or agreeing on whether certifications are really
necessary is getting tiresome, so therefore I am willing to start helping
firms and try to fix the CHAOS that has developed within the security
For those who are interesting, please contact me offline via email
At 12:25 PM 2/18/98 -0500, BRIAN .
>E&Y has a training program that is based on a mentor program. When a new
>firm they are assigned a mentor/counselor. The mentor is a higher level
>with knowledge of firm
>practices and procedures. In this forum they are trained on security audit
>(managers and higher), etc... Once the person is in the firm for 3 months
>get to choose a new mentor
>that has the knowledge in the direction they would like to pursue.
>new hires are also sent to
>training to learn how to use our audit tools, knowledge web, audit
>knowledge transfer, technology,
>etc... It is true that we have many people here that come to us from other
>firms with different ideas, but that doesn't
>change our practice methodologies. Many ideas are stressed in our firm,
>especially knowledge transfer to
>our clients. Like it was said before, what did we get for our money? Your
>educated by us.
>This is only my observation so far... Because I have been with E&Y ISAAS less
>than a year.
net on 02/18/98 06:08:12 AM
>To: Brian E. Serra/Chicago/AUDIT/EYLLP/US @
>cc: firewalls @
>Subject: Re: Certifying Security Auditors
>I would like to have an answer on this one. If you like to discuss the
>training program that E&Y offers their people in the terms of how to
>conduct a security audit, write a proposal, etc. My observations over the
>last several months is that several people from another big six firm have
>just recently joined E&Y Security practice, therefore in my belief brought
>with them their experience and business methodology, which is then migrated
>into E&Y's practice thus really not allowing customers to see the
>difference between one big six firm and E&Y..
>If you like to explain the difference and the quality of work E&Y offers
>over other big six firms, I more than welcome that.
>At 01:02 PM 2/17/98 -0800, Bennett Todd wrote:
>>1998-02-17-20:42:14 Brian Serra:
>>> Let me set the record straight on this topic by saying:
>>> Not all big 6 firms are untrained in the security field!
>>I hope I haven't given the impression that I think they aren't.
>>After one bad experience --- with another firm --- we demanded quality,
>>and we got good offerings from two of the biggies. E&Y won our final
>>eval, and we got the best audit we've ever had from them.
>>I don't know if we'll be able to keep going back to them; I think the
>>internal audit group might want us to use different firms in rotation.
>>But last time we went 'round this eval process we liked E&Y the best,
>>and we went away happy with the results.
>>If other people could recommend companies who've given them good audits
>>that'd be a big help for me, as we're going to have to start shopping