
Auditing Standards


oleDB (Recruiters)
Posted Fri Nov 17, 2006 10:04 am

Auditing Standards

I've never worked as an auditor; however, I've been a participant in several SOX and PCI audits. One thing that I never understood correctly was all the various frameworks and how they overlapped. I listened to a presentation on audits last night and couldn't get a straight answer from the presenter either, so I decided to start googling. This is what I found:

- COBIT for IT governance and control
- ITIL for service delivery and support
- ISO 17799 for security management


This document lays it out in extensive detail:
http://www.itsmf.com/images/news/ITIL-COBiT.pdf

don (Administrator)
Posted Fri Nov 17, 2006 12:29 pm

Re: Auditing Standards

I'm not an auditor, but here's what I've come to understand:

One thing to keep in mind when it comes to regulations like SOX and HIPAA is that, although they are the law, they are very vague when it comes to details on how exactly to accomplish certain goals. The frameworks are sets of guidelines that are not set in stone or required by law. So what most companies do is pick and choose from each one and make a policy that suits their business. Once they have their own in written form, that becomes the baseline they use for dealing with audits.

Here's an example that will make your head spin. For lack of a good analogy, let's just use a numbering system with 100 being perfect. If Company A sets their goal as 75 but only reaches 65, while Company B sets their goal at 45 and attains 50, who passes an audit?

Since Company A has an overall higher score, one would think Company A did better in their audit. Not so. Company A would fail while Company B would pass with flying colors. It's all based on the goals you set for yourself. It's almost like having to choose a wireless plan with the right amount of minutes.

Go figure.

Then again, this is a maturing field, and I'm sure wrinkles will be worked out eventually. At least it has us all thinking about security, and that's a good thing. So, although clearly not a perfect system, it's better than nothing.

Don

PS - Please correct me if I'm wrong.
CISSP, MCSE, CSTA, Security+ SME

don (Administrator)
Posted Sun Nov 26, 2006 10:21 pm

Re: Auditing Standards

Although not specifically for security, the IT Infrastructure Library (ITIL) is a framework for constructing efficient systems. In its current edition, it contains 9 volumes, down from 44 in the late 80s and early 90s. Here's a really good intro article to ITIL in PDF format from InfoWorld:

ITIL Crash Course

Look for ITIL v3 sometime in mid-2007.

Hope this helps,
Don
CISSP, MCSE, CSTA, Security+ SME
