CRIME Good article on hiring auditors

From: Andrew Plato (aplato@private)
Date: Tue Mar 25 2003 - 11:00:43 PST

    Great article on how to hire an auditor.
    
    http://www.infosecuritymag.com/2003/mar/watchingwatchers.shtml
    
    Excerpt:
    
    ------
    
    Hiring an Auditor
    You may be tempted to rely on an audit by internal staff. Don't be. Keeping up with patches, making sure OSes and applications are securely configured, and monitoring your defense systems is already more than a full-time job. And no matter how diligent you are, outsiders may well spot problems you've missed.
    
    Technical audits identify risks to the technology platform by reviewing not only the policies and procedures, but also network and system configurations. This is a job for computer security professionals. Consider these points in the hiring process:
    
    Look at the auditing team's real credentials. Don't be influenced by an alphabet soup of certification letters. Certifications don't guarantee technical competence. Make sure the auditor has actual work experience in the security field acquired by years of implementing and supporting technology.
    
    Résumés of the auditors should detail security projects--not just audits--they have worked on, including references. Real-world experience implementing and supporting security technology gives an auditor insight into subtle issues that could reveal serious security exposures. Any published works should be included to demonstrate the auditor's expertise.
    
    And don't be impressed by people who call themselves "ethical hackers." Many so-called ethical hackers are just script-kiddies with a wardrobe upgrade. Do your homework. Network with people you know and trust in the industry. Find out what they know about prospective auditing firms. See if you can track down clients who have used the firms but are not on their reference list.
    
    Find the right fit. Meet with a range of auditing firms. Consider the small firms specializing in security, along with the Big 4 accounting firms to see which best meets your needs. An auditing firm needs to know if this is a full-scale review of all policies, procedures, internal and external systems, networks and applications, or a limited scope review of a specific system.
    
    Smaller firms may choose not to bid on a large-scale project, and larger companies may not want to bother with a review of one system, because they're reluctant to certify a system without looking at the entire infrastructure.
    
    Insist on the details. Some firms may be reluctant to go into great detail about their methods without a contract. They may simply slide a sales brochure across the table and say, "Our record speaks for itself." Don't be hoodwinked by this; while it's nice to know they have a combined 200 years of security expertise, that doesn't tell you a lot about how they plan to proceed with the audit.
    
    If they're serious about bidding for your business, the auditors will put together a statement of work (SOW), which details how they plan to meet your objectives--the methodologies and deliverables for the engagement. The devil is in the details, and a good SOW will tell you a lot about what you should expect. The SOW will be the basis for a project plan.
    
    The SOW should include the auditor's methods for reviewing the network. If they balk, saying the information is proprietary, they may simply be trying to hide poor auditing methods, such as simply running a third-party scanner with no analysis. While auditors may protect the source of any proprietary tools they use, they should be able to discuss the impact a tool will have and how they plan to use it. Most good auditors will freely discuss their methods and accept input from your organization's staff. Basic methodology for reviewing systems includes research, testing and analysis.
    
    Agree on the appropriate payment plan. The bottom line for the bid is how much it will cost and what you're getting for your money. Some auditing firms quote a flat rate in return for a report detailing their findings and recommendations. Others may estimate the number of days an audit will take, with both sides agreeing to a flexible cost, within limits. 
    
    For a complex audit of an entire company, many unanticipated issues could arise requiring extensive time from the auditors, making a flat rate more attractive for the contracting organization. If the organization has good documentation or if the scope is limited, a flexible rate may be more economical.
    
    -------------
    
    ___________________________________
    Andrew Plato, CISSP
    President / Principal Consultant
    Anitian Corporation
    
    Enterprise Security &
    Infrastructure Solutions
     
    503-644-5656 Office
    503-644-8574 Fax
    503-201-0821 Mobile
    www.anitian.com 
    ___________________________________
    



    This archive was generated by hypermail 2b30 : Tue Mar 25 2003 - 11:29:17 PST