I simplify to my clients like this:

- A security assessment is a measurement of your organization against best practices.
- A security AUDIT is a measurement and validation of your posture against your own implemented practices.

Best,
Steve

-----Original Message-----
From: MCOHENat_private [mailto:MCOHENat_private]
Sent: Friday, September 14, 2001 2:48 PM
To: pen-testat_private
Subject: RE: Industry Definitions... possible? was Re: Security Audit

All,

As someone who works as an internal IT Auditor, I need to make a quick point.

The term "security audit" is extremely misused. This all started when the Big 5 firms began to perform security assessments. Next thing you knew, all the boutique firms were selling "security audits".

Audits, at least in the US, should be governed by the rules of the AICPA, IIA, ISACA and the standards of COSO and COBIT. Otherwise, what is being performed is an assessment. Audits focus on risks and controls. Security is one of many components that are reviewed. Audits use tests to determine if a control is functioning properly.

Much the way Architects and Engineers are trying to preserve the professional requirements of these titles from the computer industry, I'm trying to do the same for Auditors.

Regards,
Michael

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Sep 17 2001 - 11:14:56 PDT