RE: Industry Definitions... possible? was Re: Security Audit

From: zamler (zamlerat_private)
Date: Mon Sep 17 2001 - 20:03:59 PDT


    I think that one major point of fact is missing in your definition of an
    assessment and an audit.  An audit is more concrete.  It is an attestation
    of controls.  An audit means a third party has assessed the controls and
    states an opinion on the environment and controls.  IT audits can range from
    self-selected controls review like a SAS70 or Section 5900 or a Systrust or
    Webtrust which is predetermined...
    my 2 cents anywho.
    
    
    -----Original Message-----
    From: Steve Goldsby [mailto:sgoldsby@integrate-u.com]
    Sent: Monday, September 17, 2001 7:06 AM
    To: pen-testat_private
    Subject: RE: Industry Definitions... possible? was Re: Security Audit
    
    
    I simplify to my clients like this:
    
    - A security assessment is a measurement of your organization against best
    practices
    - A security AUDIT is a measurement and validation of your posture against
    your own implemented practices.
    
    Best,
    
    Steve
    
    -----Original Message-----
    From: MCOHENat_private [mailto:MCOHENat_private]
    Sent: Friday, September 14, 2001 2:48 PM
    To: pen-testat_private
    Subject: RE: Industry Definitions... possible? was Re: Security Audit
    
    
    All,
    
    As someone that works as an internal IT Auditor, I need
    to make a quick point.
    
    The term security audit is extremely misused.  This all
    started when the Big 5 firms began to perform security
    assessments.  Next thing you knew, all the boutique firms
    were selling "security audits".
    
    Audits, at least in the US, should be governed by the
    rules of the AICPA, IIA, ISACA and the standards of
    COSO and COBIT.  Otherwise what is being performed
    is an assessment.
    
    Audits focus on risks and controls.  Security is
    one of many components that are reviewed.  Audits
    use tests to determine if a control is functioning
    properly.
    
    Much the way Architects and Engineers are trying to
    preserve the professional requirements of these titles
    from the computer industry, I'm trying to do the same
    for Auditors.
    
    Regards,
    Michael
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Tue Sep 18 2001 - 09:49:50 PDT