RE: Fwd: Why suing auditors won't solve the data breach epidemic



I don't see how you can reward the essential compliance failure of the
audited company.

Nick

-> -----Original Message-----
-> From: listbounce@xxxxxxxxxxxxxxxxx
-> [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of Barry Fawthrop
-> Sent: Monday, June 22, 2009 10:15 AM
-> To: pen-test@xxxxxxxxxxxxxxxxx
-> Cc: Security Focus
-> Subject: Re: Fwd: Why suing auditors won't solve the data breach epidemic
->
-> To All,
->
-> I would agree that suing them is *not* the answer, that is only going
-> to force auditor/audit companies to raise rates and thus make auditing
-> more expensive and thus the first thing dropped by companies in a tight
-> economy.
->
-> I would put forward the suggestion that the Auditors are paid a bonus
-> based on the number of *VALID* findings that they put in their report.
->
-> As auditors we need to start reporting the below average incidents as
-> average, and list more valid findings.
-> But I must stress *VALID* findings, not just insignificant or trivial.
->
-> Too often we overlook items and decide not to report them when they
-> should have.
->
-> my 2c
->
-> Barry Fawthrop BSc CISSP, CISA, GCIH
->
->
-> Jeffrey Walton wrote:
-> > From the folks at Attrition and the DataLossDB.
-> >
-> > ---------- Forwarded message ----------
-> > From: security curmudgeon <jericho@xxxxxxxxxxxxx>
-> > Date: Jun 4, 2009 2:23 PM
-> > Subject: Why suing auditors won't solve the data breach epidemic
-> > To: dataloss-discuss@xxxxxxxxxxxxxx, dataloss@xxxxxxxxxxxxxx
-> >
-> > http://www.betanews.com/article/Why-suing-auditors-wont-solve-the-data-breach-epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_content=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws
-> > or http://preview.tinyurl.com/pahfub
-> >
-> > Why suing auditors won't solve the data breach epidemic
-> > Something's got to be done, but this isn't necessarily it.
-> > By Angela Gunn | Published June 4, 2009, 10:26 AM
-> >
-> > The life of a security auditor has its high points, of course --
-> > travel, getting paid to break stuff, and more travel -- but there's a
-> > lot about that job that doesn't recommend it. You're going into
-> > someone else's place of business and trying to figure out what they're
-> > doing wrong, so you can write a big report that goes to their bosses?
-> > I don't care how personable you are, this isn't on the Dale Carnegie
-> > list of How To Win Friends.
-> >
-> > Nor, in a disturbing number of situations, is it on the list of ways
-> > to Influence People. Take a pack of security auditors out for a beer
-> > sometime. (You will not have to ask twice, and if you get two beers in
-> > them they'll tell you about that mid-sized city whose network is
-> > end-to-end pwned right now and that international airport that has an
-> > ongoing problem with stolen IDs -- no names, of course, but plenty of
-> > other detail. After that, you'll want another beer just for yourself.)
-> > When they're done scaring you, they'll start trading tales of clients
-> > who simply refused to accept a bad audit.
-> >
-> > No one likes to be told that his IT operation has weaknesses, let
-> > alone critical-stop problems. Some companies will retain a security
-> > firm and, when bad results start coming back, terminate the contract
-> > and send everyone home. Some companies will hire a crew and, when they
-> > get there, manage to be so disorganized and cranky that the auditors
-> > spend half their time attempting to simply get started. And some,
-> > presented with a report saying that their company isn't
-> > security-compliant, will simply ask that the report be changed.
-> >
-> > [..]
-> > _______________________________________________
-> > Dataloss Mailing List (dataloss@xxxxxxxxxxxxxx)
-> >
-> > Get business, compliance, IT and security staff on the same page with
-> > CREDANT Technologies: The Shortcut Guide to Understanding Data
-> > Protection from Four Critical Perspectives. The eBook begins with
-> > considerations important to executives and business leaders.
-> > http://www.credant.com/campaigns/ebook-chpt-one-web.php
-> >
-> >
-> > ------------------------------------------------------------------------
-> > This list is sponsored by: InfoSec Institute
-> >
-> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
-> > Instructor-Led and Online formats is the most concentrated exam prep
-> > available. Comprehensive course materials and an expert instructor
-> > means you pass the exam. Gain a laser like insight into what is
-> > covered on the exam, with zero fluff!
-> >
-> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
-> > ------------------------------------------------------------------------
-> >



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


