Re: researching job of "security auditor"
Date: 12/15/03

Date: 15 Dec 2003 08:23:47 -0800

My company (financial) hired an auditor as a Security Analyst. We
also host regular audits by the Federal Reserve Board and other
entities (at least twice yearly).

(walterbyrd) wrote in message news:<>...
> What qualifications are generally required?

CPA, CISSP, anything else beneficial to the field you intend to
specialize in (HIPAA for example if you work for JCAHO).

> Who hires security auditors?

Anyone who wants to ensure compliance with regulations that might
otherwise cost them more in fines and reputation. Anyone who wants to
be an auditing entity would have a staff of auditors ready for hire.

> Do most work as consultants, or regular employees?

Hard to say. FRB uses permanent staff, and we have an audit
department in our corporate offices. But I've also hosted SAS-70
audits, which are contracted.

> How long does a security audit generally take? Is it usually done by
> one person, or a team?

There should be a team depending on the scope of the audit. We host
no less than two auditors dedicated to security policies, one for
cryptography, two for IT systems. Audits that go well can last less
than a week for a mid-sized company. But I have heard stories of
audits lasting months in poorly run shops.

> Is there much demand for security auditors?

I believe so with the ever-increasing regulation and control over
digital information. As more companies must comply with regulation,
more audits must be performed to ensure compliance. And audits are
repeated one or more times a year to ensure compliance is maintained.