Re: researching job of "security auditor"
Date: 12/15/03

Date: 15 Dec 2003 08:23:47 -0800

My company (financial) hired an auditor as a Security Analyst. We
also host regular audits by the Federal Reserve Board and other
entities (at least twice yearly).

(walterbyrd) wrote in message news:<>...
> What qualifications are generally required?

CPA, CISSP, anything else beneficial to the field you intend to
specialize in (HIPAA for example if you work for JCAHO).

> Who hires security auditors?

Anyone who wants to ensure compliance with regulations that might
otherwise cost them more in fines and reputation. Anyone who wants to
be an auditing entity would have a staff of auditors ready for hire.

> Do most work as consultants, or regular employees?

Hard to say. FRB uses permanent staff, and we have an audit
department in our corporate offices. But I've also hosted SAS-70
audits, which are contracted.

> How long does a security audit generally take? Is it usually done by
> one person, or a team?

There should be a team depending on the scope of the audit. We host
no less than two auditors dedicated to security policies, one for
cryptography, two for IT systems. Audits that go well can last less
than a week for a mid-sized company. But I have heard stories of
audits lasting months in poorly run shops.

> Is there much demand for security auditors?

I believe so with the ever-increasing regulation and control over
digital information. As more companies must comply with regulation,
more audits must be performed to ensure compliance. And audits are
repeated one or more times a year to ensure compliance is maintained.
