
By Tim Ferguson
Published: Friday 21 September 2007
Name: David L. Dann
Location: New Zealand
Occupation: IT audit controller
Comment:
I see this as a training and an insufficient-resource problem. IT auditors are frequently called on to audit applications and systems with which they have little familiarity. This has probably been the case since the days when it was called EDP auditing. Management does not feel remiss in not providing in-depth training on these systems for its staff. Still, those applications are professionally audited. But looking at a system to see that it has edit validation checks for user inputs is not quite the same as auditing perimeter defence such as firewalls and IDS, where new vulnerabilities and threats are constantly emerging. Management also depends too much on auditors with general knowledge where subject-matter experts are in order. Finally, audit staffs are hard pressed to keep up with the demands of government regulatory mandates such as SOX and industry self-enforcement standards like PCI. Compliance with these does not equate to an enterprise having a better IT security posture.
Copyright © 2008 CBS Interactive Limited. All rights reserved.