<article>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#article09_06_04_0413211</id>
	<title>Should Auditors Be Liable For Certifications?</title>
	<author>samzenpus</author>
	<datestamp>1244105940000</datestamp>
	<htmltext><a href="http://www.channelinsider.com/" rel="nofollow">dasButcher</a> writes <i>"Enterprises and mid-size businesses rely on auditors and service providers to certify their systems as compliant with such security regs and standards as PCI-DSS or SOX. But, as Larry Walsh speculates, a lawsuit filed by a bank against an auditor/managed service provider could change that. The bank wants to <a href="http://blogs.channelinsider.com/secure_channel/content/data_security/breach_lawsuit_could_reset_security_liabilities_to_service_providers.html">hold the auditor liable</a> for a breach at its credit card processor because the auditor certified the processor as PCI compliant. If the bank wins, it could change the standards and liabilities of auditors and service providers in the delivery of security services."</i></htmltext>
</article>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</id>
	<title>Oh, this sounds like a good idea...</title>
	<author>Anonymous</author>
	<datestamp>1244110020000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>4</modscore>
	<htmltext>TFA makes a very good point: <div><div class="quote"><p>What will be interesting about this lawsuit is how the court assigns responsibility for a breach at a certified business. Audits, by their very nature, are point-in-time or snapshot checks. They cannot account for the dynamic variables of business and IT operations that may weaken security over the long-haul.</p></div><p>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.</p></div>
	</htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28217749</id>
	<title>This just in:</title>
	<author>Anonymous</author>
	<datestamp>1244128740000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Being PCI compliant does not make you invulnerable, it just means that you meet PCI standards.  PCI-compliant organizations get compromised on a regular basis.  The auditor isn't auditing to say "this organization is secure".  They are auditing to say "this organization met the requirements of PCI standards compliance at the time the audit was conducted".  That's a HUGE difference, and the point where liability effectively is shifted back from the auditor to the auditee.</p></htmltext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212099</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>mattwarden</author>
	<datestamp>1244140740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The auditor's customers will always be liable for the cost, no matter the outcome. The only question is whether they pay the compensation directly to those damaged or via higher prices for audits.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28211195</id>
	<title>This was an eye-opener for me</title>
	<author>Punk CPA</author>
	<datestamp>1244136780000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Payment Card Industry Data Security Standards seem kind of weak to me.  Here are just some of the issues:
<ul> <li> <em>Independence</em> PCI DSS auditors are permitted to audit companies where the auditor sold, installed, configured, or has rights to the security software being used.  Also, if the auditor disagrees with the client, the client is free to hire a more pliable auditor with no one the wiser.</li><li> <em>Scope</em> The standards permit the client to limit the scope of the audit to defined systems and their components using defined methods.  If the client doesn't want to pay for penetration tests, the auditor doesn't do them.</li><li> <em>Completeness</em> A typical PCI DSS audit uses the client's system and security documentation as the starting point.  The responsibility for gathering other evidence is limited.  There is no requirement to do any network scanning (like with NMAP) or to go sniffing for undocumented wireless entry points, so there may be elements of the system not documented and not tested.  This sounds like the case discussed here.</li><li> <em>Validation</em> PCI DSS auditors are not responsible for verifying that the client's controls worked as intended.  There is no mandate for penetration testing, war driving, or independent virus scanning.</li></ul><p>
Even if the auditor had done his job (not really clear from the articles), that to me would not demonstrate that the customer data was safe.<br> <br>
Links: <br> <a href="http://www.csoonline.com/article/488431/Critics_Tear_Into_PCI_Security_Rules_at_Hearing" title="csoonline.com" rel="nofollow">Congress is not happy, either.</a> [csoonline.com]
<br> <a href="https://www.pcisecuritystandards.org/pdfs/pci_dss_validation_requirements_for_qualified_security_assessors_QSAs_v1-1.pdf" title="pcisecuritystandards.org" rel="nofollow">PCI DSS Validation Standards</a> [pcisecuritystandards.org]
<br> <a href="https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf" title="pcisecuritystandards.org" rel="nofollow">PCI DSS audit procedures</a> [pcisecuritystandards.org]
<br> <br>So much for my lunch break.</p></htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208197</id>
	<title>This is a positive development</title>
	<author>oldbamboo</author>
	<datestamp>1244124000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Very much in agreement. <br>
I spent some time in IT audit for one of the Big 4, and it's always puzzled me that they can issue a draft audit point which, if challenged, is just taken away. If accepted, lots of monkeys have to run around at great expense clearing it. It seems a bit rich to me that there is no penalty on the auditor for this. Effectively they can just rain paper with little consequence, and at potentially huge cost to the client.<br> <br>
Having said that, these firms are partnerships; there is always a partner very close to the work being undertaken, and it's their ass and their money, and as a consequence the QA at these firms on their deliverables was exceptional in my experience.<br> <br>
But this is an issue, and I think that legal redress is desperately needed.<br> <br>
To illustrate this, I recall one audit I had to do. It was a follow-on from the previous year's IT audit a colleague had done for one of the two biggest banks in the country in question. One of the previous year's recommendations, signed off on by the business, was the need for Network Intrusion Detection to be put in place. This was actioned, and when I got there they had had an expert working day in, day out for months, with a huge budget for some very expensive network taps and headcount for monitoring. I reviewed the point, determined that they hadn't yet implemented the control as of that date, recommending that they proceed and introduce it within the coming year. <br> <br>
At the close-out meeting one of the commercial directors ate us alive. The original point should never have been accepted. The banking industry, at that time, hadn't settled on NIDS as a requirement and host-based should have been fine. Effectively our sloppy report made them piss millions up the wall for little reason.<br> <br>
Audit reports are clear documents, beautifully built, well evidenced. They always have work papers and test papers behind them. They are perfect candidates for further inspection in a court of law, and I have seen, first hand, instances where they have been harmful and inaccurate and should be subject to this scrutiny. If a process or test was missed off, it will show. Every time.<br> <br>
Yes, it's true that senior management at the bank signed off on the previous year's report, but this was in good faith that my firm knew what they were talking about. They didn't, and should have been liable. Why not? Currently they get out of jail if they're right, and they get out of jail if they're wrong.
And don't even get me started on the conflicts of interest I saw!</htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207187</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>asdf7890</author>
	<datestamp>1244114580000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>2</modscore>
	<htmltext><div><div class="quote"><p>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.</p></div><p>IMO it depends on where the fault lies.</p><p>If the fault that allowed the problem is a property of the system that an auditor or penetration tester could be reasonably expected to have picked up on (such as password complexity and cycling rules not being present or not being correctly enforced) then maybe the case is valid.</p><p>If on the other hand the problem is outside the system that was audited (i.e. the breach was due to a user having stored/transmitted a copy of their credentials insecurely, or due to users/admins not being adequately trained, or due (or due in part) to software/configuration/network changes made after the audit was complete) then there is no way the auditor should be held responsible.</p><p>In reality all that will happen whichever way this case goes is that there will be chunks of new boiler-plate exceptions text in future relevant contracts, or the auditors will charge companies more in exchange for underwriting the extra risk. At work we are currently playing piggy-in-the-middle with the agreements for penetration testing a new system we are building for a client, and there is a lot of contracts work that goes on sorting out who is allowed to do what and who (us, the DC and equipment provider, the client and the 3rd party testers) is responsible for what now and going forward - this case will do no more in the long run than to add extra items to those lists (and increase the relevant consultation fees too, of course).</p></div>
	</htmltext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28219379</id>
	<title>As a former auditor</title>
	<author>blippy</author>
	<datestamp>1244235120000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Many years ago I worked as an accountant in the UK. I have never been involved in SOX, but can offer a perspective on audit reports.
<p>
First off, an audit report is for the benefit of the shareholders, not the management. Management prepares the accounts, and the auditor signs them off as representing a true and fair view of the financial position of the company. This gives the shareholders some confidence that the figures aren't just totally made up.
</p><p>
Secondly, it is management's responsibility to manage the company. Not the auditors'. It is up to management to put in place everything that needs to be put in place, and ensure that everything is working correctly. This is what it means to be a manager. The auditor merely counts the beans and ticks the boxes.
</p><p>
Thirdly, auditors do not owe a duty of care to the company. When performing an audit, they should conduct their work neither to expect malfeasance, nor neglect it as a possibility. However, if they have reason to believe that there is malfeasance, then it is their duty to perform a proper investigation.
</p><p>
Fourthly, auditors usually write a report to management explaining where their accounting procedures could be improved. Management often dismisses such recommendations. Imagine, then, the scenario where the auditor has to be accountable for what essentially boils down to the actions of the management.  They'd presumably write book-length reports on what needs to be done. If anything were to then subsequently go wrong, you'd have lawyers poring over these reports with fine-tooth combs. The auditors' lawyers will be asking management "did you implement this recommendation?", "did you implement that recommendation?", "how about this one over here?". "No? Oh sorry, we can't be held responsible when we've clearly laid out the defects, and you refused to correct them."</p></htmltext>
<tokenext>Many years ago I worked as an accountant in the UK .
I have never been involved in SOX , but can offer a perspective on audit reports .
First off , an audit report is for the benefit of the shareholders , not the management .
Management prepares accounts , and auditor signs it off as representing a true and fair view of the financial position of the company .
This gives the shareholders some confidence that the figures are n't just totally made up .
Secondly , it is managements responsibility to manage the company .
Not the auditors .
It is up to management to put in everything in place that needs to be put in place , and ensure that everything is working correctly .
This is what it means to be a manager .
The auditor merely counts the beans and ticks the boxes .
Thirdly , auditors do not owe a duty of care to the company .
When performing an audit , they should conduct their work neither to expect malfeasance , nor neglect it as a possibility .
However , if they have reason to believe that there is malfeasance , then it is their duty to perform a proper investigation .
Fourthly , auditors usually write a report to management explaining where their accounting procedures could be improved .
Management often dismisses such recomendations .
Imagine , then , the scenario where the auditor has to be accountable for what essentially boils down to the actions of the management .
They 'd presumably write book-length reports on what needs to be done .
If anything were to then subsequently go wrong , you 'd have lawyers pouring over these reports with fine-tooth combs .
The auditors lawyers will be asking management " did you implement this recomendation ?
" , " did you implement that recomendation ?
" , " how about this one over here ? " .
" No ? Oh sorry , we ca n't be held responsible when we 've clearly laid out the defects , and you refused to correct them .
"</tokentext>
<sentencetext>Many years ago I worked as an accountant in the UK.
I have never been involved in SOX, but can offer a perspective on audit reports.
First off, an audit report is for the benefit of the shareholders, not the management.
Management prepares accounts, and auditor signs it off as representing a true and fair view of the financial position of the company.
This gives the shareholders some confidence that the figures aren't just totally made up.
Secondly, it is managements responsibility to manage the company.
Not the auditors.
It is up to management to put in everything in place that needs to be put in place, and ensure that everything is working correctly.
This is what it means to be a manager.
The auditor merely counts the beans and ticks the boxes.
Thirdly, auditors do not owe a duty of care to the company.
When performing an audit, they should conduct their work neither to expect malfeasance, nor neglect it as a possibility.
However, if they have reason to believe that there is malfeasance, then it is their duty to perform a proper investigation.
Fourthly, auditors usually write a report to management explaining where their accounting procedures could be improved.
Management often dismisses such recommendations.
Imagine, then, the scenario where the auditor has to be accountable for what essentially boils down to the actions of the management.
They'd presumably write book-length reports on what needs to be done.
If anything were to then subsequently go wrong, you'd have lawyers poring over these reports with fine-tooth combs.
The auditors' lawyers will be asking management "did you implement this recommendation?
", "did you implement that recommendation?
", "how about this one over here?".
"No? Oh sorry, we can't be held responsible when we've clearly laid out the defects, and you refused to correct them.
"</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207401</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Anonymous</author>
	<datestamp>1244117880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p><div class="quote"><p><div class="quote"><p>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.</p></div><p>Contrary to the precedent that no matter how much you fuck up, and no matter how blatantly false your audit report is, you're not responsible for anything, including not finding problems that are there when your whole job justification is that you're there to find these problems?</p><p>Stop worrying about the poor little techie. We're talking commercial enterprises here. The immediate effect will be that auditing companies take out insurances to cover this risk, and the price of audits goes up a little. <b>However</b>, the secondary effect will be that audits do, in fact, improve, because the premiums on your insurance depend on how often you fuck up and the insurance company has to pay for it.</p></div><p>Tertiary effect:  customers, auditors, and the insurance companies you mentioned turn on vendors (*cough* Microsoft *cough*) that produce products with crappy security and hold <b>THEM</b> liable.</p></div>
	</htmltext>
<tokenext>If they win this lawsuit , they 're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security , and can potentially be held liable for stupid user errors by users of that system.Contrary to the precedent that no matter how much you fuck up , and no matter how blatantly false your audit report is , you 're not responsible for anything , including not finding problems that are there when your whole job justification is that you 're there to find these problems ? Stop worrying about the poor little techie .
We 're talking commercial enterprises here .
The immediate effect will be that auditing companies take out insurances to cover this risk , and the price of audits goes up a little .
However , the secondary effect will be that audits do , in fact , improve , because the premiums on your insurance depend on how often you fuck up and the insurance company has to pay for it.Tertiary effect : customers , auditors , and the insurance companies you mentioned turn on vendors ( * cough * Microsoft * cough * ) that produce products with crappy security and hold THEM liable .</tokentext>
<sentencetext>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.Contrary to the precedent that no matter how much you fuck up, and no matter how blatantly false your audit report is, you're not responsible for anything, including not finding problems that are there when your whole job justification is that you're there to find these problems?Stop worrying about the poor little techie.
We're talking commercial enterprises here.
The immediate effect will be that auditing companies take out insurances to cover this risk, and the price of audits goes up a little.
However, the secondary effect will be that audits do, in fact, improve, because the premiums on your insurance depend on how often you fuck up and the insurance company has to pay for it.Tertiary effect:  customers, auditors, and the insurance companies you mentioned turn on vendors (*cough* Microsoft *cough*) that produce products with crappy security and hold THEM liable.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212213</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>mattwarden</author>
	<datestamp>1244141160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>&gt; However, the secondary effect will be that audits do, in fact, improve, because<br>&gt; the premiums on your insurance depend on how often you fuck up and the insurance<br>&gt; company has to pay for it.</p><p>You are essentially suggesting that audit quality does not currently affect an auditor's demand and the market instead would benefit from direct price impacts of insurance premium changes due to audit quality. Do I restate you correctly?</p></htmltext>
<tokenext>&gt; However , the secondary effect will be that audits do , in fact , improve , because &gt; the premiums on your insurance depend on how often you fuck up and the insurance &gt; company has to pay for it.You are essentially suggesting that audit quality does not currently affect an auditor 's demand and the market instead would benefit from direct price impacts of insurance premium changes due to audit quality .
Do I restate you correctly ?</tokentext>
<sentencetext>&gt; However, the secondary effect will be that audits do, in fact, improve, because&gt; the premiums on your insurance depend on how often you fuck up and the insurance&gt; company has to pay for it.You are essentially suggesting that audit quality does not currently affect an auditor's demand and the market instead would benefit from direct price impacts of insurance premium changes due to audit quality.
Do I restate you correctly?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28217899</id>
	<title>Re:Follow-up yo Obama's speech to Muslims - Fuck y</title>
	<author>Anonymous</author>
	<datestamp>1244130720000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>What a relief that Obama is about three times as intelligent as George Bush.  And, about four times as intelligent as the poster child above.  Where Bush promised a crusade, Obama salaam'd Islam.  Winning hearts and souls - the right way.  Now, it's time for the parent poster to bite a big salaami<nobr> <wbr></nobr>...</p></htmltext>
<tokenext>What a relief that Obama is about three times as intelligent as George Bush .
And , about four times as intelligent as the poster child above .
Where Bush promised a crusade , Obama salaam 'd Islam .
Winning hearts and souls - the right way .
Now , it 's time for the parent poster to bite a big salaami .. .</tokentext>
<sentencetext>What a relief that Obama is about three times as intelligent as George Bush.
And, about four times as intelligent as the poster child above.
Where Bush promised a crusade, Obama salaam'd Islam.
Winning hearts and souls - the right way.
Now, it's time for the parent poster to bite a big salaami ...</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207491</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208795</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Fieryphoenix</author>
	<datestamp>1244127000000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Not to mention, since when does "conforms to a particular security standard" equal "impregnable"?</htmltext>
<tokenext>Not to mention , since when does " conforms to a particular security standard " equal " impregnable " ?</tokentext>
<sentencetext>Not to mention, since when does "conforms to a particular security standard" equal "impregnable"?</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207491</id>
	<title>Follow-up yo Obama's speech to Muslims - Fuck you!</title>
	<author>Anonymous</author>
	<datestamp>1244118900000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Stop acting like spoiled little children - like it's the rest of the world who has to respect your religion and not the other way around.  Stop systematically oppressing non-muslims in your midst, and stop threatening apostates with murder.  Stop beating, raping, and gouging out the clitorises of your women.  Stop murdering homosexuals, and stoning people who say things you don't like.  Stop murdering critics.  Stop burning cars when someone draws an ironic cartoon of your silly pedophile war-mongering "prophet."  Stop denying the Holocaust, an event for which living witnesses still exist and which has been exhaustively documented.  Stop your backwards, fucked-up, middle-ages, barbaric bullshit.  Yes, basically I'm telling you to give up Islam, which glorifies all the things I just mentioned.</p></htmltext>
<tokenext>Stop acting like spoiled little children - like it 's the rest of the world who has to respect your religion and not the other way around .
Stop systematically oppressing non-muslims in your midst , and stop threatening apostates with murder .
Stop beating , raping , and gouging out the clitorises of your women .
Stop murdering homosexuals , and stoning people who say things you do n't like .
Stop murdering critics .
Stop burning cars when someone draws an ironic cartoon of your silly pedophile war-mongering " prophet .
" Stop denying the Holocaust , an event for which living witnesses still exist and which has been exhaustively documented .
Stop your backwards , fucked-up , middle-ages , barbaric bullshit .
Yes , basically I 'm telling you to give up Islam , which glorifies all the things I just mentioned .</tokentext>
<sentencetext>Stop acting like spoiled little children - like it's the rest of the world who has to respect your religion and not the other way around.
Stop systematically oppressing non-muslims in your midst, and stop threatening apostates with murder.
Stop beating, raping, and gouging out the clitorises of your women.
Stop murdering homosexuals, and stoning people who say things you don't like.
Stop murdering critics.
Stop burning cars when someone draws an ironic cartoon of your silly pedophile war-mongering "prophet.
"  Stop denying the Holocaust, an event for which living witnesses still exist and which has been exhaustively documented.
Stop your backwards, fucked-up, middle-ages, barbaric bullshit.
Yes, basically I'm telling you to give up Islam, which glorifies all the things I just mentioned.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208081</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>itsdapead</author>
	<datestamp>1244123520000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p><div class="quote"><p>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security</p></div><p>No, to win, they will presumably have to prove that their systems weren't compliant <i>at the time of the audit</i>. All the TFA says is that the later investigation showed non-compliance - it gives no indication as to the nature of this problem.

</p><p>Say I inspect your security, claiming to be an expert, and a few weeks later you have a breach. If, after the inspection, someone re-set a password to something lame and/or left it on a post-it then don't blame me. If, however, it turns out that your wireless router doesn't support encryption - something that's unlikely to have changed since the inspection - then I haven't done a very good job, so why on earth should I not share the liability?

</p><p>It also depends what level of expertise is expected from customer and inspector: in some cases the inspector will just be independently verifying what the customer should already know, in other cases the inspector could reasonably be expected to act as an expert: If I'm designing cellphones then I should have a ruddy good idea of whether my product meets FCC standards; If I run a small business and pay an accountant to check my tax returns then I expect them to know a darn sight more about tax law than me.</p></div>
	</htmltext>
<tokenext>If they win this lawsuit , they 're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing securityNo , to win , they will presumably have to prove that their systems were n't compliant at the time of the audit .
All the TFA says is that the later investigation showed non-compliance - it gives no indication as to the nature of this problem .
Say I inspect your security , claiming to be an expert , and a few weeks later you have a breach .
If , after the inspection , someone re-set a password to something lame and/or left it on a post-it then do n't blame me .
If , however , it turns out that your wireless router does n't support encryption - something that 's unlikely to have changed since the inspection - then I have n't done a very good job , so why on earth should I not share the liability ?
It also depends what level of expertise is expected from customer and inspector : in some cases the inspector will just be independently verifying what the customer should already know , in other cases the inspector could reasonably be expected to act as an expert : If I 'm designing cellphones then I should have a ruddy good idea of whether my product meets FCC standards ; If I run a small business and pay an accountant to check my tax returns then I expect them to know a darn sight more about tax law than me .</tokentext>
<sentencetext>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing securityNo, to win, they will presumably have to prove that their systems weren't compliant at the time of the audit.
All the TFA says is that the later investigation showed non-compliance - it gives no indication as to the nature of this problem.
Say I inspect your security, claiming to be an expert, and a few weeks later you have a breach.
If, after the inspection, someone re-set a password to something lame and/or left it on a post-it then don't blame me.
If, however, it turns out that your wireless router doesn't support encryption - something that's unlikely to have changed since the inspection - then I haven't done a very good job, so why on earth should I not share the liability?
It also depends what level of expertise is expected from customer and inspector: in some cases the inspector will just be independently verifying what the customer should already know, in other cases the inspector could reasonably be expected to act as an expert: If I'm designing cellphones then I should have a ruddy good idea of whether my product meets FCC standards; If I run a small business and pay an accountant to check my tax returns then I expect them to know a darn sight more about tax law than me.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207071</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Rogerborg</author>
	<datestamp>1244112780000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>4</modscore>
	<htmltext><blockquote><div><p>If they win this lawsuit, they're setting a dangerous precedent</p></div></blockquote><p>How so?  The principle seems clear enough that any audit, in any industry, is only a snapshot; why would you think a court would change that principle in this case?

</p><p>The article indicates that the system wasn't CISP compliant at the time of the <em>breach</em>, but presumably Merrick can only prevail if they can show that the non-compliance that allowed the breach was also in place at the time of the <em>audit</em>.  Do you think otherwise?  If so, what leads you to the conclusion that the sky is about to fall?</p></div>
	</htmltext>
<tokenext>If they win this lawsuit , they 're setting a dangerous precedentHow so ?
The principle seems clear enough that any audit , in any industry , is only a snapshot ; why would you think a court would change that principle in this case ?
The article indicates that the system was n't CISP compliant at the time of the breach , but presumably Merrick can only prevail if they can show that the non-compliance that allowed the breach was also in place at the time of the audit .
Do you think otherwise ?
If so , what leads you to the conclusion that the sky is about to fall ?</tokentext>
<sentencetext>If they win this lawsuit, they're setting a dangerous precedentHow so?
The principle seems clear enough that any audit, in any industry, is only a snapshot; why would you think a court would change that principle in this case?
The article indicates that the system wasn't CISP compliant at the time of the breach, but presumably Merrick can only prevail if they can show that the non-compliance that allowed the breach was also in place at the time of the audit.
Do you think otherwise?
If so, what leads you to the conclusion that the sky is about to fall?
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28210225</id>
	<title>Messy business anyway ...</title>
	<author>Anonymous</author>
	<datestamp>1244132880000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>I guess an auditor who does not specify exactly the "scope, assumptions and disclaimers" of his certification is not worth his title in the first place. Professionally speaking: if you are auditing "the bridge" as in the examples mentioned, you would have either: a) clearly stated that the quality of steel used is not in scope, OR better still, taken a random sample from a non-critical segment and tested it in a lab, or something to that effect. In any way taken, it's a very risky business, because even if you state your "disclaimers" in the contract, and something does happen you are still exposed on an ethical or reputation level, because not everybody will have read your contract - and what the relevant public would still say is that XYZ audited and certified a bridge that fell.</p></htmltext>
<tokenext>I guess an auditor who does not specify exactly the " scope , assumptions and disclaimers " of his certification is not worth his title in the first place .
Professionally speaking : if you are auditing " the bridge " as in the examples mentioned , you would have either : a ) clearly stated that the quality of steel used is not in scope , OR better still , taken a random sample from a non-critical segment and tested it in a lab , or something to that effect .
In any way taken , it 's a very risky business , because even if you state your " disclaimers " in the contract , and something does happen you are still exposed on an ethical or reputation level , because not everybody will have read your contract - and what the relevant public would still say is that XYZ audited and certified a bridge that fell .</tokentext>
<sentencetext>I guess an auditor who does not specify exactly the "scope, assumptions and disclaimers" of his certification is not worth his title in the first place.
Professionally speaking: if you are auditing "the bridge" as in the examples mentioned, you would have either: a) clearly stated that the quality of steel used is not in scope, OR better still, taken a random sample from a non-critical segment and tested it in a lab, or something to that effect.
In any way taken, it's a very risky business, because even if you state your "disclaimers" in the contract, and something does happen you are still exposed on an ethical or reputation level, because not everybody will have read your contract - and what the relevant public would still say is that XYZ audited and certified a bridge that fell.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207183</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Anonymous</author>
	<datestamp>1244114580000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>Good Auditors leave the back door open, say yes, but have a mile of qualifications. After all who reads page 246?<br>like based on what was presented/asserted<br>That that was accurate and checked by the MD<br>and that things could change if the client failed to warn or notify us of xxxxx<br>all care no responsibility<br>in the event of a court case, maximum damages $100 dollars.</p><p>For years they have been poking their beaks into areas they know nothing about, but do have a pretty good checklist.<br>Think Enron, think Barings, think big banks rescued? by the guvment.</p></htmltext>
<tokenext>Good Auditors leave the back door open , say yes , but have a mile of qualifications .
After all who reads page 246 ? like based on what was presented/assertedThat that was accurate and checked by the MDand that things could change if the client failed to warn or notify us of xxxxxall care no responsibilityin the event of a court case , maximum damages $ 100 dollars.For years they have been poking their beaks into areas they know nothing about , but do have a pretty good checklist.Think Enron , think Barings , think big banks rescued ?
by the guvment .</tokentext>
<sentencetext>Good Auditors leave the back door open, say yes, but have a mile of qualifications.
After all who reads page 246?like based on what was presented/assertedThat that was accurate and checked by the MDand that things could change if the client failed to warn or notify us of xxxxxall care no responsibilityin the event of a court case, maximum damages $100 dollars.For years they have been poking their beaks into areas they know nothing about, but do have a pretty good checklist.Think Enron, think Barings, think big banks rescued?
by the guvment.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207439</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Runaway1956</author>
	<datestamp>1244118360000</datestamp>
	<modclass>Informativ</modclass>
	<modscore>1</modscore>
	<htmltext><p>"Audits, by their very nature, are point-in-time or snapshot checks."</p><p>8 years military service here.  Security was 24/7 plus when I was in uniform.  There was no "snapshot" of security, because everyone was trained from day one to understand that a moment in time is meaningless.</p><p>I have always laughed at the concept of "security" in most of the civilian world.  Seldom have I been in any civil institution where real security measures were in place, and enforced - be that physical or electronic.  Oh, there ARE places that are secure, but most banks are a sad, sad joke when it comes to security.</p><p>Security providers especially should be liable.  They have a contract to provide security, they can't come around every few weeks and check on how things are going.</p><p>An auditor has less responsibility than a provider, but even so, he should realize that a "snapshot" is only a fleeting moment in time.  If he doesn't understand that he needs to spend DAYS on site to understand not only how things are SUPPOSED to work, but how they DO work, then he isn't competent to pass himself off as a security auditor.</p><p>To be perfectly honest, it all comes back to the management, though.  There are precious few managers who will part with the money necessary to hire competent security, or to enforce strict compliance with real security measures.  Again, that is true of physical security, AND electronic security.  The day that someone such as a bank manager pulls his head out of his arse, and realizes that security is costly, the day that he PAYS FOR competent security personnel, THEN his bank will become secure.</p><p>It's a good thing to begin to hold these auditors and providers accountable.  At least 90% of them are lax, and at least 70% of them are incompetent.  A little liability will teach them to learn their jobs, then to perform their jobs properly.  
It will cost, but everyone will benefit, in the end.</p><p>Well, everyone will benefit except those who are exploiting the present lack of security.</p></htmltext>
<tokenext>" Audits , by their very nature , are point-in-time or snapshot checks .
" 8 years military service here .
Security was 24/7 plus when I was in uniform .
There was no " snapshot " of security , because everyone was trained from day one to understand that a moment in time is meaningless.I have always laughed at the concept of " security " in most of the civilian world .
Seldom have I been in any civil institution where real security measures were in place , and enforced - be that physical or electronic .
Oh , there ARE places that are secure , but most banks are a sad , sad joke when it comes to security.Security providers especially should be liable .
They have a contract to provide security , they ca n't come around every few weeks and check on how things are going.An auditor has less responsibility than a provider , but even so , he should realize that a " snapshot " is only a fleeting moment in time .
If he does n't understand that he needs to spend DAYS on site to understand not only how things are SUPPOSED to work , but how they DO work , then he is n't competent to pass himself off as a security auditor.To be perfectly honest , it all comes back to the management , though .
There are precious few managers who will part with the money necessary to hire competent security , or to enforce strict compliance with real security measures .
Again , that is true of physical security , AND electronic security .
The day that someone such as a bank manager pulls his head out of his arse , and realizes that security is costly , the day that he PAYS FOR competent security personnel , THEN his bank will become secure.It 's a good thing to begin to hold these auditors and providers accountable .
At least 90 % of them are lax , and at least 70 % of them are incompetent .
A little liability will teach them to learn their jobs , then to perform their jobs properly .
It will cost , but everyone will benefit , in the end.Well , everyone will benefit except those who are exploiting the present lack of security .</tokentext>
<sentencetext>"Audits, by their very nature, are point-in-time or snapshot checks.
"8 years military service here.
Security was 24/7 plus when I was in uniform.
There was no "snapshot" of security, because everyone was trained from day one to understand that a moment in time is meaningless.I have always laughed at the concept of "security" in most of the civilian world.
Seldom have I been in any civil institution where real security measures were in place, and enforced - be that physical or electronic.
Oh, there ARE places that are secure, but most banks are a sad, sad joke when it comes to security.Security providers especially should be liable.
They have a contract to provide security, they can't come around every few weeks and check on how things are going.An auditor has less responsibility than a provider, but even so, he should realize that a "snapshot" is only a fleeting moment in time.
If he doesn't understand that he needs to spend DAYS on site to understand not only how things are SUPPOSED to work, but how they DO work, then he isn't competent to pass himself off as a security auditor.To be perfectly honest, it all comes back to the management, though.
There are precious few managers who will part with the money necessary to hire competent security, or to enforce strict compliance with real security measures.
Again, that is true of physical security, AND electronic security.
The day that someone such as a bank manager pulls his head out of his arse, and realizes that security is costly, the day that he PAYS FOR competent security personnel, THEN his bank will become secure.It's a good thing to begin to hold these auditors and providers accountable.
At least 90% of them are lax, and at least 70% of them are incompetent.
A little liability will teach them to learn their jobs, then to perform their jobs properly.
It will cost, but everyone will benefit, in the end.Well, everyone will benefit except those who are exploiting the present lack of security.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28213187</id>
	<title>How do we work this into our legal system?</title>
	<author>sorak</author>
	<datestamp>1244145240000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>It seems to make sense that this should be treated like most other audits. If the auditor failed to notice a problem that it would be reasonable to assume a professional would get right, then he should be accountable. But this brings the same problem we have with IT patents: How do we fix our legal system so that the authorities are qualified to weed out the BS in complicated technical matters?
<br> <br>
I'm starting to think we need a separate court system just to handle technology-related cases. One in which it is reasonable to say "If you can't explain DNS", then you're not qualified. But that's just a thought...</htmltext>
<tokenext>It seems to make sense that this should be treated like most other audits .
If the auditor failed to notice a problem that it would be reasonable to assume a professional would get right , then he should be accountable .
But this brings the same problem we have with IT patents : How do we fix our legal system so that the authorities are qualified to weed out the BS in complicated technical matters ?
I 'm starting to think we need a separate court system just to handle technology-related cases .
One in which it is reasonable to say " If you ca n't explain DNS " , then you 're not qualified .
But that 's just a thought.. .</tokentext>
<sentencetext>It seems to make sense that this should be treated like most other audits.
If the auditor failed to notice a problem that it would be reasonable to assume a professional would get right, then he should be accountable.
But this brings the same problem we have with IT patents: How do we fix our legal system so that the authorities are qualified to weed out the BS in complicated technical matters?
I'm starting to think we need a separate court system just to handle technology-related cases.
One in which it is reasonable to say "If you can't explain DNS", then you're not qualified.
But that's just a thought...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Anonymous</author>
	<datestamp>1244112720000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>5</modscore>
	<htmltext><div class="quote"><p>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.</p></div><p>Contrary to the precedent that no matter how much you fuck up, and no matter how blatantly false your audit report is, you're not responsible for anything, including not finding problems that are there when your whole job justification is that you're there to find these problems?</p><p>Stop worrying about the poor little techie. We're talking commercial enterprises here. The immediate effect will be that auditing companies take out insurance to cover this risk, and the price of audits goes up a little. <b>However</b>, the secondary effect will be that audits do, in fact, improve, because the premiums on your insurance depend on how often you fuck up and the insurance company has to pay for it.</p>
	</htmltext>
<tokenext>If they win this lawsuit , they 're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security , and can potentially be held liable for stupid user errors by users of that system .
Contrary to the precedent that no matter how much you fuck up , and no matter how blatantly false your audit report is , you 're not responsible for anything , including not finding problems that are there when your whole job justification is that you 're there to find these problems ?
Stop worrying about the poor little techie .
We 're talking commercial enterprises here .
The immediate effect will be that auditing companies take out insurance to cover this risk , and the price of audits goes up a little .
However , the secondary effect will be that audits do , in fact , improve , because the premiums on your insurance depend on how often you fuck up and the insurance company has to pay for it .</tokentext>
<sentencetext>If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.
Contrary to the precedent that no matter how much you fuck up, and no matter how blatantly false your audit report is, you're not responsible for anything, including not finding problems that are there when your whole job justification is that you're there to find these problems?
Stop worrying about the poor little techie.
We're talking commercial enterprises here.
The immediate effect will be that auditing companies take out insurance to cover this risk, and the price of audits goes up a little.
However, the secondary effect will be that audits do, in fact, improve, because the premiums on your insurance depend on how often you fuck up and the insurance company has to pay for it.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212141</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>ToasterMonkey</author>
	<datestamp>1244140920000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><div class="quote"><p>8 years military service here. Security was 24/7 plus when I was in uniform. There was no "snapshot" of security, because everyone was trained from day one to understand that a moment in time is meaningless.</p></div><p>For security, sure, but we're talking certifications here.  There is no such thing as 24/7 certification; they are issued once a year or so, and you can fuck everything up in between.<br>Think of all the annual training that you (hopefully, mostly) received.  Are you likely to forget how to fire a rifle, tread water, or don a gas mask between qualifications?  Probably not, but I'll bet you didn't regularly train in those unless you were infantry.  Every so often someone will even fail a semi-annual fitness test, and that "skill" is almost universally maintained year round.   Businesses don't do security just for the sake of security; that's not what they're in it for, unlike the military.</p>
	</htmltext>
<tokenext>8 years military service here .
Security was 24/7 plus when I was in uniform .
There was no " snapshot " of security , because everyone was trained from day one to understand that a moment in time is meaningless .
For security , sure , but we 're talking certifications here .
There is no such thing as 24/7 certification ; they are issued once a year or so , and you can fuck everything up in between .
Think of all the annual training that you ( hopefully , mostly ) received .
Are you likely to forget how to fire a rifle , tread water , or don a gas mask between qualifications ?
Probably not , but I 'll bet you did n't regularly train in those unless you were infantry .
Every so often someone will even fail a semi-annual fitness test , and that " skill " is almost universally maintained year round .
Businesses do n't do security just for the sake of security , that 's not what they 're in it for , unlike the military .</tokentext>
<sentencetext>8 years military service here.
Security was 24/7 plus when I was in uniform.
There was no "snapshot" of security, because everyone was trained from day one to understand that a moment in time is meaningless.
For security, sure, but we're talking certifications here.
There is no such thing as 24/7 certification; they are issued once a year or so, and you can fuck everything up in between.
Think of all the annual training that you (hopefully, mostly) received.
Are you likely to forget how to fire a rifle, tread water, or don a gas mask between qualifications?
Probably not, but I'll bet you didn't regularly train in those unless you were infantry.
Every so often someone will even fail a semi-annual fitness test, and that "skill" is almost universally maintained year round.
Businesses don't do security just for the sake of security, that's not what they're in it for, unlike the military.
	</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207439</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28217997</id>
	<title>Two names, three words</title>
	<author>Nefarious Wheel</author>
	<datestamp>1244131740000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Arthur Andersen.  Enron.</htmltext>
<tokenext>Arthur Andersen .
Enron .</tokentext>
<sentencetext>Arthur Andersen.
Enron.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28209323</id>
	<title>lolol</title>
	<author>dstones</author>
	<datestamp>1244129160000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>Just because you are compliant with some regulation does not mean that your system cannot be breached.  That would be absurd to believe. Sure, PCI is a regulation affirming that the system is secure, but secure is defined by their set of regulations.  You cannot protect against everything.  I think it's a joke to hold the auditor responsible unless, as some others have stated, it is possible to prove that the job done was insufficient.</htmltext>
<tokenext>Just because you are compliant with some regulation does not mean that your system can not be breached .
That would be absurd to believe .
Sure , PCI is a regulation affirming that the system is secure , but secure is defined by their set of regulations .
You can not protect against everything .
I think it 's a joke to hold the auditor responsible unless , as some others have stated , it is possible to prove that the job done was insufficient .</tokentext>
<sentencetext>Just because you are compliant with some regulation does not mean that your system cannot be breached.
That would be absurd to believe.
Sure, PCI is a regulation affirming that the system is secure, but secure is defined by their set of regulations.
You cannot protect against everything.
I think it's a joke to hold the auditor responsible unless, as some others have stated, it is possible to prove that the job done was insufficient.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208133</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>D3</author>
	<datestamp>1244123760000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>First, it is way too easy to hide information from the PCI assessors.  BTW, they are NOT auditors, they are assessors; there is a big difference.  But it is too easy to hide stuff because really digging into a complex system for every last detail is already cost prohibitive.</p><p>Which brings me to my second point.  If liability gets pushed to the assessors (or SOX auditors, which are real auditors) then the cost of being assessed/audited is going to skyrocket because they will just pass the cost of liability right back to the company that hired them.  The companies being assessed/audited are being held at 'legal gunpoint' to comply and pay whatever cost.  Then, the cost of being assessed will be passed on to the consumers or the company will go out of business.</p></htmltext>
<tokenext>First , it is way too easy to hide information from the PCI assessors .
BTW , they are NOT auditors , they are assessors , there is a big difference .
But it is too easy to hide stuff because really digging into a complex system for every last detail is already cost prohibitive .
Which brings me to my second point .
If liability gets pushed to the assessors ( or SOX auditors , which are real auditors ) then the cost of being assessed/audited is going to skyrocket because they will just pass the cost of liability right back to the company that hired them .
The companies being assessed/audited are being held at 'legal gunpoint ' to comply and pay whatever cost .
Then , the cost of being assessed will be passed on to the consumers or the company will go out of business .</tokentext>
<sentencetext>First, it is way too easy to hide information from the PCI assessors.
BTW, they are NOT auditors, they are assessors, there is a big difference.
But it is too easy to hide stuff because really digging into a complex system for every last detail is already cost prohibitive.
Which brings me to my second point.
If liability gets pushed to the assessors (or SOX auditors, which are real auditors) then the cost of being assessed/audited is going to skyrocket because they will just pass the cost of liability right back to the company that hired them.
The companies being assessed/audited are being held at 'legal gunpoint' to comply and pay whatever cost.
Then, the cost of being assessed will be passed on to the consumers or the company will go out of business.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207023</id>
	<title>Due diligence.</title>
	<author>TapeCutter</author>
	<datestamp>1244111940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><i>"If they win this lawsuit, they're setting a dangerous precedent"</i>
<br> <br>
Audits are performed so the company can demonstrate due diligence should something go wrong; if the auditors themselves cannot show due diligence in their own actions then they deserve to be hammered.</htmltext>
<tokenext>" If they win this lawsuit , they 're setting a dangerous precedent "
Audits are performed so the company can demonstrate due diligence should something go wrong ; if the auditors themselves can not show due diligence in their own actions then they deserve to be hammered .</tokentext>
<sentencetext>"If they win this lawsuit, they're setting a dangerous precedent"
Audits are performed so the company can demonstrate due diligence should something go wrong; if the auditors themselves cannot show due diligence in their own actions then they deserve to be hammered.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28210391</id>
	<title>Wait they aren't already?</title>
	<author>nurb432</author>
	<datestamp>1244133600000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>If they are not liable for their mistakes in certifying, then what value are their approvals?</p><p>Sure, if you lie to them it's your fraud and it's not their fault, but if they make the mistake...</p></htmltext>
<tokenext>If they are not liable for their mistakes in certifying , then what value are their approvals ?
Sure , if you lie to them it 's your fraud and it 's not their fault , but if they make the mistake ...</tokentext>
<sentencetext>If they are not liable for their mistakes in certifying, then what value are their approvals?
Sure, if you lie to them it's your fraud and it's not their fault, but if they make the mistake...</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28209233</id>
	<title>Car</title>
	<author>fulldecent</author>
	<datestamp>1244128860000</datestamp>
	<modclass>Troll</modclass>
	<modscore>0</modscore>
	<htmltext><p>I take my car to PepBoys for a yearly inspection in January. If my brakes go bad in February and my rotors are worn, that's PepBoys' fault and they fix it.</p></htmltext>
<tokenext>I take my car to PepBoys for a yearly inspection in January .
If my brakes go bad in February and my rotors are worn , that 's PepBoys ' fault and they fix it .</tokentext>
<sentencetext>I take my car to PepBoys for a yearly inspection in January.
If my brakes go bad in February and my rotors are worn, that's PepBoys' fault and they fix it.</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207279</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Z00L00K</author>
	<datestamp>1244116380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>This is an interesting case to have.</p><ul><li>If the auditor certifies a system according to current regulations and the system later fails, is that the fault of the auditor or the regulations?</li><li>System changes can render the certification invalid, and then the system has to be revalidated.</li><li>New threats and hacking methods appear all the time, so even current regulations may be outdated.</li><li>You shall never certify your own system; always bring in an outside certification agency. Then it's up to you to take action and responsibility.</li><li>Always expect at least one security measure to fail. This means that you shall never rely on a single protection such as a PIN code or a password for critical systems.</li><li>It's your system, so you should have the ultimate responsibility.</li><li>But then - who certifies the auditors? Do they have an up-to-date certification? Don't let this stop you - even auditors without certifications can be really good.</li><li>Every component in a system may check out really well, but when they interact you may have a hole as big as the Grand Canyon.</li><li>Third-party problems like hijacked certificates can cause a major headache.</li></ul><p>So I would rather say that if the auditing report shows the auditor's incompetence and negligence, then the auditor is a valid target, but if the documentation covers the system well then the customer shouldn't be able to complain. And it's also hard for an auditor to be able to verify every aspect of a system without an extended study and analysis of the code, possible backdoors and system design.</p></htmltext>
<tokenext>This is an interesting case to have .
If the auditor certifies a system according to current regulations and the system later fails , is that the fault of the auditor or the regulations ?
System changes can render the certification invalid , and then the system has to be revalidated .
New threats and hacking methods appear all the time , so even current regulations may be outdated .
You shall never certify your own system ; always bring in an outside certification agency .
Then it 's up to you to take action and responsibility .
Always expect at least one security measure to fail .
This means that you shall never rely on a single protection such as a PIN code or a password for critical systems .
It 's your system , so you should have the ultimate responsibility .
But then - who certifies the auditors ?
Do they have an up-to-date certification ?
Do n't let this stop you - even auditors without certifications can be really good .
Every component in a system may check out really well , but when they interact you may have a hole as big as the Grand Canyon .
Third-party problems like hijacked certificates can cause a major headache .
So I would rather say that if the auditing report shows the auditor 's incompetence and negligence , then the auditor is a valid target , but if the documentation covers the system well then the customer should n't be able to complain .
And it 's also hard for an auditor to be able to verify every aspect of a system without an extended study and analysis of the code , possible backdoors and system design .</tokentext>
<sentencetext>This is an interesting case to have.
If the auditor certifies a system according to current regulations and the system later fails, is that the fault of the auditor or the regulations?
System changes can render the certification invalid, and then the system has to be revalidated.
New threats and hacking methods appear all the time, so even current regulations may be outdated.
You shall never certify your own system; always bring in an outside certification agency.
Then it's up to you to take action and responsibility.
Always expect at least one security measure to fail.
This means that you shall never rely on a single protection such as a PIN code or a password for critical systems.
It's your system, so you should have the ultimate responsibility.
But then - who certifies the auditors?
Do they have an up-to-date certification?
Don't let this stop you - even auditors without certifications can be really good.
Every component in a system may check out really well, but when they interact you may have a hole as big as the Grand Canyon.
Third-party problems like hijacked certificates can cause a major headache.
So I would rather say that if the auditing report shows the auditor's incompetence and negligence, then the auditor is a valid target, but if the documentation covers the system well then the customer shouldn't be able to complain.
And it's also hard for an auditor to be able to verify every aspect of a system without an extended study and analysis of the code, possible backdoors and system design.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207041</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Anonymous</author>
	<datestamp>1244112300000</datestamp>
	<modclass>Insightful</modclass>
	<modscore>3</modscore>
	<htmltext>I highly doubt that's even the case. The bank would probably have to prove that the breach could have taken place even at the time of auditing, not after, due to obvious reasons anyone can imagine. If they manage to do so, the suit should be perfectly valid.</htmltext>
<tokenext>I highly doubt that 's even the case .
The bank would probably have to prove that the breach could have taken place even at the time of auditing , not after , due to obvious reasons anyone can imagine .
If they manage to do so , the suit should be perfectly valid .</tokentext>
<sentencetext>I highly doubt that's even the case.
The bank would probably have to prove that the breach could have taken place even at the time of auditing, not after, due to obvious reasons anyone can imagine.
If they manage to do so, the suit should be perfectly valid.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28211369</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>Anonymous</author>
	<datestamp>1244137500000</datestamp>
	<modclass>None</modclass>
	<modscore>0</modscore>
	<htmltext><p>There is this thing called a "disclaimer". It says that IF you adhere to certain requirements, THEN the guarantee is good.</p><p>There's also another thing called a "post-mortem". When something crashes, forensics experts can usually do a pretty decent job of back-tracking the causes, whether it's an airliner or a credit card system. Which is how the legal people determine whether the disclaimer is valid.</p><p>It's ironic when you can sue and win major amounts for trivial reasons that there should be room for a complete denial of liability by the very people whose job it is to assert the security and/or quality of anything.</p><p>Then again, maybe I expect too much. Everyday Low Prices and gitter-dun-quick have far higher priorities these days than true quality or reliability.</p></htmltext>
<tokenext>There is this thing called a " disclaimer " .
It says that IF you adhere to certain requirements , THEN the guarantee is good .
There 's also another thing called a " post-mortem " .
When something crashes , forensics experts can usually do a pretty decent job of back-tracking the causes , whether it 's an airliner or a credit card system .
Which is how the legal people determine whether the disclaimer is valid .
It 's ironic when you can sue and win major amounts for trivial reasons that there should be room for a complete denial of liability by the very people whose job it is to assert the security and/or quality of anything .
Then again , maybe I expect too much .
Everyday Low Prices and gitter-dun-quick have far higher priorities these days than true quality or reliability .</tokentext>
<sentencetext>There is this thing called a "disclaimer".
It says that IF you adhere to certain requirements, THEN the guarantee is good.
There's also another thing called a "post-mortem".
When something crashes, forensics experts can usually do a pretty decent job of back-tracking the causes, whether it's an airliner or a credit card system.
Which is how the legal people determine whether the disclaimer is valid.
It's ironic when you can sue and win major amounts for trivial reasons that there should be room for a complete denial of liability by the very people whose job it is to assert the security and/or quality of anything.
Then again, maybe I expect too much.
Everyday Low Prices and gitter-dun-quick have far higher priorities these days than true quality or reliability.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212015</id>
	<title>They should be held responsible</title>
	<author>onyxruby</author>
	<datestamp>1244140380000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>
Audit work has been about 20% of my workload over the last few years. Auditing isn't about having the perfect environment (which I've never yet seen); it's about being able to say "I have conducted business in a good faith manner following industry best practices" - and that is what allows you to win in court. When management brings you in for an audit they are expecting someone to find these kinds of problems and point them out. They need someone who is /not/ a staff member, has no stake in things, no political ax to grind, to come in and verify that things really are OK. I've seen environments like the client I'm with now that went years without an outside auditor before I came in, and these are typically the ones that you hear about on the news for massive breaches.
</p><p>
Auditing is about trust and the reassurance that your systems are running under industry best practices and do not have undocumented security risks. Often it takes an outside auditor's report to get through red tape so that budget /can/ be allocated. Management (and it's not uncommon for audits to be paid for outside of IT's budget) needs to have something that they can trust and that they can use to have a legally defensible position. The auditor's job is to find holes, identify problems, explicitly identify risk, review personnel and so on, and then document it. That being said, the auditor always runs the risk of being asked to fix what they find, so the auditor needs to be realistic in their work. </p><p>
Insurance policies, industry certifications, millions in losses and public goodwill all ride on these reports. Some auditors are afraid of writing a critical report as they fear they will personally be poorly reviewed by the client if they do, or they do not want to risk offending the client and losing repeat business. This is where lawsuits come in, so that the integrity of the audit is placed before fear of losing repeat business. That being said, writing reports that tell a client they don't know jack and have to redo everything and that they should hire some additional personnel, without offending anyone, is an art form in its own right.
</p></htmltext>
<tokenext>Audit work has been about 20 % of my workload over the last few years .
Auditing is n't about having the perfect environment ( which I 've never yet seen ) ; it 's about being able to say " I have conducted business in a good faith manner following industry best practices " - and that is what allows you to win in court .
When management brings you in for an audit they are expecting someone to find these kinds of problems and point them out .
They need someone who is /not/ a staff member , has no stake in things , no political ax to grind , to come in and verify that things really are OK .
I 've seen environments like the client I 'm with now that went years without an outside auditor before I came in , and these are typically the ones that you hear about on the news for massive breaches .
Auditing is about trust and the reassurance that your systems are running under industry best practices and do not have undocumented security risks .
Often it takes an outside auditor 's report to get through red tape so that budget /can/ be allocated .
Management ( and it 's not uncommon for audits to be paid for outside of IT 's budget ) needs to have something that they can trust and that they can use to have a legally defensible position .
The auditor 's job is to find holes , identify problems , explicitly identify risk , review personnel and so on , and then document it .
That being said , the auditor always runs the risk of being asked to fix what they find , so the auditor needs to be realistic in their work .
Insurance policies , industry certifications , millions in losses and public goodwill all ride on these reports .
Some auditors are afraid of writing a critical report as they fear they will personally be poorly reviewed by the client if they do , or they do not want to risk offending the client and losing repeat business .
This is where lawsuits come in , so that the integrity of the audit is placed before fear of losing repeat business .
That being said , writing reports that tell a client they do n't know jack and have to redo everything and that they should hire some additional personnel , without offending anyone , is an art form in its own right .</tokentext>
<sentencetext>
Audit work has been about 20% of my workload over the last few years.
Auditing isn't about having the perfect environment (which I've never yet seen); it's about being able to say "I have conducted business in a good faith manner following industry best practices" - and that is what allows you to win in court.
When management brings you in for an audit they are expecting someone to find these kinds of problems and point them out.
They need someone who is /not/ a staff member, has no stake in things, no political ax to grind, to come in and verify that things really are OK.
I've seen environments like the client I'm with now that went years without an outside auditor before I came in, and these are typically the ones that you hear about on the news for massive breaches.
Auditing is about trust and the reassurance that your systems are running under industry best practices and do not have undocumented security risks.
Often it takes an outside auditor's report to get through red tape so that budget /can/ be allocated.
Management (and it's not uncommon for audits to be paid for outside of IT's budget) needs to have something that they can trust and that they can use to have a legally defensible position.
The auditor's job is to find holes, identify problems, explicitly identify risk, review personnel and so on, and then document it.
That being said, the auditor always runs the risk of being asked to fix what they find, so the auditor needs to be realistic in their work.
Insurance policies, industry certifications, millions in losses and public goodwill all ride on these reports.
Some auditors are afraid of writing a critical report as they fear they will personally be poorly reviewed by the client if they do, or they do not want to risk offending the client and losing repeat business.
This is where lawsuits come in, so that the integrity of the audit is placed before fear of losing repeat business.
That being said, writing reports that tell a client they don't know jack and have to redo everything and that they should hire some additional personnel, without offending anyone, is an art form in its own right.
</sentencetext>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208467</id>
	<title>Re:Oh, this sounds like a good idea...</title>
	<author>evilkasper</author>
	<datestamp>1244125500000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext>The thing that really needs to be taken into account is that just because your certified does not guarantee 100\% security. The auditor should not be held responsible for this, all they do is check to see if you are compliant with a standard. If they want 100\% secure they should unplug it , put it in safe and then drop it into the Marianas Trench.</htmltext>
<tokenext>The thing that really needs to be taken into account is that just because your certified does not guarantee 100 \ % security .
The auditor should not be held responsible for this , all they do is check to see if you are compliant with a standard .
If they want 100 \ % secure they should unplug it , put it in safe and then drop it into the Marianas Trench .</tokentext>
<sentencetext>The thing that really needs to be taken into account is that just because you're certified does not guarantee 100% security.
The auditor should not be held responsible for this; all they do is check to see if you are compliant with a standard.
If they want 100% secure they should unplug it, put it in a safe and then drop it into the Marianas Trench.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<comment>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208767</id>
	<title>Certified as secure</title>
	<author>rcamans</author>
	<datestamp>1244126940000</datestamp>
	<modclass>None</modclass>
	<modscore>1</modscore>
	<htmltext><p>The auditor did not certify them as secure. They certified them as PCI-DSS compliant. That just means that they are somewhat hard to penetrate. A certain limit on time, expertise, and tools is in the standard. Any criminal who spends more time, money, and expertise to successfully penetrate them is OK by the PCI-DSS standard. The standard actually explicitly says this stuff. PCI-DSS is just setting a bar. Hopefully one high enough that common criminals cannot easily or quickly beat it. But organized crime (Mafia, Russian Mafia) can afford to buy the expertise, spend the time and money. Or a common criminal (script kiddie, haxor boy) can spend enough time and defeat it as well.<br>I know. I designed a PCI-DSS compliant system which was certified.<br>So, no matter what the bank says, if the other guys were actually PCI-DSS compliant, the bank loses the court case. Unless, of course, they buy better legal representation. Since the court system is biased towards the rich and mighty, who can afford better legal representation.<br>And any case can be won by a good enough lawyer.<br>For example, a lawyer won a case that a board fell off a store shelf and took away the complainant's psychic powers.</p></htmltext>
<tokenext>The auditor did not certify them as secure .
They certified them as PCI-DSS compliant .
That just means that they are somewhat hard to penetrate .
A certain amount of time , expertise , and tools limit is in the standard .
Any criminal who spends more time , money , expertise to successfully penetrate them is ok by the PCI-DSS standard .
The standard actually explicitly says this stuff.. PCI-DSS is just setting a bar .
Hopefully one high enough that common criminals can not easily or quickly beat it .
But organized crime ( Mafia , Russian Mafia ) can afford to buy the expertise , spend the time and money .
Or a common criminal ( script kiddie , haxor boy ) can spend enough time and defeat it as well .
I know .
I designed a PCI-DSS compliant system which was certified .
So , no matter what the bank says , if the other guys were actually PCI-DSS compliant , the bank loses the court case .
Unless , of course , they buy better legal representation .
Since the court system is biased towards the rich and mighty , who can afford better legal representation .
And any case can be won by a good enough lawyer .
For example , a lawyer won that a board fell off a store shelf and took away the complainant 's psychic powers .</tokentext>
<sentencetext>The auditor did not certify them as secure.
They certified them as PCI-DSS compliant.
That just means that they are somewhat hard to penetrate.
A certain limit on time, expertise, and tools is in the standard.
Any criminal who spends more time, money, and expertise to successfully penetrate them is OK by the PCI-DSS standard.
The standard actually explicitly says this stuff. PCI-DSS is just setting a bar.
Hopefully one high enough that common criminals cannot easily or quickly beat it.
But organized crime (Mafia, Russian Mafia) can afford to buy the expertise, spend the time and money.
Or a common criminal (script kiddie, haxor boy) can spend enough time and defeat it as well.
I know.
I designed a PCI-DSS compliant system which was certified.
So, no matter what the bank says, if the other guys were actually PCI-DSS compliant, the bank loses the court case.
Unless, of course, they buy better legal representation.
Since the court system is biased towards the rich and mighty, who can afford better legal representation.
And any case can be won by a good enough lawyer.
For example, a lawyer won a case that a board fell off a store shelf and took away the complainant's psychic powers.</sentencetext>
	<parent>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881</parent>
</comment>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_17</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28211195
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_8</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208197
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_11</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207023
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_18</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212141
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207439
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_15</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207041
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_1</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207187
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_5</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208795
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_3</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207401
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_9</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208767
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_12</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212099
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_2</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208133
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_6</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207071
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_16</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207279
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_7</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207183
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_13</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28217899
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207491
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_10</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212213
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28211369
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_4</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208467
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<thread>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#thread_09_06_04_0413211_14</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208081
http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
</commentlist>
</thread>
<conversation>
	<id>http://www.semanticweb.org/ontologies/ConversationInstances.owl#conversation09_06_04_0413211.0</id>
	<commentlist>http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28206881
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207041
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207439
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212141
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208081
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207071
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208467
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207279
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28211195
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208795
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207023
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207491
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28217899
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207067
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207401
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212213
--http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208197
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28212099
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208133
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28211369
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207183
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28208767
-http://www.semanticweb.org/ontologies/ConversationInstances.owl#comment09_06_04_0413211.28207187
</commentlist>
</conversation>
