Only as Good as Your Auditor
Andy Warren (Moderators)
Comments posted to this topic are about the item Only as Good as Your Auditor

Andy
SQLAndy - My Blog!
Connect with me on LinkedIn
Follow me on Twitter
Rod
Having sat through several audits myself, I appreciate what you've said here, Andy. Every audit I sat through was done by one vendor or, as was more likely the case, some government agent working on behalf of a Federal agency we were being funded by. But you've brought up a point which I've never had to deal with, and that's what happens if more than one auditor performs an audit on you/your company. I know it's easy to think, "Yeah, we passed the audit! Now it's back to normal." I see how that might lead to some complacency.


Kindest Regards, Rod
Connect with me on LinkedIn.
David.Poole
One of the outcomes of the banking crisis was awareness that the regulator had been a watchdog that didn't bark, let alone bite. There was an all-too-cosy relationship between the regulated and the regulator.

The old watchdog was put down and the new watchdog was very keen to show it had teeth and that they worked. I don't know if the situation has slumped back into the old status quo. What I do know is that security is a topic where you have to be continually ratcheting up your capability. A toothless auditor is no help. Yes, an audit can be a painful process, but if it was easy I'd be worried.

My thoughts are that an organisation shouldn't wait until the end of the year and sit quaking in fear at the sound of the auditor's tread. Some form of continuous improvement process needs to be in place which includes a RAID log:
  • Risks - Threats, real and potential
  • Actions - Things done proactively to address risks and things done reactively to mitigate risks. These should also reference the decisions.
  • Issues - This should include where risks have become an issue as well as the issues that snuck in under the radar
  • Decisions - Who, what, when and the target for implementation

LinkedIn Profile

Newbie on www.simple-talk.com
Gary Varga
I tend to think that an audit that raises nothing provides no value at all. It is similar to the test team. I expect that many things will be covered off by the teams leading up to the audit (or testing in the comparison) but I only believe they are being thorough when they raise the first non-superficial issue. No issues (defects) means that it hasn't been evaluated (tested) enough.

...and, basically, David is spot on in his assessment.

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!