[Owasp-leaders] Question on ISACA

Dan Cornell dan at denimgroup.com
Wed Nov 4 11:11:13 EST 2009

I've worked with a number of IT auditors in the past and that is a fair characterization, based on my experiences.  Most of the folks in that job function I have worked with are, at best, infrastructure security folks who have moved to IT audit, but many are CPAs by background or have other non-IT experience bases.

The majority of the time I have worked with IT auditors it has been helping them to translate their audit requirement into reasonable technical measures that can be taken that meet those requirements, and then helping them to interpret the results of Threat Models, code and application scans, etc., so they can determine if they feel comfortable that their audit requirements have been met.

As for what OWASP can do, I think the manager-focused documentation for the OWASP Top 10, etc. is helpful in translating fairly technical information to the level of business risk.  There was work done a while back on ISO 17799 mappings, and resurrecting that and providing further application-level guidance for these compliance/audit regimes might be helpful.

Have other folks on the list fielded questions from IT auditors who were looking for further direction?


From: owasp-leaders-bounces at lists.owasp.org [owasp-leaders-bounces at lists.owasp.org] On Behalf Of McGovern, James F. (eBusiness) [James.McGovern at thehartford.com]
Sent: Wednesday, November 04, 2009 9:38 AM
To: owasp-leaders at lists.owasp.org; sc-l at securecoding.org
Subject: [Owasp-leaders] Question on ISACA

John Morency of Gartner just finished giving a presentation to our IT executives and one of the observations is that IT auditors have zero clue as to how to audit a secure coding practice. IT audit right now is limited to simply looking at "control" documents and viewing things through the lens of "infrastructure". Is there something we as a community should be doing to make auditors smarter?

