[Owasp-leaders] Question on ISACA

kuai hinojosa kuai.hinojosa at owasp.org
Wed Nov 4 11:18:15 EST 2009

On Nov 4, 2009, at 11:11 AM, Dan Cornell wrote:

> I've worked with a number of IT auditors in the past and that is a
> fair characterization, based on my experiences.  Most of the folks
> in that job function I have worked with are, at best, infrastructure
> security folks who have moved to IT audit, but many are CPAs by
> background or have other non-IT experience bases.
>
> The majority of the time I have worked with IT auditors it has been
> helping them to translate their audit requirement into reasonable
> technical measures that can be taken that meet those requirements
> and then helping them to interpret the results of Threat Models,
> code and application scans, etc. so they can determine if they feel
> comfortable that their audit requirements have been met.
>
> As for what OWASP can do I think the manager-focused documentation
> for the OWASP Top 10, etc. is helpful in translating fairly technical
> information to the level of business risk.  There was work done a
> while back on ISO 17799 mappings and resurrecting that and providing
> further application-level guidance for these compliance/audit
> regimes might be helpful.

I believe this is one of the initiatives of the Global Education
Committee; we are planning on structuring and "translating" documents
for different target audiences, managers being one.

> Have other folks on the list fielded questions from IT auditors who
> were looking for further direction?
>
> Thanks,
> Dan
>
> ________________________________________
> From: owasp-leaders-bounces at lists.owasp.org On Behalf Of McGovern, James F. (eBusiness) [James.McGovern at thehartford.com]
> Sent: Wednesday, November 04, 2009 9:38 AM
> To: owasp-leaders at lists.owasp.org; sc-l at securecoding.org
> Subject: [Owasp-leaders] Question on ISACA
>
> John Morency of Gartner just finished giving a presentation to our  
> IT executives and one of the observations is that IT auditors have  
> zero clue as to how to audit a secure coding practice. IT audit  
> right now is limited to simply looking at "control" documents and  
> viewing things through the lens of "infrastructure". Is there  
> something we as a community should be doing to make auditors smarter?
