Policy, Standards, Regulations & Compliance
RE: combining multiple audits Dec 04 2005 11:04PM
Smith, Michael J. (Michael J Smith unisys com)
For the US Feds, we say that any former audits are a control out of NIST
SP 800-53 and roll the findings up from that audit into the
certification and accreditation of that system.

I think the bottom line is that a finding is a finding and it's
applicable to all standards. The trick is to have a requirements
traceability matrix (and by extension, a test and evaluation plan) that
lists *all* the standards that you are aiming for.

HTH
--Mike

Michael J Smith michael.j.smith (at) unisys (dot) com [email concealed]
Information Security Architect
703.419.3109 W
703.855.0890 C
"Those who do not understand Unix are condemned to reinvent it, poorly."

--Henry Spencer

> -----Original Message-----
> From: Vic N [mailto:vic778 (at) hotmail (dot) com [email concealed]]
> Sent: Sunday, December 04, 2005 4:50 PM
> To: psrc (at) securityfocus (dot) com [email concealed]
> Subject: combining multiple audits
>
> Is anyone having the discussion about combining multiple audits into one
> single audit? For example, I'd like to combine the IT portion of the SOX
> audit and the PCI audit into one audit to spare my IT teams multiple
> "visits" from auditors.
>
> At first blush, it seems an IT component that is evaluated within the PCI
> standard as acceptable *should* (big should) probably also be considered
> SOX compliant.
>
> However, it does not seem like it's a straight apples-to-apples comparison,
> but it may still be possible to combine multiple audits into one single
> (less invasive) evaluation.
>
> Anyone else thinking about this?
>

Copyright 2010, SecurityFocus