2005-08-01
On July 21, 2005, the United States House of Representatives Committee on Financial Services, Subcommittee on Oversight held a hearing on "Credit Card Data Processing: How Secure Is It?" Of course, just by asking the question, you already know what the answer is going to be: not a disaster, but about as secure as you might imagine.

If C&W audited CardSystems based on the standard they could not have just stopped at the couple of servers identified by the client. The CISP document is clear and comprehensive.
I have seen that there is nothing covering the setup of firewalls for instance. This shows the ignorance of the "consultant". There are several pages on this topic alone just as a single example.
There are 2 issues here.
1. C&W do not do audits in the real sense nor seem to understand what an audit is. A vulnerability scan or limited security review cannot be considered an audit. They did not audit against the standard from VISA; they reviewed a system per CardSystems' instructions. At best this is an aid to an internal audit. The requirement is an independent external audit.
2. CardSystems was required to undertake a complete onsite audit. They did not and sought to hide this in a limited review.
Finally, external audit does not mean a scan from outside the network. It is NOT an ethical attack. It is a complete systematic audit from an external party of the internal systems. A lack of professionalism from "security professionals" is not helping. How about we learn what an audit is BEFORE we start to do audits!
Craig