[Am-info] GAO and State Auditors Release Security Auditing Guide
Fred A. Miller
fm@cupserv.org
Thu, 3 Jan 2002 12:08:18 -0500
GAO and State Auditors Release Security Auditing Guide
The US Government Accounting Office and twelve state and local
auditing agencies jointly published a comprehensive and thoughtful
roadmap for security audits. Among the many important guidelines
was an unequivocal requirement that auditors who audit access
control (including penetration testing) and system software must
have specialized technical skills such as knowledge of security
configuration requirements and how to test for them on both servers
and applications as well as advanced knowledge of network hardware,
software and protocols.
http://www.gao.gov/special.pubs/mgmtpln.pdf
[Editor's (Paller) Note: This is good advice. With solid technical
skills, security auditors often become the most powerful force for
positive change in improving security. Even before the new report was
issued, we saw a surge in auditors attending very technical courses
at SANS conferences and earning GIAC certifications. Randy Marchany
(at Virginia Tech) is the quintessence of the fusion of technical
skills and auditing. His STAR risk analysis system has been a boon
to hundreds of security auditors:
http://www.security.vt.edu/playitsafe/index.phtml#RiskAnalysis]
--
Fred A. Miller
Systems Administrator
Cornell Univ. Press Services
fm@cupserv.org