Audit Frequency

In one of the forums I subscribe to the question came up “How often should one carry out an internal audit?”  There were variations on this to do with external  audits as well.   Lets suppose you aren’t one of the relicrant types that take the attitude that audits aren’t necessary or that an audit – or a risk analysis for that mater – needs to be done just the once.

How often?  Yearly?  Ever Six Months?  Every Month?

Maybe. maybe not.
If you are one of a certain set of classes of organizations there are rules that mandate when you get audited. For example, if you process credit cards then the PCI:DSS rules apply to you.

If you are a bank, you should check for Basel II and FFIEC regulations.

And so forth. Continue reading Audit Frequency

Technology does not fix process

A number of people outside InfoSec have pointed this out to me and I thought I’d pass it along with a couple of observations.

The first is of course the (ISC)2‘s motto “Security Transcends Technology” and the second is Marcus Ranum‘s comment:

“If you think that technology can solve your problems then you
don’t understand technology and you don’t understand your

Continue reading Technology does not fix process