Should Auditors Be Liable For Certifications?
dasButcher writes "Enterprises and mid-size business rely on auditors and service providers to certify their systems as compliant with such security regs and standards as PCI-DSS or SOX. But, as Larry Walsh speculates, a lawsuit filed by a bank against an auditor/managed service provider could change that. The bank wants to hold the auditor liable for a breach at its credit card processor because the auditor certified the processor as PCI compliant. If the bank wins, it could change the standards and liabilities of auditors and service providers in the delivery of security services."
What will be interesting about this lawsuit is how the court assigns responsibility for a breach at a certified business. Audits, by their very nature, are point-in-time or snapshot checks. They cannot account for the dynamic variables of business and IT operations that may weaken security over the long haul.
If they win this lawsuit, they're setting a dangerous precedent - anyone who at any stage has certified a system as secure becomes responsible for its ongoing security, and can potentially be held liable for stupid user errors by users of that system.
Rampant carbon sequestration destroyed the Dinosaurs' tropical paradise. I'm here to help repair the damage.
Well, much as I like people to be held responsible for the quality of their work, I think it is a bit much to expect technology certification experts to be held responsible for the doofus who puts his username and password on a Post-it stuck to his monitor . . .
If an inspector inspects and then signs off on an elevator, and the elevator subsequently catastrophically fails due to some reason the inspector should have caught, the inspector can be held liable, unless they can show that their inspection was somehow tampered with. Like perhaps the safety interlocks were just for show and didn't have any real parts inside of them.
Auditors should be held to the same standard, and given the same rights to defend themselves.
I don't want to sound harsh, but considering people pay auditors to do a job, if the job isn't done right, they need to suffer the consequences.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
But there'll be an indemnity or escape clause in their contract with the processor.
Yay me!
All it will do, is make future certifications 10 times slower, more invasive and more expensive... This bank is shooting themselves in the foot because they will have to get themselves certified again in the future and will be expected to pay a hefty premium.
Besides, the auditor merely certifies that a particular defined system complies with a given spec at a point in time... They don't assert that the setup is secure, merely that it complies with the letter of the standard, and most of these standards are poorly written with loopholes big enough to drive a truck through.
Not to mention that there are ongoing changes, such as patching and updates to signature files etc. Do you need to recertify every time a minor change is made? A minor change could introduce vulnerabilities; for instance, a security update could introduce new features and bring with it new exploitable issues while it also fixes an older issue.
How widely do you define the scope? Ideally you would include absolutely everything associated with the system, so every workstation used for admin purposes, every inch of cabling etc. This would make the scope very large and costly to deal with.
And how about the age old question of human error? No matter how secure a system is, an error (or intentional attack) by the legitimate users could break things in all manner of ways.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Should the auditor be liable for mis-certification? Or for the (correctly) certified system not withstanding attacks?
I think people should try *very* hard to distinguish between the two scenarios:
1) An auditor certifies a system as XY-compliant as of [insert date here]. However, it can be demonstrated that the system was *not* XY-compliant at that date.
2) An auditor certifies a system as XY-compliant as of [insert date here]. However, at a later date, the system breaks for some reason. It can be proven that the system was XY-compliant, but for some reason (stupid user interaction?) is not anymore. Or, even better: it can be proven that the system *still* is XY-compliant, but the XY-standard is unfit to defend [insert attack here].
I think in case (1) the auditor should be held liable, since he obviously certified something that didn't meet the promised standards. However, in case (2), the auditor is not to blame. If the system breaks despite the certification, then it's not the auditor's fault -- it's how things work, and making a scapegoat out of the auditor is not going to do anybody any good. Even worse, if the system fails to meet standard XY because of a stupid user (or admin, for that matter) interaction *after* the certification, then there's no way an auditor could have prevented that -- it's either the user/admin's fault for interfering with a certified system, or the standard's fault for not defining what a user/admin is allowed to do with the system without interfering with its certified qualities.
Who will ever even attempt to certify this bank again? If the auditor made a mistake I can understand the bank, but if the problem was caused by a user, I can not see how the auditor is responsible...
The big banks really are intent on shooting themselves in the foot. If they hold the auditor liable for security breaches, nobody else will be willing to offer certification services for PCI-DSS. And considering that it's the banks who desperately want everyone to be PCI-DSS compliant (does anybody other than the banks get any benefit from it? Really?), that is particularly stupid.
It's hard enough achieving compliance as it is - whenever we get near to completing the questionnaire, they change all the questions!
"If they win this lawsuit, they're setting a dangerous precedent"
Audits are performed so the company can demonstrate due diligence should something go wrong. If the auditors themselves cannot show due diligence in their own actions, then they deserve to be hammered.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
From what I have heard and seen, auditors do a very lousy job. I very much hate the fact that they get a lot of money while they are generally not responsible for the quality of their work.
On the other hand, it is clear that auditors can not find all possible problems, therefore it doesn't make sense to make them responsible for all incidents. This just would not work.
IANAL, but as far as I recall there is the SCOTUS decision in Smoremberg vs. Entertaining Dance Clothing Corp. where the widow of a man sued a textile corporation because her husband accidentally strangled himself with the power cord of a power drill by slipping from a ladder while repairing the roof of his garage and wearing pink ballet shoes and a pink tutu.
The lawyers of the widow argued that the shoes were certified as "safe", but the company argued that this only referred to normal ballet dancing and not home repairs with power tools.
The very same argument could be applied here.
Are there certain parts of a standard that leave enough room for interpretation by the auditor to warrant a lawsuit if in hindsight this interpretation may be demonstrably flawed? Or, given all relevant information, will different auditors, following their auditing standards (damn, circular), reach the same conclusion?
Auditors check that the company has security policies, that it has proper procedures and that these have been followed in the past. There is obviously no guarantee that the employees in the company will continue to follow the security procedures just because they have done so in the past. Security breaches usually occur because someone failed to follow procedure.
Security standards and audits give the company assurance that they have reduced the chance of security breaches as much as possible. However, you can NEVER certify any system as "secure".
Audits usually control access and change procedures for systems and verify that there are controls and procedures that have been followed up to that point in time.
See http://en.wikipedia.org/wiki/IT_audit for more info.
After conducting an audit of a Merchant or a PSP (payment service provider), a QSA (qualified security assessor) issues a ROC (report on compliance with PCI-DSS) that is submitted to the issuers (VISA, Mastercard, Amex, JCB and Discover).
Then the issuers certify the auditee.
An individual can not be a QSA by himself; he has to work in an organization that is qualified as well. Among other things, a QSA organization has to provision a HUGE amount of cash in case it is found liable for having unduly declared an auditee compliant.
When a breach occurs, there is an investigation, and eventually it may be found that the ROC was not accurate at the time of the audit. In such a case the QSA organization and the QSA individual are in trouble.
BTW a certification is only for one year.
Now the case is not about PCI-DSS but "Cardholder Information Security Program" (CISP) and the breach happened in 2005.
Therefore I think the outcome would not have much impact on PCI program where liabilities are well defined.
The question is: does a certification have a value, or not?
Consider an example in a different area: accounting. At the end of the year, a public corporation must have its accounts certified by an auditor. The audit essentially states that the accounts are an accurate reflection of the company's financial state - that the accountants haven't "disappeared" a few million dollars into their private accounts, or whatever.
If the accounts turn out to be fraudulent, the auditors have failed - and it is entirely correct to sue them.
Back to IT certifications: if the audit missed something, then it is entirely appropriate to sue the auditors. If the security breach was not due to problems the auditors should have caught (inside job, violation of established procedures, etc.), then the auditors should not be liable.
Consider what happens if you do not hold the auditors liable: a very current example from the financial world. The ratings agencies said that derivatives based on sub-prime mortgages were top-quality, low risk investments. Screwing up a rating costs them nothing, so they gave in to political pressure and rated these derivatives too high. Had they been liable for the consequences of their ratings, they would have done a better job. At least, one would like to think so - sadly, there is no way to go back and test this hypothesis...
Enjoy life! This is not a dress rehearsal.
Interestingly, PCI-DSS does not itself appear to be sufficient to prevent a security breach in the first place; among other things, they mandate a set of principles which are pretty, but not a guarantee:
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
Yeah, if everything were to work out, and all virus threats were already covered by the antivirus software, and there were no such thing as zero-day exploits, it might stop a penetration. But not otherwise.
-- Terry
Seriously. What else are certificates good for? If it's just "drop some money so we send you a guy that hands you a cert", what does the certificate mean? I mean, besides "we had enough money to buy it"?
Certificates are worthless if they don't certify anything but having enough money to have an auditor squat at your company for a few days. And if auditors are not liable for the validity of a cert, that's basically all they really prove. Why else should the auditor really audit a company and not just hang out there and surf for porn for a few days so it seems he did his job?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Plaintiff: "Your Honor, we're suing defendant because they certified our credit card system as being PCI compliant, yet it was breached by hackers."
Judge to Defendant: "Is this true?"
Defendant: "Yes Your Honor, however being PCI compliant does not guarantee you will never be breached by hackers."
Judge: "Case dismissed!"
Who audits the auditors?
I am working in a large firm. Quite often new projects upon realisation require technical audits as well as "Life Cycle" audits for existing systems involved with billing etc. One point that needs to be clear: audits are not cheap! These guys are paid between 1500-2000 per man day. Presently this is done in essence without ANY liability as to the quality of their work. What needs to be established in this case is:
1. Technical audits provide a snapshot of a system "at a particular point in time" - did these holes exist at the time of the audit, or were there changes afterwards which could have affected the audit results?
2. Audit scope. This is really important! If the audit scope didn't include, for instance, the visibility of the systems from outside of the firewall, then the perspective of the auditors was limited and therefore the audit itself is not complete. I have seen companies, for instance, that are ISO 27001 certified... however... the audit scope was only for a particular part of the company. This enables the company to suggest 27001 certification when in fact it may not indeed be fully the case.
Most likely the outcome of such a case would be an increase in costs to cover liability (insurance or something of the like) on the part of the auditor. However, it may well also be an increase in the quality and transparency (clearer scope, limitations etc.) of technical audit work. Both of these are positive outcomes!
http://streetstyles.ch/ - Swiss Band & Fashion Tshirts
First off, an auditor can only confirm a PRESENT situation, not a future one. In other words, that they do the right thing when the auditor is "in da house" doesn't mean they'll do that when he/she has left.
Secondly, I'm rather averse to the whole money game, because this is where Andersen came unstuck. Creating liabilities ensures that only the big boys can play, and only the big players can afford an audit unless compelled by law. I much prefer a system where a certain volume of independent auditors exists because it makes collusion so much harder.
Thirdly, allowing any entity to quickly blame their auditors when things blow up means an escape route for management: spend less and plan to sue the auditor when it blows up. Very Much Not Good IMHO.
I audit IT Security for a living, and have just finished a Level 1 PCI-DSS study.
An audit does NOT "certify a system as secure". It certifies that certain features of the system are present and working. A computer system (or any other system, mechanical, electrical, human based, or what-have-you) may fail for a variety of reasons.
The features which are intended to prevent failure may break, or not work, or be irrelevant to the actual failure mode which occurs.
If a system fails, having had it audited may help to prove that you were doing all that was reasonable to protect against failure, but it does NOT mean that it will not fail.
The only reason for suing auditors would be if they did not provide the audit service that they claimed. If I audited a system as having an anti-virus package and it did not have one, I could be sued for failing to audit properly. You might find out that my audit was incompetent if, after I had certificated it, the system failed with a computer virus that the missing AV package should have picked up. But you cannot sue me for the impact that virus had. You can only sue me for not doing my work properly. I will NOT have claimed that the system was secure. I will have claimed that it was running X Anti-Virus, and if you can show it was not, you may claim the cost of the audit back. But you cannot then charge the cost of the clean-up to me....
I do security assessments for companies. Management needs to realize that simply being compliant isn't enough to be secure. Compliance is a good starting point, but you can't just say "Look, we're compliant with X standard." and pretend like nobody could ever hack in, or no user could ever screw up. There have been breaches where the company breached *was* PCI compliant. Being compliant doesn't mean what most people think it means.
That's all PCI is really: a bunch of pretty looking standards.
The upshot of all of those standards is that I now have a whole set of servers that I absolutely hate to work on.
Sounds like someone is looking for a scapegoat. No, the auditors should not be held liable for a standard they have no control over defining. That blame rests with the PCI Security Standards Council and the Federal government who define the contents of SOX. It is already well known that the standards for security set by PCI-DSS are laughable. There was a YouTube video about this from England, and I am sure there are other documents that confirm just how bad their standards are. The biggest problem with PCI-DSS is their firm belief that denial of the problems pointed out in that video works just as well as security by obscurity. So is this the name of the game now... sue people FOR following the standards, even when they have no control over them?
My karma is not a Chameleon.
As a 3rd party, auditors' remarks and certifications can give a representation inducing someone to wrongfully contract. There is an established principle in the tort of negligence that allows an injured claimant to sue a non-contractual 3rd party for this type of misstatement. We call this the Hedley Byrne principle (google it).
It's great, providing you can establish a duty via a special relationship of reliance.
It's bad for contracting parties, however, if you imply that all contracts should have this principle without the need for a special relationship of reliance, because principal parties (the other guy, not the certifying agent) cock up - and it's their fault. It should be their fault. How am I to control the actions of someone I *thought* was competent?
A Notary Public can be held responsible but an auditing firm isn't? I would have thought they already were held liable. If they're not, what a great job! Like a Notary Public that can stamp, validate and vouch for anything without cause for concern. It's probably because the Notary is people. The auditors are corporations. Corporations are just like people absent accountability or morals. Corporations are like Sociopaths. And as they're running the show, corporations are like Sociopaths in an Anarchy.
-[d]-
It will just raise the prices, since the auditors will have to take out insurance. Of course, what are banks to do? They hire someone to ensure they are compliant, then get screwed because they were compromised by something that is included in the compliance requirements!
Security is an imperfect world. I'm sure something will come up where a company was compliant but still got compromised and attempts to sue the auditor. Then again, I've met more than a few auditors that had no business being in the security business!
Very much in agreement.
I spent some time in IT audit for one of the Big 4, and it's always puzzled me that they can issue a draft audit point which, if challenged, is just taken away. If accepted, lots of monkeys have to run around at great expense clearing it. It seems a bit rich to me that there is no penalty on the auditor for this. Effectively they can just rain paper with little consequence, and at potentially huge cost to the client.
Having said that, these firms are partnerships, there is always a partner very close to the work being undertaken, and it's their ass and their money, and as a consequence the QA at these firms on their deliverables was exceptional in my experience.
But this is an issue, and I think that legal redress is desperately needed.
To illustrate this, I recall one audit I had to do. It was a follow-on from the previous year's IT audit a colleague had done for one of the two biggest banks in the country in question. One of the previous year's recommendations, signed off on by the business, was the need for Network Intrusion Detection to be put in place. This was actioned, and when I got there they had had an expert working day in, day out for months, with a huge budget for some very expensive network taps and headcount for monitoring. I reviewed the point, determined that they hadn't yet implemented the control as of that date, recommending that they proceed and introduce it within the coming year.
At the close-out meeting one of the commercial directors ate us alive. The original point should never have been accepted. The banking industry, at that time, hadn't settled on NIDS as a requirement and host-based should have been fine. Effectively our sloppy report made them piss millions up the wall for little reason.
Audit reports are clear documents, beautifully built, well evidenced. They always have work papers and test papers behind them. They are perfect candidates for further inspection in a court of law, and I have seen, first hand, instances where they have been harmful and inaccurate and should be subject to this scrutiny. If a process or test was missed off, it will show. Every time.
Yes, it's true that senior management at the bank signed off on the previous year's report, but this was in good faith that my firm knew what they were talking about. They didn't, and should have been liable. Why not? Currently they get out of jail if they're right, and they get out of jail if they're wrong. And don't even get me started on the conflicts of interest I saw!
You may not agree with what I say, but you should fight to the death to allow me to say it, by modding me up.
PCI in itself doesn't guarantee 100% safety.
It says so right on their common myths page;
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
Quote: "Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data."
It's a very good PDF to read. Now if the auditor said they were PCI compliant and there was something obvious he negligently overlooked, that would be another thing. But PCI does not mean you can not have a data breach. You can never be 100% protected from that. What if someone came in, put a gun to a privileged employee's head, and said give me all your data or he dies? Will PCI stop him?
You can call them "pretty looking standards", some others might call them "minimum security requirements based on a risk-based security management approach". There is no such thing as 100% secure, nor is security some goal that when achieved it can be forgotten. Security measures try to improve security to a reasonable level using available resources to minimize risks. It's a process, that in order to remain effective has to evolve and continuously re-evaluate itself.
PCI SSC, aka the card brands, have several controls in place to make sure the auditors do their job properly and ethically:
- Audits can only be performed by organizations that have the QSAP status
- Audits can only be performed by trained and certified QSAs, who have to recertify annually
- Submitted PCI on-site audit reports (RoC) are scored by the SSC, anything less than a near-perfect score can lead to warnings or loss of certification status
- In case a PCI certified entity is breached, the SSC will conduct a forensic investigation. If the certified entity is found to be non-compliant and the QSA has failed to fully validate its compliance, the QSA can also face penalties.
I've heard many stories about QSAs giving out certifications on false grounds, or even fraudulently. Hopefully these will be taken care of to retain the credibility of the QSAs and the PCI.
I am an IT auditor working for a company that you would call if you wanted to be certified.
Certification means that there is a work (audit) programme that states control objectives. The auditor follows this programme very closely and then, if the issues are within some zone of tolerance (which may be zero as well), the auditor writes a statement that company XYZ is compliant with this and that.
What it does NOT mean is:
a) that a certified company will follow its practice after certification (they may just have put on a convincing show).
b) that there are no other issues with the company that are outside of the work programme.
c) that the sysadmin will be diligent in future in applying timely patches.
A PCI-DSS compliance says "There are no critical issues on the surface". That's it.
Lone Gunmen crew.
I'm surprised nobody mentioned this yet: adherence to PCI-DSS does not necessarily guarantee that your system cannot be cracked or broken into. PCI-DSS provides a set of guidelines - created by the banks and cc companies themselves - which must be met in order to be considered safe enough to be allowed to process transactions. Now, if the auditor was negligent or deceptive in certifying the system as compliant, this seems like a no-brainer lawsuit. However, it is entirely possible that the system *was* compliant, but got cracked anyway.
----
Not to be confused with Col.
The auditor did not certify them as secure. They certified them as PCI-DSS compliant. That just means that they are somewhat hard to penetrate. A certain limit on time, expertise, and tools is in the standard. Any criminal who spends more time, money, and expertise to successfully penetrate them is OK by the PCI-DSS standard. The standard actually explicitly says this stuff. PCI-DSS is just setting a bar, hopefully one high enough that common criminals cannot easily or quickly beat it. But organized crime (Mafia, Russian Mafia) can afford to buy the expertise, spend the time and money. Or a common criminal (script kiddie, haxor boy) can spend enough time and defeat it as well.
I know. I designed a PCI-DSS compliant system which was certified.
So, no matter what the bank says, if the other guys were actually PCI-DSS compliant, the bank loses the court case. Unless, of course, they buy better legal representation. Since the court system is biased towards the rich and mighty, who can afford better legal representation.
And any case can be won by a good enough lawyer.
For example, a lawyer won that a board fell off a store shelf and took away the complainant's psychic powers.
wake up and hold your nose
I have just gone through a PCI audit to get my company certified PCI level 1.
It may be the auditor's job to thoroughly go through your systems, but it is also up to you to honestly provide the answers to his questions. He will of course verify your answers.
Then it is the security admin's job to ensure that the network or data is secure.
Just because you have passed an audit or got the latest doohickey to monitor your network, it is still up to you to review the logs and to ensure on a daily basis that YOU were doing your job.
I think this is a case of someone trying to save their job.
I take my car to PepBoys for a yearly inspection in January. If my brakes go bad in February and my rotors are worn, that's PepBoys fault and they fix it.
-- I was raised on the command line, bitch
Just because you are compliant with some regulation does not mean that your system cannot be breached. That would be absurd to believe. Sure PCI is a regulation affirming that the system is secure, but secure is defined by their set of regulations. You cannot protect against everything. I think it's a joke to hold the auditor responsible, unless like some others have stated, that it is possible to prove that the job done was insufficient.
...in an automatic failing score from that point onwards. There will cease to exist the possibility of achieving a passing grade on any systems security audit anymore. If the bank wins this lawsuit, then the only thing that such audits will achieve from that point forward is reports showing varying degrees of security failure and risks.
And perhaps that's the way it should be anyway, because in truth there is no such thing as a secure system that involves information technology and humans.
I guess an auditor who does not specify exactly the "scope, assumptions and disclaimers" of his certification is not worth his title in the first place. Professionally speaking: if you are auditing "the bridge" as in the examples mentioned, you would have either a) clearly stated that the quality of steel used is not in scope, OR, better still, b) taken a random sample from a non-critical segment and tested it in a lab, or something to that effect. In any way taken, it's a very risky business, because even if you state your "disclaimers" in the contract, and something does happen, you are still exposed on an ethical or reputation level, because not everybody will have read your contract - and what the relevant public would still say is that XYZ audited and certified a bridge that fell.
If they are not liable for their mistakes in certifying, then what value is there in their approvals?
Sure, if you lie to them it's your fraud and it's not their fault, but if they make the mistake...
---- Booth was a patriot ----
Even if the auditor had done his job (not really clear from the articles), that to me would not demonstrate that the customer data was safe.
Links:
Congress is not happy, either.
PCI DSS Validation Standards
PCI DSS audit procedures
So much for my lunch break.
Audit work has been about 20% of my workload over the last few years. Auditing isn't about having the perfect environment (which I've never yet seen), it's about being able to say "I have conducted business in a good faith manner following industry best practices" - and that is what allows you to win in court. When management brings you in for an audit they are expecting someone to find these kinds of problems and point them out. They need someone who is /not/ a staff member, has no stake in things, no political ax to grind, to come in and verify that things really are OK. I've seen environments like the client I'm with now that went years without an outside auditor before I came in, and these are typically the ones that you hear about on the news for massive breaches.
Auditing is about trust and the reassurance that your systems are running under industry best practices and do not have undocumented security risks. Often times it takes an outside auditor's report to get through red tape so that budget /can/ be allocated. Management (and it's not uncommon for audits to be paid for outside of IT's budget) needs to have something that they can trust and that they can use to have a legally defensible position. The auditor's job is to find holes, identify problems, explicitly identify risk, review personnel and so on, and then document it. That being said, the auditor always runs the risk of being asked to fix what they find, so the auditor needs to be realistic in their work.
Insurance policies, industry certifications, millions in losses and public goodwill all ride on these reports. Some auditors are afraid of writing a critical report as they fear they will personally be poorly reviewed by the client if they do, or they do not want to risk offending the client and losing repeat business. This is where lawsuits come in, so that the integrity of the audit is placed before fear of losing repeat business. That being said, writing reports that tell a client they don't know jack and have to redo everything and that they should hire some additional personnel, without offending anyone, is an art form in its own right.
Damn, Wikipedia sucks balls.
Some moron gets it into his head that the Tacoma Narrows bridge failed due to 'aeroelastic flutter' not resonance. The definition of 'aeroelastic flutter' begins with the description:
Emphasis mine
In any case the bridge was visibly in resonance, torquing in its second harmonic. WTF do you think 'natural vibration' means?
The editor of the Wiki article goes to great lengths to prove he doesn't really know what resonance means. He quotes some prof's point that there wasn't resonance between the vortex shedding and the natural frequency (something started it torquing). Completely missing the point that flutter is still resonance.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
It seems to make sense that this should be treated like most other audits. If the auditor failed to notice a problem that it would be reasonable to assume a professional would get right, then he should be accountable. But this brings the same problem we have with IT patents: how do we fix our legal system so that the authorities are qualified to weed out the BS in complicated technical matters?
I'm starting to think we need a separate court system just to handle technology-related cases. One in which it is reasonable to say "If you can't explain DNS", then you're not qualified. But that's just a thought...
Being PCI compliant does not make you invulnerable, it just means that you meet PCI standards. PCI-compliant organizations get compromised on a regular basis. The auditor isn't auditing to say "this organization is secure". They are auditing to say "this organization met the requirements of PCI standards compliance at the time the audit was conducted". That's a HUGE difference, and the point where liability effectively is shifted back from the auditor to the auditee.
What a relief that Obama is about three times as intelligent as George Bush. And, about four times as intelligent as the poster child above. Where Bush promised a crusade, Obama salaam'd Islam. Winning hearts and souls - the right way. Now, it's time for the parent poster to bite a big salaami ...
Arthur Anderson. Enron.
Do not mock my vision of impractical footwear
Being certified compliant with the PCI standards does not ensure that your networks and systems will never be compromised. Data security is not about ticking off items from a checklist. Security is a process of managing your risks and minimizing your losses. Stricter compliance with the PCI requirements may reduce your risk, but certainly won't eliminate it.
The recent massive data breach at Heartland Payment Systems is a case in point. HPA was certified PCI compliant before the breach was discovered. In this case, the attack involved custom malware designed to capture data.
That being said, there has been a wide variation in the quality of QSAs. The PCI Security Standards Council is trying to improve accuracy and reliability among QSAs. They are going to be held responsible for much more detailed analysis of network infrastructure. Even for small networks, a manual assessment of the network device configurations will never be sufficient to ensure that the PCI in-scope network is secure and controlled. We can expect to see QSAs increasingly relying on network configuration analysis tools such as Athena Security's FirePAC and Verify to ensure completeness and accuracy in their assessments.
First off, an audit report is for the benefit of the shareholders, not the management. Management prepares the accounts, and the auditor signs them off as representing a true and fair view of the financial position of the company. This gives the shareholders some confidence that the figures aren't just totally made up.
Secondly, it is management's responsibility to manage the company. Not the auditor's. It is up to management to put everything in place that needs to be put in place, and ensure that everything is working correctly. This is what it means to be a manager. The auditor merely counts the beans and ticks the boxes.
Thirdly, auditors do not owe a duty of care to the company. When performing an audit, they should conduct their work neither to expect malfeasance, nor neglect it as a possibility. However, if they have reason to believe that there is malfeasance, then it is their duty to perform a proper investigation.
Fourthly, auditors usually write a report to management explaining where their accounting procedures could be improved. Management often dismisses such recommendations. Imagine, then, the scenario where the auditor has to be accountable for what essentially boils down to the actions of the management. They'd presumably write book-length reports on what needs to be done. If anything were to then subsequently go wrong, you'd have lawyers poring over these reports with fine-tooth combs. The auditors' lawyers will be asking management "did you implement this recommendation?", "did you implement that recommendation?", "how about this one over here?". "No? Oh sorry, we can't be held responsible when we've clearly laid out the defects, and you refused to correct them."
No. The way it was vibrating was the _shape_ of the second torsional mode (not harmonic), but not the _frequency_ of the second torsional mode of the bridge. In case of resonance, you would see both the shape and the frequency of the mode in question.
PCI covers more than just servers ---- it covers physical security, staff identification, physical access to paperwork, disposal, data retention, lots of corporate policies.......
Was the bank's security breached through exactly one of those things?
When the breach happened, did they strictly follow the procedure precisely as it was certified?
If something changed:
- New (non-secure) components have been added to the system and those were the entry points.
- New bugs, new security holes or other issues have been discovered that weren't known at the time of certification.
Then it is NOT the fault of the auditors who gave the certification.
If nothing had changed:
- The bank strictly kept everything exactly as certified. But nonetheless one of the supposedly "certified secure" elements got broken through, because it wasn't actually secure in the first place and got overlooked by the certification.
Then it IS the fault of the auditors who gave the certification.
Indeed the world of security is complex and you can't certify that something will be universally secure against any possible threat current or future.
BUT if you give an XYZ certification, the system should be secure against any threat taken into account by XYZ at the time of certification.
To give a concrete example:
physical access to paperwork, disposal
For example, if at the time of certification PCI required that paperwork be burned by the company's own trusted employee, but the bank nonetheless regularly had some of the critical papers finish in the paper-recycling bin, it's the auditor's fault. They gave certification even though the bank didn't follow proper procedures.
But if the bank had recently switched to using a shredder (a non-certified model), or if the physical access to the paperwork is protected inside a vault whose mechanism is discovered to be flawed since the last certification project, it's not the auditor's fault. They gave certifications according to some set of rules. If the bank subsequently fucks up, or if new data has arrived in between, it's not the auditor's fault.
That's also why auditing should be done on a regular basis.
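The point-in-time argument made in this comment and in the earlier "met the requirements at the time the audit was conducted" comment can be turned into a small triage routine: given what the attestation actually covered and when, and what changed between the attestation date and the breach, classify where responsibility for the failed control plausibly sits. The code below is an added illustration, not anything from the thread, the PCI SSC, or any real auditor; the control identifiers, dates and scenarios are constructed to mirror the paperwork/shredder/vault examples above, and the four outcome labels are my own, not PCI terminology.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Attestation:
    """What the assessor examined and when (constructed example)."""
    standard: str
    certified_on: date
    controls: frozenset          # control ids found in place on that date

@dataclass(frozen=True)
class Change:
    """A post-attestation event affecting one control (constructed example)."""
    when: date
    control: str
    kind: str                    # "modified" | "added" | "flaw_discovered"

@dataclass(frozen=True)
class Breach:
    discovered_on: date
    failed_control: str          # root-cause control from the incident review

def classify(att: Attestation, changes: list, breach: Breach) -> str:
    """Return one of four constructed outcome labels.

    out_of_scope              - the failed control was never attested
    new_threat_after_attest   - a flaw in the control became known later
    changed_after_attest      - the organisation altered the control later
    attested_control_failed   - unchanged, in scope, still failed: the case
                                the comment assigns to the assessor
    """
    if breach.failed_control not in att.controls:
        return "out_of_scope"
    # Only events between attestation and breach discovery are relevant.
    later = [c for c in changes
             if c.control == breach.failed_control
             and att.certified_on < c.when <= breach.discovered_on]
    if any(c.kind == "flaw_discovered" for c in later):
        return "new_threat_after_attest"
    if later:
        return "changed_after_attest"
    return "attested_control_failed"

# Constructed attestation: control ids are illustrative, not real PCI numbers.
ATT = Attestation(
    standard="PCI-DSS (illustrative)",
    certified_on=date(2008, 4, 30),
    controls=frozenset({"paper-disposal", "paper-vault", "cardholder-db"}),
)

# Constructed change log covering the comment's scenarios.
CHANGES = [
    Change(date(2008, 9, 1), "paper-disposal", "modified"),        # shredder swap
    Change(date(2008, 11, 15), "paper-vault", "flaw_discovered"),  # vault mechanism flaw
    Change(date(2008, 10, 3), "web-portal", "added"),              # new component
]

def scenarios() -> dict:
    """Run the comment's four cases through classify() and return the labels."""
    found = date(2009, 1, 20)
    return {
        # papers in recycling bin while disposal control was unchanged: the
        # comment says this is the assessor's miss, but only if the log shows
        # no change; with the shredder swap logged, it is a later change.
        "shredder_swap":   classify(ATT, CHANGES, Breach(found, "paper-disposal")),
        "vault_flaw":      classify(ATT, CHANGES, Breach(found, "paper-vault")),
        "new_component":   classify(ATT, CHANGES, Breach(found, "web-portal")),
        "db_unchanged":    classify(ATT, CHANGES, Breach(found, "cardholder-db")),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:15s} -> {verdict}")
```

The useful part for a defender is not the labels but what the function needs as input: a dated, control-level scope statement and a change log that ties every modification and newly learned weakness to a specific attested control. Without those two records, the "did anything change since the audit?" question in the comment cannot be answered after the fact, whichever way a court eventually assigns liability.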
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
It was in the second frequency.
Bridges don't vibrate at other than their natural frequencies any more than guitar strings do. (That is to say they do, but the energy dissipates quickly.)
As to the claimed natural frequency of the second torsional harmonic I'll say citation needed. Who am I going to believe, you or my lying eyes?