Should Auditors Be Liable For Certifications?
dasButcher writes "Enterprises and mid-size business rely on auditors and service providers to certify their systems as compliant with such security regs and standards as PCI-DSS or SOX. But, as Larry Walsh speculates, a lawsuit filed by a bank against an auditor/managed service provider could change that. The bank wants to hold the auditor liable for a breach at its credit card processor because the auditor certified the processor as PCI compliant. If the bank wins, it could change the standards and liabilities of auditors and service providers in the delivery of security services."
If an inspector inspects and then signs off on an elevator, and the elevator subsequently catastrophically fails due to some reason the inspector should have caught, the inspector can be held liable, unless they can show that their inspection was somehow tampered with. Like perhaps the safety interlocks were just for show and didn't have any real parts inside of them.
Auditors should be held to the same standard, and given the same rights to defend themselves.
I don't want to sound harsh, but considering people pay auditors to do a job, if the job isn't done right, they need to suffer the consequences.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
How so? The principle seems clear enough that any audit, in any industry, is only a snapshot; why would you think a court would change that principle in this case?
The article indicates that the system wasn't CISP compliant at the time of the breach, but presumably Merrick can only prevail if they can show that the non-compliance that allowed the breach was also in place at the time of the audit. Do you think otherwise? If so, what leads you to the conclusion that the sky is about to fall?
If you were blocking sigs, you wouldn't have to read this.
After conducting an audit of a Merchant or a PSP (payment service provider), a QSA (qualified security assessor) issues a ROC (report on compliance to PCI-DSS) that is submitted to the issuers (VISA, Mastercard, Amex, JCB and Discover).
Then the issuers certify the auditee.
An individual cannot be a QSA by themselves; they have to work in an organization that is qualified as well. Among other things a QSA organization has to provision a HUGE amount of cash in case it is found liable for having unduly declared an auditee compliant.
When a breach occurs, there is an investigation, and eventually it may be found that the ROC was not accurate at the time of the audit; in such a case the QSA organization and the QSA individual are in trouble.
BTW a certification is only for one year.
Now the case is not about PCI-DSS but "Cardholder Information Security Program" (CISP) and the breach happened in 2005.
Therefore I think the outcome would not have much impact on PCI program where liabilities are well defined.
It's up to the individual states, but most states have them. Here in Virginia, I have to get my car safety inspected once a year (and carry an inspection sticker on my windshield) and emissions tested once every two years (or they won't let me renew the car's registration).
Quote from the linked page:
"In the case of the Tacoma Narrows Bridge, there was no resonance."
That bridge came down due to a profoundly nonlinear positive feedback effect (the deformation caused by the wind increased the area of attack, which led to more deformation, etc.), not due to the bridge resonating.
I am working in a large firm. Quite often new projects upon realisation require technical audits as well as "Life Cycle" audits for existing systems involved with billing etc. One point that needs to be clear: audits are not cheap! These guys are paid between 1500-2000 per man day. Presently this is done in essence without ANY liability as to the quality of their work. What needs to be established in this case is:
1. Technical audits provide a snapshot of a system "at a particular point in time". Did these holes exist at the time of the audit, or were there changes afterwards which could have affected the audit results?
2. Audit scope. This is really important! If the audit scope didn't include, for instance, the visibility of the systems from outside of the firewall, then the perspective of the auditors was limited and therefore the audit itself is not complete. I have seen companies, for instance, that are ISO 27001 certified... however... the audit scope was only for a particular part of the company. This enables the company to suggest 27001 certification when in fact it may not indeed be fully the case.
Most likely the outcome of such a case would be an increase in costs to cover liability (insurance or something of the like) on the part of the auditor. However, it may well also be an increase in the quality and transparency (clearer scope, limitations etc.) of technical audit work. Both of these are positive outcomes!
http://streetstyles.ch/ - Swiss Band & Fashion Tshirts
"Audits, by their very nature, are point-in-time or snapshot checks."
8 years military service here. Security was 24/7 plus when I was in uniform. There was no "snapshot" of security, because everyone was trained from day one to understand that a moment in time is meaningless.
I have always laughed at the concept of "security" in most of the civilian world. Seldom have I been in any civil institution where real security measures were in place, and enforced - be that physical or electronic. Oh, there ARE places that are secure, but most banks are a sad, sad joke when it comes to security.
Security providers especially should be liable. They have a contract to provide security, they can't come around every few weeks and check on how things are going.
An auditor has less responsibility than a provider, but even so, he should realize that a "snapshot" is only a fleeting moment in time. If he doesn't understand that he needs to spend DAYS on site to understand not only how things are SUPPOSED to work, but how they DO work, then he isn't competent to pass himself off as a security auditor.
To be perfectly honest, it all comes back to the management, though. There are precious few managers who will part with the money necessary to hire competent security, or to enforce strict compliance with real security measures. Again, that is true of physical security, AND electronic security. The day that someone such as a bank manager pulls his head out of his arse, and realizes that security is costly, the day that he PAYS FOR competent security personnel, THEN his bank will become secure.
It's a good thing to begin to hold these auditors and providers accountable. At least 90% of them are lax, and at least 70% of them are incompetent. A little liability will teach them to learn their jobs, then to perform their jobs properly. It will cost, but everyone will benefit, in the end.
Well, everyone will benefit except those who are exploiting the present lack of security.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
I audit IT Security for a living, and have just finished a Level 1 PCI-DSS study.
An audit does NOT "certify a system as secure". It certifies that certain features of the system are present and working. A computer system (or any other system, mechanical, electrical, human based, or what-have-you) may fail for a variety of reasons.
The features which are intended to prevent failure may break, or not work, or be irrelevant to the actual failure mode which occurs.
If a system fails, having had it audited may help to prove that you were doing all that was reasonable to protect against failure, but it does NOT mean that it will not fail.
The only reason for suing auditors would be if they did not provide the audit service that they claimed. If I audited a system as having an anti-virus package and it did not have one, I could be sued for failing to audit properly. You might find out that my audit was incompetent if, after I had certified it, the system failed with a computer virus that the missing AV package should have picked up. But you cannot sue me for the impact that virus had. You can only sue me for not doing my work properly. I will NOT have claimed that the system was secure. I will have claimed that it was running X Anti-Virus, and if you can show it was not, you may claim the cost of the audit back. But you cannot then charge the cost of the clean-up to me....
Except those two specific conditions, and in theory (how to prevent them) are well-known.
The unknown bugs software has are new cases entirely that cannot be examined a priori like a bridge's aerodynamics can.
PCI compliance is mostly about network security and infrastructure, such as ensuring networks that service secured endpoints are isolated from networks that aren't. The auditor is really only there to attempt to mitigate and isolate known security issues that most shops don't bother to take too seriously. By starting this buck passing all you are really doing is starting a new age of insurance that you will need to take out to cover the possible fraud that can take place, rather than working with the banks to just keep it to a minimum and deal with the one-offs. I do believe that if an auditor checks out a network / system and approves a network / protocol that is insecure by their own standards then of course it is the fault of the auditor and the responsibility of the auditor's company to clean up the mess. As many are alluding to, as far as OS exploits and the like, no one is really able to prevent or anticipate all these possibilities and those are just the "breaks".
As I said before, looking for a fall guy (especially when both parties are financially powerful) will never resolve anything, other than finding a way to screw the business running the system that was audited. This will likely be too much of a liability for many to handle and will rather come out of your pocket in other ways. If you think any financial type business will actually take responsibility on paper or otherwise for anything then you are way too new to this game to be making decisions like this.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
I am an IT auditor working for a company that you would call if you wanted to be certified.
Certification means that there is a work (audit) programme that states control objectives. The auditor follows this programme very closely and then, if the issues are within some zone of tolerance (which may be zero as well), the auditor writes a statement that company XYZ is compliant with this and that.
What it does NOT mean is:
a) that a certified company will follow its practice after certification (they may just have put on a convincing show)
b) that there are no other issues with the company that are outside of the work programme
c) that the sysadmin will be diligent in future to apply timely patches
A PCI-DSS compliance says "There are no critical issues on the surface". That's it.
Lone Gunmen crew.
Exactly. This is a very important distinction that some people fail to grasp.
An auditor basically compares a situation vs a checklist of auditable issues. He's NOT there to find your security vulnerabilities and tell you to fix them. He's there to tell you that you do or don't respect requirement XYZ. If an issue isn't covered by the standard's requirements, well, what can he do? He can always make a formal observation, but that's beyond the scope of his responsibilities.
Standards such as PCI, SOX, NERC CIPs etc. aren't designed to protect you against all known threats, they are designed around the general, most common, most problematic security issues. A company can pass an audit and still be very insecure.
Damn Wikipedia sucks balls.
Some moron gets it into his head that the Tacoma Narrows bridge failed due to 'aeroelastic flutter' not resonance. The definition of 'aeroelastic flutter' begins with the description:
Emphasis mine
In any case the bridge was visibly in resonance, torquing in its second harmonic. WTF do you think 'natural vibration' means?
The editor of the Wiki article goes to great lengths to prove he doesn't really know what resonance means. He quotes some prof's point that there wasn't resonance between the vortex shedding and the natural frequency (something started it torquing), completely missing the point that flutter is still resonance.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'