Should Auditors Be Liable For Certifications?
dasButcher writes "Enterprises and mid-size business rely on auditors and service providers to certify their systems as compliant with such security regs and standards as PCI-DSS or SOX. But, as Larry Walsh speculates, a lawsuit filed by a bank against an auditor/managed service provider could change that. The bank wants to hold the auditor liable for a breach at its credit card processor because the auditor certified the processor as PCI compliant. If the bank wins, it could change the standards and liabilities of auditors and service providers in the delivery of security services."
If an inspector inspects and then signs off on an elevator, and the elevator subsequently catastrophically fails due to some reason the inspector should have caught, the inspector can be held liable, unless they can show that their inspection was somehow tampered with. Like perhaps the safety interlocks were just for show and didn't have any real parts inside of them.
Auditors should be held to the same standard, and given the same rights to defend themselves.
I don't want to sound harsh, but considering people pay auditors to do a job, if the job isn't done right, they need to suffer the consequences.
Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
How so? The principle seems clear enough that any audit, in any industry, is only a snapshot; why would you think a court would change that principle in this case?
The article indicates that the system wasn't CISP compliant at the time of the breach, but presumably Merrick can only prevail if they can show that the non-compliance that allowed the breach was also in place at the time of the audit. Do you think otherwise? If so, what leads you to the conclusion that the sky is about to fall?
If you were blocking sigs, you wouldn't have to read this.
After conducting an audit of a merchant or a PSP (payment service provider), a QSA (qualified security assessor) issues a ROC (report on compliance with PCI-DSS) that is submitted to the issuers (VISA, Mastercard, Amex, JCB and Discover).
Then the issuers certify the auditee.
An individual cannot be a QSA by themselves; they have to work in an organization that is qualified as well. Among other things, a QSA organization has to provision a HUGE amount of cash in case it is found liable for having unduly declared an auditee compliant.
When a breach occurs, there is an investigation, and eventually it may be found that the ROC was not accurate at the time of the audit; in such a case the QSA organization and the QSA individual are in trouble.
BTW a certification is only for one year.
Now the case is not about PCI-DSS but "Cardholder Information Security Program" (CISP) and the breach happened in 2005.
Therefore I think the outcome would not have much impact on PCI program where liabilities are well defined.
It's up to the individual states, but most states have them. Here in Virginia, I have to get my car safety inspected once a year (and carry an inspection sticker on my windshield) and emissions tested once every two years (or they won't let me renew the car's registration).
Quote from the linked page:
"In the case of the Tacoma Narrows Bridge, there was no resonance."
That bridge came down due to a profoundly nonlinear positive feedback effect (the deformation caused by the wind increased the area of attack, which led to more deformation, etc.), not due to the bridge resonating.
I am working in a large firm. Quite often new projects upon realisation require technical audits, as well as "Life Cycle" audits for existing systems involved with billing etc. One point that needs to be clear: audits are not cheap! These guys are paid between 1500-2000 per man-day. Presently this is done in essence without ANY liability as to the quality of their work. What needs to be established in this case is:

1. Technical audits provide a snapshot of a system "at a particular point in time". Did these holes exist at the time of the audit, or were there changes afterwards which could have affected the audit results?

2. Audit scope. This is really important! If the audit scope didn't include, for instance, the visibility of the systems from outside of the firewall, then the perspective of the auditors was limited and therefore the audit itself is not complete. I have seen companies, for instance, that are ISO 27001 certified... however... the audit scope was only for a particular part of the company. This enables the company to suggest 27001 certification when in fact it may not indeed be fully the case.

Most likely the outcome of such a case would be an increase in costs to cover liability (insurance or something of the like) on the part of the auditor. However, it may well also be an increase in the quality and transparency (clearer scope, limitations etc.) of technical audit work. Both of these are positive outcomes!
Except that those two specific conditions, and in theory how to prevent them, are well known.
The unknown bugs software has are new cases entirely that cannot be examined a priori like a bridge's aerodynamics can.
PCI compliance is mostly about network security and infrastructure, such as ensuring networks that service secured endpoints are isolated from networks that aren't. The auditor is really only there to attempt to mitigate and isolate known security issues that most shops don't bother to take too seriously. By starting this buck-passing, all you are really doing is starting a new age of insurance that you will need to take out to cover the possible fraud that can take place, rather than working with the banks to just keep it to a minimum and deal with the one-offs. I do believe that if an auditor checks out a network / system and approves a network / protocol that is insecure by their own standards, then of course it is the fault of the auditor and the responsibility of the auditor's company to clean up the mess. As many are alluding to, as far as OS exploits and the like go, no one is really able to prevent or anticipate all these possibilities, and those are just the "breaks".
As I said before, looking for a fall guy (especially when both parties are financially powerful) will never resolve anything, rather than finding a way to screw the business running the system that was audited. This will likely be too much of a liability for many to handle and will rather come out of your pocket in other ways. If you think any financial type business will actually take responsibility on paper or otherwise for anything, then you are way too new to this game to be making decisions like this.
A loop, by its nature, continues. If that didn't make sense, start reading this sentence again.
I am an IT auditor working for a company that you would call if you wanted to be certified.
Certification means that there is a work (audit) programme that states control objectives. The auditor follows this programme very closely and then, if the issues are within some zone of tolerance (which may be zero as well), the auditor writes a statement that company XYZ is compliant with this and that.
What it does NOT mean is:
a) that a certified company will follow its practice after certification (they may just have put on a convincing show);
b) that there are no other issues with the company that are outside of the work programme;
c) that the sysadmin will be diligent in future to apply timely patches.
A PCI-DSS compliance says "There are no critical issues on the surface". That's it.
Lone Gunmen crew.
Exactly. This is a very important distinction that some people fail to grasp.
An auditor basically compares a situation against a checklist of auditable issues. He's NOT there to find your security vulnerabilities and tell you to fix them. He's there to tell you that you do or don't respect requirement XYZ. If an issue isn't covered by the standard's requirements, well, what can he do? He can always make a formal observation, but that's beyond the scope of his responsibilities.
Standards such as PCI, SOX, NERC CIPs etc. aren't designed to protect you against all known threats, they are designed around the general, most common, most problematic security issues. A company can pass an audit and still be very insecure.
Damn Wikipedia sucks balls.
Some moron gets it into his head that the Tacoma Narrows bridge failed due to 'aeroelastic flutter' not resonance. The definition of 'aeroelastic flutter' begins with the description:
Emphasis mine
In any case, the bridge was visibly in resonance, torquing in its second harmonic. WTF do you think 'natural vibration' means?
The editor of the Wiki article goes to great lengths to prove he doesn't really know what resonance means. He quotes some prof's point that there wasn't resonance between the vortex shedding and the natural frequency (something started it torquing), completely missing the point that flutter is still resonance.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'