Slashdot Mirror


Should Auditors Be Liable For Certifications?

dasButcher writes "Enterprises and mid-size businesses rely on auditors and service providers to certify their systems as compliant with such security regs and standards as PCI-DSS or SOX. But, as Larry Walsh speculates, a lawsuit filed by a bank against an auditor/managed service provider could change that. The bank wants to hold the auditor liable for a breach at its credit card processor because the auditor certified the processor as PCI compliant. If the bank wins, it could change the standards and liabilities of auditors and service providers in the delivery of security services."

7 of 209 comments

  1. Kind of. by Renraku · Score: 4, Informative

    If an inspector inspects and then signs off on an elevator, and the elevator subsequently catastrophically fails due to some reason the inspector should have caught, the inspector can be held liable, unless they can show that their inspection was somehow tampered with. Like perhaps the safety interlocks were just for show and didn't have any real parts inside of them.

    Auditors should be held to the same standard, and given the same rights to defend themselves.

    I don't want to sound harsh, but considering people pay auditors to do a job, if the job isn't done right, they need to suffer the consequences.

    --
    Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
    1. Re:Kind of. by Tom · Score: 4, Informative

      The problem is that auditors only check something at that point in time. They can't check that things are correct on an ongoing basis and they can't help it if what they're checking against isn't foolproof.

      The elevator guy has the same problem and yet it works in real life.

      That is because in any real life situation, tests are indeed done repeatedly, such as every quarter, every month - or if they are really important, every day or every event. No plane in the western world takes off without the pilot and co-pilot having run through a standardized checklist first.

      "But things can change" is a pretty bad excuse. Like the elevator (where wear and tear change the physics constantly), your system has to be resilient enough to withstand normal changes (e.g. wear and tear, different weights, etc.) at least until the next check. Unauthorized changes have to be hard to make unintentionally (that's why there's no "cut the cable" button inside the elevator).

      It really isn't that hard. It works in thousands of areas, many of which are non-trivial and technically complex (e.g. airplanes). But for some reason, we think it's impossible to do it in auditing and software?

      --
      Assorted stuff I do sometimes: Lemuria.org
  2. Re:Oh, this sounds like a good idea... by Rogerborg · Score: 4, Informative

    "If they win this lawsuit, they're setting a dangerous precedent"

    How so? The principle seems clear enough that any audit, in any industry, is only a snapshot; why would you think a court would change that principle in this case?

    The article indicates that the system wasn't CISP compliant at the time of the breach, but presumably Merrick can only prevail if they can show that the non-compliance that allowed the breach was also in place at the time of the audit. Do you think otherwise? If so, what leads you to the conclusion that the sky is about to fall?

    --
    If you were blocking sigs, you wouldn't have to read this.
  3. In PCI the auditor does not certify by hugetoon · Score: 5, Informative

    After conducting an audit of a merchant or a PSP (payment service provider), a QSA (qualified security assessor) issues a ROC (report on compliance to PCI-DSS) that is submitted to the issuers (VISA, Mastercard, Amex, JCB and Discover).

    Then the issuers certify the auditee.

    An individual cannot be a QSA by themselves; they have to work in an organization that is qualified as well. Among other things, a QSA organization has to provision a HUGE amount of cash in case it is found liable for having unduly declared an auditee compliant.

    When a breach occurs, there is an investigation, and if it is found that the ROC was not accurate at the time of the audit, the QSA organization and the QSA individual are in trouble.

    BTW a certification is only for one year.

    Now the case is not about PCI-DSS but the "Cardholder Information Security Program" (CISP), and the breach happened in 2005.
    Therefore I think the outcome would not have much impact on the PCI program, where liabilities are well defined.

    1. Re:In PCI the auditor does not certify by hemp · Score: 3, Informative

      CISP applied to Visa only. At the time, each payment card was instituting a separate security program. Due to feedback from merchants, all of the programs were rolled into PCI.

      PCI is very similar to the original Visa CISP program.

      The standard can be found here in case anyone is wondering what all is involved in a PCI audit:
      https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml/

      --
      Skip ------ See the latest from http://www.anArchyFortWorth.com
  4. Re:Oh, this sounds like a good idea... by Ihlosi · Score: 3, Informative

    "how do you guarantee that the wind doesn't induce fatal vibrations matching the resonant frequency of the bridge."

    Quote from the linked page:

    "In the case of the Tacoma Narrows Bridge, there was no resonance."

    That bridge came down due to a profoundly nonlinear positive feedback effect (the deformation caused by the wind increased the area of attack, which led to more deformation, etc.), not due to the bridge resonating.

  5. Audit Responsibility - Possibly a good thing. by luftmatraze · Score: 3, Informative

    I am working in a large firm. Quite often new projects upon realisation require technical audits, as well as "Life Cycle" audits for existing systems involved with billing etc. One point that needs to be clear: audits are not cheap! These guys are paid between 1500-2000 per man-day. Presently this is done in essence without ANY liability as to the quality of their work. What needs to be established in this case is:

    1. Technical audits provide a snapshot of a system "at a particular point in time". Did these holes exist at the time of the audit, or were there changes afterwards which could have affected the audit results?

    2. Audit scope. This is really important! If the audit scope didn't include, for instance, the visibility of the systems from outside of the firewall, then the perspective of the auditors was limited and therefore the audit itself is not complete. I have seen companies, for instance, that are ISO 27001 certified... however... the audit scope was only for a particular part of the company. This enables the company to suggest 27001 certification when in fact it may not indeed be fully the case.

    Most likely the outcome of such a case would be an increase in costs to cover liability (insurance or something of the like) on the part of the auditor. However, it may well also be an increase in the quality and transparency (clearer scope, limitations etc.) of technical audit work. Both of these are positive outcomes!

    --
    http://streetstyles.ch/ - Swiss Band & Fashion Tshirts