On 10/22/09, Eric Mugo <kabugum@gmail.com> wrote:
> hehe...i have to agree with Evans on that one....he answered your question
> and even added that he would hire you.... :-)
>
> On Thu, Oct 22, 2009 at 3:45 PM, Evans Ikua <ikua.evans@gmail.com> wrote:
>
>> Chuks you are taking this discussion round in circles. Walubengo has just
>> cleared that.
>> Ikua
>>
>>
>> On Thu, Oct 22, 2009 at 3:16 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
>>
>>> @Walu, So in short, should CISAs be taking Security Assessment Jobs?
>>>
>>> On 10/22/09, Walubengo J <jwalu@yahoo.com> wrote:
>>> > @./Chuks
>>> >
>>> > I hear you...however I must still repeat that CISAs are by design NOT
>>> > Penetration Testers. So it is harsh to judge their relevance based on
>>> > their failure to execute a PenTest.
>>> >
>>> > Just to repeat, CISAs evaluate and focus on the big picture of the
>>> > Security ecosystem - i.e. the relationship between People, Processes and
>>> > Systems that is necessary to provide assurance that risk is mitigated.
>>> > And taking your Penetration test example further, indeed you may have
>>> > exposed and sealed the loophole in the Webserver (if your focus being
>>> > ONLY on "Systems") but if the "People" and the "Process" aspects are
>>> > weak, your superior technical solutions may still fail to address the
>>> > overall Security objectives.
>>> >
>>> > That said, if I was a CISA and had that Audit job that required
>>> > Penetration testing, I would have definitely hired you ;-)
>>> >
>>> > walu.
>>> > --- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:
>>> >
>>> > From: Preston <podera@k90ea.com>
>>> > Subject: Re: [Skunkworks] AUDIT OF IT
>>> > To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
>>> > Date: Thursday, October 22, 2009, 12:32 AM
>>> >
>>> >
>>> > Hi All
>>> >
>>> > CISSP is for Security Professional just like CISM is for Security
>>> > Manager. Let us think of MBA or Bsc and then we will know how deep we
>>> > can go with the discussion.
>>> >
>>> > Preston
>>> >
>>> >
>>> > --- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
>>> >
>>> >> From: Gichuki John Chuksjonia <chuksjonia@gmail.com>
>>> >> Subject: Re: [Skunkworks] AUDIT OF IT
>>> >> To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
>>> >> Date: Wednesday, October 21, 2009, 12:01 PM
>>> >> Personally I think a CISSP is much better than a CISA, since he sees
>>> >> things the technical way and also Managerial way. The other day in
>>> >> Ghana some CISA guys were doing security audit and they were asking
>>> >> for files in a SUSE server that never exist. I don't know where they
>>> >> heard that from, and as far as I am concerned, such info can be
>>> >> Googled.
>>> >>
>>> >> So such audits depend on what the customer wants and how knowing he
>>> >> is, coz if you are concerned about something you will need it done.
>>> >> So Audit Policies should always have a questionnaire when picking up
>>> >> Security Vendors which helps to narrow down to the right auditing
>>> >> firm.
>>> >>
>>> >> The other day I was doing a penetration test for a client who has a
>>> >> set of servers with one Portal on the border. A big company had done
>>> >> a pentest a month before but the client wasn't satisfied, so he
>>> >> needed a real penetration test. So amazingly there was a plugin in
>>> >> the webserver that gave me way to root since it had a sql injection
>>> >> on it though blind. So I blindly uploaded code that would run
>>> >> arbitrary commands and soon I had a bindshell. One thing a pentester
>>> >> would do is try all means to get root, and see if he can read history
>>> >> of all the users. So one thing I noticed is that if these guys had a
>>> >> good security admin like they had specified, they should have seen
>>> >> that Apache tried to bind and was already a privileged user. Secondly
>>> >> the security administrator should have seen that guys miss to write
>>> >> their passwords when sshing and leaving them in their history.
>>> >>
>>> >> What amazed me was that this Company that had done the audit before
>>> >> was a well proclaimed company that was assigned with this same task
>>> >> and failed to deliver. They have CISAs, CISSPs, CEHs, professionals
>>> >> but Risk Part of the Assessment wasn't done.
>>> >>
>>> >> So the question is, are these Auditors just doing it for the money,
>>> >> or just having so much fun leaving Gaping holes for the clients, or
>>> >> is it that they just don't know what they are supposed to look for?
>>> >>
>>> >> Secondly do these papers (Certs) matter these days in the world of
>>> >> IT, coz I have seen Bedroom coders who end being better than even
>>> >> guys who went to school. Look up at the Kenyan BDS developer, @kasina
>>> >> in Twitter, that guy didn't learn C in school.
>>> >>
>>> >> So what I think is real change as far as such issues are concerned
>>> >> otherwise, all organizations in Africa/Kenya are open to serious
>>> >> compromise especially Govt Infrastructure.
>>> >>
>>> >> Two Cents!
>>> >>
>>> >>
>>> >>
>>> >> ./Chuks
>>> >>
>>> >> On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
>>> >> > I agree with Ikua/Preston. CISA (Certified Information Systems
>>> >> > Auditors) tend to have the big picture - and that's by design.
>>> >> > They don't drill down to specific vendor technologies - even though
>>> >> > they know what to expect from such technologies. Maybe a snapshot
>>> >> > of the course content would help as given below (ref:
>>> >> > www.isaca.org):
>>> >> >
>>> >> > 1. IS Audit Process
>>> >> > 2. IT Governance
>>> >> > 3. Infrastructure Lifecycle Development
>>> >> > 4. Protection of Information Assets
>>> >> > 5. Business Continuity and Disaster Mngt
>>> >> >
>>> >> > And so if I am a CISA with a financial/accounting background but
>>> >> > need to inspect a Cisco PIX firewall I would be obliged to hire the
>>> >> > expertise rather than pretend to do it. Of course, if I am a CISA
>>> >> > and a techie in that area (and there are many like that) I would
>>> >> > just proceed and perform the inspection accordingly.
>>> >> >
>>> >> > The point is, the Security Ecosystem is so large and each
>>> >> > professional in the Security field has an important role to play.
>>> >> > Trying to establish who is better than the other would be like
>>> >> > trying to see who btwn the following is better than the other: The
>>> >> > Architect who designs the building or the
>>> >> > Electrical/Civil/Structural Engineers who provide specialized
>>> >> > services within the buildings...rather than begin to research for
>>> >> > an answer, I would say it's really a misplaced question to ask.
>>> >> >
>>> >> > walu.
>>> >> > nb: am a CISA but not an Accountant (so feel free to consider my
>>> >> > views biased ;-)
>>> >> >
>>> >> > --- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
>>> >> >
>>> >> > From: Preston <podera@k90ea.com>
>>> >> > Subject: Re: [Skunkworks] AUDIT OF IT
>>> >> > To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
>>> >> > Date: Tuesday, October 20, 2009, 2:09 PM
>>> >> >
>>> >> > If we start from the premise that you cannot be a master of all
>>> >> > then Certified Penetration Testers, Systems Engineers, Network
>>> >> > Vulnerability Experts can only handle their areas but only to the
>>> >> > level their knowledge can allow with a scale (1 to 10) depending on
>>> >> > whether you gained it from Karamaindo as a college or company. Also
>>> >> > hands-on experience plays a greater part including organization
>>> >> > culture.
>>> >> >
>>> >> > Depending on what has to be audited you need a team of experts!! in
>>> >> > the areas being audited. The experts might not be better than those
>>> >> > being audited (Even on Financial Audits this is sometimes the case
>>> >> > where junior auditors are sent to companies with least audit
>>> >> > experience) but have to make an assurance that the areas being
>>> >> > audited are meeting some standards both as defined by the company
>>> >> > being audited or guided by international standards.
>>> >> >
>>> >> > What is also required is a team leader and that is where Certified
>>> >> > Information Systems Auditors come in. These are from various
>>> >> > backgrounds including techies, financials etc.
>>> >> >
>>> >> > As Evans indicates One of the ISACA audit standards states that an
>>> >> > auditor should use the right expert for the right audit process.
>>> >> > This is quite true for all professions. I realized this when
>>> >> > putting up a modest palace (needed Architect, Quantity Engineer,
>>> >> > Structural Engineer, Foreman Man, Plumber, Electrical Engineer,
>>> >> > Loader and a host of other professions while the single process was
>>> >> > Putting Up the Palace=IT Audit). In all of these a team work of
>>> >> > different professions are required guided by a leader who has
>>> >> > received certain qualification where CISA is one of them
>>> >> >
>>> >> >
>>> >> > Preston
>>> >> >
>>> >> >
>>> >> >
>>> >> > --- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
>>> >> >
>>> >> >> From: Evans Ikua <ikua.evans@gmail.com>
>>> >> >> Subject: Re: [Skunkworks] AUDIT OF IT
>>> >> >> To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
>>> >> >> Date: Tuesday, October 20, 2009, 10:58 AM
>>> >> >> I am a member of the local ISACA chapter, but I will speak for
>>> >> >> myself. Amolo, I don't agree with you. I recently spoke to a guy
>>> >> >> from a local shop of the big 5 audit (Finance) firms. He said they
>>> >> >> do IT audits alright. But they are more interested in seeing how
>>> >> >> far the IT infrastructure supports the financial figures that they
>>> >> >> are reporting on. You realize most of accounting nowadays is
>>> >> >> dependent on IT, as is most of business processes.
>>> >> >>
>>> >> >> But how does an accountant (majority of CISAs are) tell if a DB
>>> >> >> has been compromised if he does not understand the deep workings
>>> >> >> of a DB?
>>> >> >>
>>> >> >> As I have said before, the best a CISA can do is to manage the
>>> >> >> whole process of the IT audit, but not to pretend to be what they
>>> >> >> are not. One of the ISACA audit standards states that an auditor
>>> >> >> should use the right expert for the right audit process. If you
>>> >> >> want to audit a data base, hire a data base expert. If you want to
>>> >> >> gauge network vulnerability, hire a vulnerability expert, and so
>>> >> >> on. It's professional negligence, which should attract hefty legal
>>> >> >> penalties, for a firm to conduct an IT audit, give a clean bill of
>>> >> >> health, and leave an organization at risk.
>>> >> >>
>>> >> >> Just wait till you hear someone taken to court for professional
>>> >> >> negligence.
>>> >> >>
>>> >> >> Ikua
>>> >> >>
>>> >> >> On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
>>> >> >> > Slunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
>>> >> >> >
>>> >> >> > On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
>>> >> >> >> am liking this... so far Chucks is leading :)
>>> >> >> >>
>>> >> >> >> On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
>>> >> >> >>
>>> >> >> >>> So their scope would be Financial Audit?
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
>>> >> >> >>> > If you check my mail again Chuks, i talked about SCOPE
>>> >> >> >>> >
>>> >> >> >>> > On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
>>> >> >> >>> >
>>> >> >> >>> >> @Joshua, yah mistaken. What does an IT Audit compose of.
>>> >> >> >>> >> Because a Code Audit is part of IT Audit, tell us, how can
>>> >> >> >>> >> a Finance guy look for loop holes and bugs in a php code if
>>> >> >> >>> >> he doesn't even know how to write one?
>>> >> >> >>> >>
>>> >> >> >>> >>
>>> >> >> >>> >>
>>> >> >> >>> >>
>>> >> >> >>> >> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
>>> >> >> >>> >> > I don't think there is anything wrong with a Finance guy
>>> >> >> >>> >> > auditing IT.
>>> >> >> >>> >> >
>>> >> >> >>> >> > The issue should be what's the purpose of the audit. The
>>> >> >> >>> >> > purpose will give a clear scope and the necessary
>>> >> >> >>> >> > competence to undertake the audit.
>>> >> >> >>> >> >
>>> >> >> >>> >> > For example if you were to audit the financial sense of
>>> >> >> >>> >> > having a unit within IT, you don't need another IT guy to
>>> >> >> >>> >> > do this audit. If an auditor wants to check conformity to
>>> >> >> >>> >> > certain standards of your network for example, there are
>>> >> >> >>> >> > very powerful tools a Finance guy can use.
>>> >> >> >>> >> >
>>> >> >> >>> >> > Cynthia, I agree with you; sometimes you can endure very
>>> >> >> >>> >> > unnecessary questions from an incompetent auditor. I
>>> >> >> >>> >> > remember a case where an auditor was checking the
>>> >> >> >>> >> > competence of a hardware technician and he asked him 'Does
>>> >> >> >>> >> > the computer has a motherboard?', the technician was so
>>> >> >> >>> >> > pissed he plainly just said 'no this one uses a
>>> >> >> >>> >> > fatherboard'
>>> >> >> >>> >> >
>>> >> >> >>> >> >
>>> >> >> >>> >> > On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
>>> >> >> >>> >> >
>>> >> >> >>> >> >> The confusion started, because there are few companies
>>> >> >> >>> >> >> that normally do independent IT audits. In most cases the
>>> >> >> >>> >> >> IT audit is done as an extension of the Financial audits
>>> >> >> >>> >> >> hence you will find many accountants rushed to do CISA.
>>> >> >> >>> >> >>
>>> >> >> >>> >> >> Secondly in any organisation the three P's are important
>>> >> >> >>> >> >> (People, Products and Profits) systems and IT for that
>>> >> >> >>> >> >> matter, in most cases are enablers to help the people, to
>>> >> >> >>> >> >> move the products faster to the market and to increase
>>> >> >> >>> >> >> efficiency hence profits.
>>> >> >> >>> >> >>
>>> >> >> >>> >> >> There are some IT audits which finance people can perform
>>> >> >> >>> >> >> well. While there are some areas which definitely require
>>> >> >> >>> >> >> some IT expertise for you to benefit fully from the said
>>> >> >> >>> >> >> audit.
>>> >> >> >>> >> >>
>>> >> >> >>> >> >> Because a good audit should give the auditee and the
>>> >> >> >>> >> >> organisation ways for corrective and preventive actions,
>>> >> >> >>> >> >> and continual improvement.
>>> >> >> >>> >> >>
>>> >> >> >>> >> >>
>>> >> >> >>> >> >> On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
>>> >> >> >>> >> >>
>>> >> >> >>> >> >>> A Finance person auditing an IT infrastructure is like a
>>> >> >> >>> >> >>> Security Assessor auditing the end year results of a
>>> >> >> >>> >> >>> company. I find it very ironical and old school thinking
>>> >> >> >>> >> >>> from those days when I.T used to Fall under Finance
>>> >> >> >>> >> >>> department/Division. Back then, the systems were simple
>>> >> >> >>> >> >>> and geared towards very specific tasks. That is no longer
>>> >> >> >>> >> >>> the case nowadays.
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>> A company's systems infrastructure has become very
>>> >> >> >>> >> >>> complex, look at a situation where a company has several
>>> >> >> >>> >> >>> DMZs each hosting different systems, several Server
>>> >> >> >>> >> >>> Farms, Webhosting Facilities, a super big ERP....and then
>>> >> >> >>> >> >>> you bring an accountant to do a security audit of the
>>> >> >> >>> >> >>> systems or rather perform an entire audit meaning
>>> >> >> >>> >> >>> management, financial and security audit....forgive me
>>> >> >> >>> >> >>> but i find it plain stupid!
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>> The positive thing is that most companies are now
>>> >> >> >>> >> >>> realising the importance of an information security role
>>> >> >> >>> >> >>> within their ranks. Once someone in charge of security is
>>> >> >> >>> >> >>> in place then chances of being audited on Security by a
>>> >> >> >>> >> >>> CPA-K are reduced because the I.T guy will spot their
>>> >> >> >>> >> >>> incompetencies from a mile away...
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>> On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>> Most Audit firms do exactly that. It is not right at all
>>> >> >> >>> >> >>>> to have a finance guy audit IT. Let me state
>>> >> >> >>> >> >>>> categorically that even if a finance person has taken
>>> >> >> >>> >> >>>> the CISA exams and passed, they still don't qualify to
>>> >> >> >>> >> >>>> audit IT as IT audit requires an IT Audit professional
>>> >> >> >>> >> >>>> with some level of deep understanding in the particular
>>> >> >> >>> >> >>>> field of audit. Preferably the IT auditor should come
>>> >> >> >>> >> >>>> from a technical background e.g. Systems Development,
>>> >> >> >>> >> >>>> Systems and Network Administration or Database
>>> >> >> >>> >> >>>> Administration.
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>> Such people employed by audit firms usually write nasty
>>> >> >> >>> >> >>>> audit reports based on findings that do not satisfy the
>>> >> >> >>> >> >>>> expectations of the forms downloaded from the Internet.
>>> >> >> >>> >> >>>> The audit reports therefore do not give a true
>>> >> >> >>> >> >>>> reflection of the particular IT department of interest.
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>> Can someone from ISACA the kenyan chapter respond to
>>> >> >> >>> >> >>>> this issue and tell us the way forward. We need some
>>> >> >> >>> >> >>>> level of regulation on this.
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>> On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>>> Dear All
>>> >> >> >>> >> >>>>> Let me get your thoughts on this.
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>> Is it right for a Finance guy to come and do an audit
>>> >> >> >>> >> >>>>> to an IT department yet the Finance guy has no clue
>>> >> >> >>> >> >>>>> about IT.
>>> >> >> >>> >> >>>>> I won't name the audit firm here but I wonder, when
>>> >> >> >>> >> >>>>> they go to the net and download a form then they come
>>> >> >> >>> >> >>>>> and ask you silly questions makes me question them
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>> People my question is this
>>> >> >> >>> >> >>>>> Who should do an IT audit? Finance People? or IT People
>>> >> >> >>> >> >>>>> I stand to be corrected
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>> _______________________________________________
>>> >> >> >>> >> >>>>> Skunkworks mailing list
>>> >> >> >>> >> >>>>> Skunkworks@lists.my.co.ke
>>> >> >> >>> >> >>>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks
>>> >> >> >>> >> >>>>> ------------
>>> >> >> >>> >> >>>>> Skunkworks Rules
>>> >> >> >>> >> >>>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94
>>> >> >> >>> >> >>>>> ------------
>>> >> >> >>> >> >>>>> Other services @ http://my.co.ke
>>> >> >> >>> >> >>>>> Other lists
>>> >> >> >>> >> >>>>> -------------
>>> >> >> >>> >> >>>>> Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce
>>> >> >> >>> >> >>>>> Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science
>>> >> >> >>> >> >>>>> kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
>>> >> >> >>> >> >>>>>
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>> --
>>> >> >> >>> >> >>>> Edmund C. O. Okumu
>>> >> >> >>> >> >>>> P.O Box 8490-00200,
>>> >> >> >>> >> >>>> Nairobi, Kenya.
>>> >> >> >>> >> >>>> TEL: 254-721-734935
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>>
>>> >> >> >>> >> >>
>>> >> >> >>> >> >>
>>> >> >> >>> >> >>
>>> >> >> >>> >> >
>>> >> >> >>> >> >
>>> >> >> >>> >> >
>>> >> >> >>> >> > --
>>> >> >> >>> >> >
>>> >> >> >>> >> > ----------------------------------------------------------------
>>> >> >> >>> >> > Joshua Amolo
>>> >> >> >>> >> > Cell: +254 720 263308/+255 783 060052
>>> >> >> >>> >> >
>>> >> >> >>> >> >
>>> >> >> >>> >> > Managing IT people is like herding cats
>>> >> >> >>> >> >
>>> >> >> >>> >>
>>> >> >> >>> >>
>>> >> >> >>> >> --
>>> >> >> >>> >> --
>>> >> >> >>> >> Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
>>> >> >> >>> >> I.T Security Analyst and Penetration Tester
>>> >> >> >>> >> infosigmer@inbox.com
>>> >> >> >>> >>
>>> >> >> >>> >> {FORUM} http://lists.my.co.ke/pipermail/security/
>>> >> >> >>> >> http://nspkenya.blogspot.com/
>>> >> >> >>> >> http://chuksjonia.blogspot.com/
>>> >> >> >>> >>
>>> >> >> >>> >
>>> >> >> >>> >
>>> >> >> >>> >
>>> >> >> >>> > --
>>> >> >> >>> >
>>> >> >> >>> > ----------------------------------------------------------------
>>> >> >> >>> > Joshua Amolo
>>> >> >> >>> > Cell: +254 720 263308/+255 783 060052
>>> >> >> >>> >
>>> >> >> >>> >
>>> >> >> >>> > Managing IT people is like herding cats
>>> >> >> >>> >
>>> >> >> >>>
>>> >> >> >>>
>>> >> >> >>> --
>>> >> >> >>> --
>>> >> >> >>> Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
>>> >> >> >>> I.T Security Analyst and Penetration Tester
>>> >> >> >>> infosigmer@inbox.com
>>> >> >> >>>
>>> >> >> >>> {FORUM} http://lists.my.co.ke/pipermail/security/
>>> >> >> >>> http://nspkenya.blogspot.com/
>>> >> >> >>> http://chuksjonia.blogspot.com/
>>> >> >> >>>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >>
>>> >> >> >> --
>>> >> >> >> "Change is slow and gradual. It requires hardwork, a bit of
>>> >> >> >> luck, a fair amount of self-sacrifice and a lot of patience."
>>> >> >> >>
>>> >> >> >> Roy.
>>> >> >> >>
>>> >> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >>
>>> >>
>>> >> --
>>> >> --
>>> >> Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
>>> >> I.T Security Analyst and Penetration Tester
>>> >> infosigmer@inbox.com
>>> >>
>>> >> {FORUM} http://lists.my.co.ke/pipermail/security/
>>> >> http://nspkenya.blogspot.com/
>>> >> http://chuksjonia.blogspot.com/
>>> >
>>> >
>>> >
>>>
>>>
>>> --
>>> --
>>> Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
>>> I.T Security Analyst and Penetration Tester
>>> infosigmer@inbox.com
>>>
>>> {FORUM} http://lists.my.co.ke/pipermail/security/
>>> http://nspkenya.blogspot.com/
>>> http://chuksjonia.blogspot.com/
>>
>>
>