
Dear All, let me get your thoughts on this. Is it right for a Finance guy to come and do an audit of an IT department when the Finance guy has no clue about IT? I won't name the audit firm here, but I wonder: when they go to the net and download a form, then come and ask you silly questions, it makes me question them. People, my question is this: who should do an IT audit? Finance people or IT people? I stand to be corrected.
----------------------------------------------
This message has been scanned for viruses and dangerous content by Jambo MailScanner, and is believed to be clean.
---------------------------------------------
"easy access to the world"

This is an issue which has been there for a long time, one used by such big firms as KPMG etc. There is no way a Finance Department can do an IT Audit unless they are doing a Financial Audit. This is a prank these firms are using, but it looks like people are starting to learn, and soon they will be out of business if they don't change. Please read this post here: http://lists.my.co.ke/pipermail/security/2009-August/000566.html Pretty interesting, may I say.
On 10/18/09, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P. I.T Security Analyst and Penetration Tester. infosigmer@inbox.com {FORUM} http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/

Jonia Chucks, thanks for the info. Then who, in your view, should do an IT audit? E.g. if Chucks wants to audit his system, who does Chucks go to? A fellow skunker :-)

Yes. The idea behind an IT Audit is basically to ascertain that the IT infrastructure performs the way it was designed to. To do this, you need someone who is conversant with all elements of the system, and that can't be a finance auditor. At best, you need a team of IT consultants with a project manager, security guy, network guy, etc.
On 10/18/09, Cynthia Wahome <cwahome@jambo.co.ke> wrote:

Cynthia, don't go for one company to do the whole IT Audit. E.g. E and Y are good in Management Security, but they aren't good at Security Assessments. SRS could be good in Financial Security Assessment, but they can't do a good job on vulnerability assessment or even on Penetration Assessments, and the story continues. So the question is: what do you really need done? Whether you're doing it for orientation or for concern issues. Personally I do security assessments, so I can't touch on Management security, financial security, etc.
./Chuks
On 10/18/09, Areba Collins <arebacollins@gmail.com> wrote:

Most Audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background, e.g. Systems Development, Systems and Network Administration or Database Administration. Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest. Can someone from ISACA, the Kenyan chapter, respond to this issue and tell us the way forward? We need some level of regulation on this.
On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
-- Edmund C. O. Okumu P.O Box 8490-00200, Nairobi, Kenya. TEL: 254-721-734935

A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end-year results of a company. I find it very ironic and old-school thinking from those days when I.T used to fall under the Finance department/division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays. A company's systems infrastructure has become very complex; look at a situation where a company has several DMZs, each hosting different systems, several server farms, webhosting facilities, a super big ERP... and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit, meaning management, financial and security audit... forgive me, but I find it plain stupid! The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place, the chances of being audited on Security by a CPA-K are reduced, because the I.T guy will spot their incompetencies from a mile away...
On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:

The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audit, hence you will find many accountants rushed to do CISA. Secondly, in any organisation the three P's are important (People, Products and Profits); systems and IT, for that matter, in most cases are enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits. There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit. Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:

I don't think there is anything wrong with a Finance guy auditing IT. The issue should be: what's the purpose of the audit? The purpose will give a clear scope and the necessary competence to undertake the audit. For example, if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network, for example, there are very powerful tools a Finance guy can use. Cynthia, I agree with you; sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and asked him 'Does the computer have a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
-- ---------------------------------------------------------------- Joshua Amolo Cell: +254 720 263308/+255 783 060052 Managing IT people is like herding cats

@Joshua, you're mistaken. What does an IT audit consist of? Since a code audit is part of an IT audit, tell us: how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write it?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
I don't think there is anything wrong with a Finance guy auditing IT.
The issue should be the purpose of the audit. The purpose will give a clear scope and the competence necessary to undertake the audit.
For example, if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check your network's conformity to certain standards, for example, there are very powerful tools a Finance guy can use.
Cynthia, I agree with you: sometimes you have to endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and asked him, 'Does the computer have a motherboard?' The technician was so pissed off he plainly said, 'No, this one uses a fatherboard.'
On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the financial audit, hence you will find many accountants rushed to do CISA.
Secondly, in any organisation the three P's are important (People, Products and Profits). Systems, and IT for that matter, are in most cases enablers that help the people move the products faster to the market and increase efficiency, hence profits.
There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
This is because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
A Finance person auditing an IT infrastructure is like a Security Assessor auditing the year-end results of a company. I find it very ironic, old-school thinking from those days when I.T. used to fall under the Finance department/division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
A company's systems infrastructure has become very complex. Look at a situation where a company has several DMZs, each hosting different systems, several server farms, web hosting facilities, a super big ERP... and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit, meaning a management, financial and security audit... forgive me, but I find it plain stupid!
The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place, the chances of being audited on security by a CPA-K are reduced, because the I.T. guy will spot their incompetencies from a mile away...
On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
Most audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as an IT audit requires an IT audit professional with some level of deep understanding of the particular field being audited. Preferably the IT auditor should come from a technical background, e.g. systems development, systems and network administration or database administration.
Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
Can someone from the ISACA Kenyan chapter respond to this issue and tell us the way forward? We need some level of regulation on this.
-- Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P, I.T. Security Analyst and Penetration Tester, infosigmer@inbox.com {FORUM} http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/

If you check my mail again, Chuks, I talked about SCOPE.
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Joshua, you're mistaken. What does an IT audit consist of? Since a code audit is part of an IT audit, tell us: how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write it?

So their scope would be a Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again, Chuks, I talked about SCOPE.

I am liking this... so far Chuks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be a Financial Audit?
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience." Roy.

Slunks! What's so hard? IT audit, IT. Finance audit, FINANCE.

I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as is most of business processes.
But how does an accountant (majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua

If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, but only to the level their knowledge can allow, with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture. Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but have to make an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards. What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc. As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received certain qualifications, where CISA is one of them.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 10:58 AM

I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as is most of business processes.
But how does an accountant (majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Slunks! Whats so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
am liking this... so far Chucks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, i talked about SCOPE
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
@Joshua, yah mistaken. What does an IT Audit compose of. Because a Code Audit is part of IT Audit, tell us, how can an Finance guy look for loop holes and bugs in a php code if he doesn't even know how to write one?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote: > I dont think there is naything wrong with a Finance guy auditing IT. > > The issue should be what's the purpose of the audit. The purpose will give a > clear scope and the necessary competence to undertake the the audit. > > For example if you were to audit the financial sense of having a unit within > IT, you dont need another IT guy to do this audit. If an auditor > wants > to > check conformity to certain standards of your network for example, there are > very powerful tools a Finance guy can use. > > Cynthia I agree with you sometimes you can endure very unnecessary questions > from an incompetent auditor I remember a case where an auditor was checking > the competence of a hardware technician and he asked him 'Does the computer > has a motherboard?', the technician was so pissed he plainly just > said 'no > this one uses a fatherboard' > > > On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald > <mcdonaldoj@gmail.com>wrote: > >> The confusion started,because there are few companies that normally do >> independent IT audits.In most cases the IT audit is done as an >> extension >> of >> the Financial audits hence you will find many accountants rushed to do >> CISA. >> >> Secondly in any organisation the three P's are important (People,Products >> and Profits) systems and IT for that matter,in most cases are enablers to >> help the people,to move the products faster to the market and to increase >> efficiency hence profits. >> >> There are some IT audits which finance people with can perform well.While >> there are some areas which definately require some IT expertise for you do >> benefit fully from the said audit. >> >> Because a good audit should give the auditee and the organisation ways for >> corrective and preventive actions, and continual improvement. 
>> >> >> On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote: >> >>> A Finance person auditing an IT infrastructure is like a Security >>> Assessor >>> auditing the end year results of a company. I find it very ironical >>> and >>> old >>> school thinking from those days when I.T used to Fall under Finance >>> department/Division. Back then, the systems were simple and geared >>> towards >>> very specific tasks. That is no longer the case nowadays. >>> >>> A company's systems infrastructure has become very comples, look at a >>> situation where a company has several DMZ,s each hosting different >>> systems, >>> several Server Farms, Webhosting Facilities, a super big ERP....and then >>> you >>> bring an accountant to do a security audit of the systems or rather >>> perform >>> an entire audit meaning management, financial and security >>> audit....forgive >>> me but i find it plain stupid! >>> >>> The positive thing is that most companies are now realising the >>> importance >>> of a information security role within their ranks. Once someone in charge >>> of >>> security is in place then chances of being audited on Security by a CPA-K >>> are reduced because the I.T guy will spot their incomptencies from >>> a mile >>> away... >>> >>> >>> >>> >>> >>> On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu >>> <edmund.okumu@gmail.com>wrote: >>> >>>> Most Audit firms do exactly that. It is not right at all to have a >>>> finance guy audit IT. Let me state categorically that even if a finance >>>> person has taken the CISA exams and passed, they still don't qualify to >>>> audit IT as IT audit requires an IT Audit professional with some >>>> level >>>> of >>>> deep understanding in the particular field of audit. Preferably >>>> the >>>> IT >>>> auditor should come from a technical background e.g. Systems >>>> Development, >>>> Systems and Network Administration or Database Administration. 
>>>> >>>> Such people employed by audit firms usually right nasty audit reports >>>> based on findings that do not satisfy the expectations of the >>>> forms >>>> downloaded from the Internet. The audit reports therefore do not give a >>>> true >>>> reflection of the particular IT department of interest. >>>> >>>> Can someone from ISACA the kenyan chapter respond to this issue >>>> and tell >>>> us the way forward. We need some level of regulation on this. >>>> >>>> >>>> On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome >>>> <cwahome@jambo.co.ke>wrote: >>>> >>>>> Dear All >>>>> Let me get your thoughts on this. >>>>> >>>>> Is it right for a Finance guy to come and do an audit to an IT >>>>> department >>>>> yet the Finance guy has no clue about IT. >>>>> I wont name the audit firm here but i wonder,when they go to the net >>>>> and >>>>> download a form then they come and ask you silly questions makes me >>>>> question them >>>>> >>>>> People my question is this >>>>> Who should do an IT audit? Finance People? or IT People >>>>> I stand to be corrected >>>>> >>>>> >>>>>
> Joshua Amolo
> Cell: +254 720 263308/+255 783 060052
>
> Managing IT people is like herding cats
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.

I agree with Ikua/Preston. CISA (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):

1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt

And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.

The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings... rather than begin to research for an answer, I would say it's really a misplaced question to ask.

walu.
nb: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)

--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:

From: Preston <podera@k90ea.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 2:09 PM

If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, but only to the level their knowledge can allow, with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture.

Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but they have to give an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards.

What is also required is a team leader and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.

As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions while the single process was Putting Up the Palace=IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received certain qualifications, where CISA is one of them.

Preston

--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:

From: Evans Ikua <ikua.evans@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 10:58 AM

I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as is most of business processes.
But how does an accountant (majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Slunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
am liking this... so far Chucks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, i talked about SCOPE
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Joshua, yah mistaken. What does an IT Audit consist of? Because a Code Audit is part of an IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
> I don't think there is anything wrong with a Finance guy auditing IT.
>
> The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
>
> For example if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network for example, there are very powerful tools a Finance guy can use.
>
> Cynthia I agree with you, sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer have a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
>
> On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
>> The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audits, hence you will find many accountants rushed to do CISA.
>>
>> Secondly, in any organisation the three P's are important (People, Products and Profits); systems and IT, for that matter, in most cases are enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits.
>>
>> There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
>>
>> Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.

Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files in a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled. So such audits depend on what the customer wants and how knowing he is, coz if you are concerned about something you will need it done. So Audit Policies should always have a questionnaire when picking up Security Vendors, which helps to narrow down to the right auditing firm.

The other day I was doing a penetration test for a client who had a set of servers with one Portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. So amazingly there was a plugin in the webserver that gave me a way to root since it had a SQL injection on it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly, the security administrator should have seen that guys mistyped their passwords when sshing and left them in their history. What amazed me was that this Company that had done the audit before was a well proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk part of the Assessment wasn't done. So the question is, are these Auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?

Secondly, do these papers (Certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look up the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school. So what I think is needed is real change as far as such issues are concerned, otherwise all organizations in Africa/Kenya are open to serious compromise, especially Govt Infrastructure.

Two Cents!

./Chuks

On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISA (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They dont drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help as given below :(ref: www.isaca.org)
1.IS Audit Process 2.IT Governance 3.Infrastructure Lifecycle Development 4.Protection of Information Assets. 5.Business Continuity and Disaster Mngt
And so If am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall I would be obliged to hire the expertise rather pretend to do it. Ofcourse, If am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who btwn the following is better than the other: The Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings...rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. nb: am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all then Certified Penetration Testers, Systems Engineers, Network Vulnerabilty Experts can only handle their areas but only to the level their knowledge can allow with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part including organization culture.
Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be the better than those being audited (Even on Financial Audits this is sometimes the case where junior auditors are sent to companies with least audit experience)but has to make an assurance that the areas being audited are meeting some standards both as defined by the company being audited or guided by international standards.
What is also required is a team leader and that is where Certified Information Systems Auditors come in. These are from various backgrounds including teckies, financials etc..
As Evans indicates One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed Architect, Quantity Engineer, Structural Engineer, Foreman Man, Plumber, Electrical Engieer, Loader and a host of other professions while the single process was Putting Up the Palace=IT Audit). In all of these a team work of different professions are required guided by a leader who has received certain qualification where CISA is one of them
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 10:58 AM I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I dont agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as is most of business processes.
But how does an accountant (majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a data base, hire a data base expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Slunks! Whats so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
am liking this... so far Chucks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, i talked about SCOPE
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
> @Joshua, yah mistaken. What does an IT Audit consist of? Because a Code Audit is part of IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
>
> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
>> I don't think there is anything wrong with a Finance guy auditing IT.
>>
>> The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
>>
>> For example, if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network, for example, there are very powerful tools a Finance guy can use.
>>
>> Cynthia, I agree with you: sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer has a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
>>
>> On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
>>> The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audit, hence you will find many accountants rushed to do CISA.
>>>
>>> Secondly, in any organisation the three P's are important (People, Products and Profits). Systems and IT, for that matter, in most cases are enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits.
>>>
>>> There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
>>>
>>> Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
>>>
>>> On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
>>>> A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end-year results of a company. I find it very ironical and old-school thinking from those days when I.T used to fall under the Finance department/Division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
>>>>
>>>> A company's systems infrastructure has become very complex: look at a situation where a company has several DMZs each hosting different systems, several Server Farms, Webhosting Facilities, a super big ERP... and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit meaning management, financial and security audit... forgive me but I find it plain stupid!
>>>>
>>>> The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place then the chances of being audited on Security by a CPA-K are reduced, because the I.T guy will spot their incompetencies from a mile away...
>>>>
>>>> On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
>>>>> Most Audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background, e.g. Systems Development, Systems and Network Administration or Database Administration.
>>>>>
>>>>> Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
>>>>>
>>>>> Can someone from ISACA, the Kenyan chapter, respond to this issue and tell us the way forward? We need some level of regulation on this.
>>>>>
>>>>> On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
>>>>>> Dear All
>>>>>> Let me get your thoughts on this.
>>>>>>
>>>>>> Is it right for a Finance guy to come and do an audit to an IT department yet the Finance guy has no clue about IT. I won't name the audit firm here but I wonder, when they go to the net and download a form then they come and ask you silly questions, it makes me question them.
>>>>>>
>>>>>> People, my question is this: Who should do an IT audit? Finance People? or IT People? I stand to be corrected.
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com {FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/

@Chuks, I will agree with you on the matter of certs without real hands-on. I have worked with people who have tons of papers but nothing much to show apart from googling solutions and having 10 people chat with them to help them solve very minor problems.

On CISA and CISSP or even CISM, CISSP is still superior. I have done CISA and CISM and when I looked at the CISSP material it was very detailed.

However, I want to say that when someone takes such courses like CISA, CISM or CISSP, what really matters according to me is the intention. Some people take these courses to add to the list of their qualifications, never to use them actively. Some do them to change careers from whatever they have been doing to become InfoSec experts. Based on these intentions you may find a CISA being better than a CISSP or vice versa. This is because, for example, someone does CISA and decides to focus on pentesting; they will therefore exhaust material on pentesting over and above what the CISA curriculum or CISSP curriculum can offer.

On Wed, Oct 21, 2009 at 12:01 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.

So such audits depend on what the customer wants and how knowledgeable he is, coz if you are concerned about something you will need it done. So Audit Policies should always have a questionnaire when picking Security Vendors, which helps to narrow down to the right auditing firm.

The other day I was doing a penetration test for a client who had a set of servers with one Portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. Amazingly there was a plugin in the webserver that gave me a way to root, since it had a SQL injection on it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly, the security administrator should have seen that guys mis-type their passwords when sshing and leave them in their history.

What amazed me was that this Company that had done the audit before was a well-proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk part of the Assessment wasn't done.

So the question is, are these Auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?

Secondly, do these papers (Certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look at the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.

So what I think is needed is real change as far as such issues are concerned; otherwise all organizations in Africa/Kenya are open to serious compromise, especially Govt infrastructure.
Two Cents!
./Chuks
On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISA (Certified Information Systems Auditors) tend to have the big picture, and that's by design. They don't drill down to specific vendor technologies, even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):

1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt

And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.

The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings... rather than begin to research for an answer, I would say it's really a misplaced question to ask.

walu.
NB: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:

From: Preston <podera@k90ea.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, but only to the level their knowledge can allow, with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture.

Depending on what has to be audited you need a team of experts in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but they have to give an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards.

What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.

As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received a certain qualification, where CISA is one of them.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:

From: Evans Ikua <ikua.evans@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 10:58 AM

I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most accounting nowadays is dependent on IT, as are most business processes.

But how does an accountant (which the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?

As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.

Just wait till you hear of someone taken to court for professional negligence.

Ikua

On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:

Skunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
I'm liking this... so far Chuks is leading :)

On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
> If you check my mail again Chuks, i talked about SCOPE
-- ---------------------------------------------------------------- Joshua Amolo Cell: +254 720 263308/+255 783 060052 Managing IT people is like herding cats

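One way a security admin could run the history check Chuks describes above, as an added Python example that is not code from the thread or from any tool mentioned in it; the sample history lines and the small command allow-list are constructed for the demo, and the detection is a heuristic, not a guarantee:

```python
"""Find passwords that ended up in a shell history file.

Someone runs `ssh host`, types the password one prompt too early (or
after a failed login), and the shell records it as the next "command",
so the secret sits in ~/.bash_history for anyone who can read it. A
security admin can scan histories for a line that directly follows a
password-prompting command and does not look like a command at all.
The history below is constructed; the allow-list is a demo assumption.
"""
import re
from typing import Dict, List

# Commands that prompt for a password: the history line right after one
# of these is where a mistyped credential usually lands.
PROMPTING_COMMANDS = {"ssh", "scp", "sftp", "su", "sudo", "mysql", "psql"}

# Constructed allow-list of ordinary commands; a real scanner would use
# `compgen -c` or shutil.which() instead of a fixed set (assumption).
KNOWN_COMMANDS = {
    "ls", "cd", "cat", "exit", "pwd", "vim", "nano", "tail", "grep",
    "clear", "history", "logout", "echo", "ps", "top", "df", "id", "less",
}

# Commands that also take the password inline (`mysql -pSecret`,
# `--password=Secret`): a second way the same secret reaches the history.
INLINE_PASSWORD_COMMANDS = {"mysql", "mysqldump", "mysqladmin"}
INLINE_PASSWORD = re.compile(r"(?<=\s)(?:-p\S+|--password=\S+)")


def first_word(line: str) -> str:
    """Program name of a history line, skipping FOO=bar prefixes and paths."""
    for tok in line.strip().split():
        if "=" in tok and not tok.startswith("-"):
            continue
        return tok.rsplit("/", 1)[-1]
    return ""


def looks_like_secret(line: str) -> bool:
    """Heuristic for a line that is a typed password rather than a command.

    One token, not a known command, not an option, path or comment, and
    carrying a digit or a symbol other than the . - _ / seen in filenames.
    A plain-word password slips through; the aim is the common P@ssw0rd!
    shape without flagging every stray filename.
    """
    s = line.strip()
    if not s or " " in s or s.startswith(("-", "./", "/", "~", "#")):
        return False
    if first_word(s) in KNOWN_COMMANDS:
        return False
    return len(s) >= 6 and re.search(r"\d|[^\w.\-/]", s) is not None


def scan_history(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious history line."""
    findings: List[Dict[str, object]] = []
    after_prompt = False
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\n")
        if line.startswith("#"):  # HISTTIMEFORMAT timestamp comment
            continue
        if after_prompt and looks_like_secret(line):
            findings.append({"line": n, "kind": "typed-password", "text": line})
        if first_word(line) in INLINE_PASSWORD_COMMANDS and INLINE_PASSWORD.search(line):
            findings.append({"line": n, "kind": "inline-password", "text": line})
        after_prompt = first_word(line) in PROMPTING_COMMANDS
    return findings


def masked(finding: Dict[str, object]) -> str:
    """Render a finding with the secret hidden, so the report is safe to share."""
    text = str(finding["text"])
    if finding["kind"] == "typed-password":
        shown = text[:2] + "*" * (len(text) - 2)
    else:
        shown = INLINE_PASSWORD.sub(
            lambda m: (m.group(0).split("=")[0] + "=" if "=" in m.group(0)
                       else m.group(0)[:2]) + "***",
            text,
        )
    return f"line {finding['line']}: {finding['kind']}: {shown}"


SAMPLE_HISTORY = [  # constructed sample, not from a real machine
    "cd /var/www",
    "ssh deploy@10.0.0.5",
    "Hunter2!2009",  # the password, typed at the wrong moment
    "ls -la",
    "ssh -p 2222 admin@db01",
    "exit",  # an ordinary command after ssh: no finding
    "mysql -u root -pW1nter$ecret erp",
    "sudo vim /etc/ssh/sshd_config",
    "ls",
    "#1255943200",  # bash timestamp line, ignored
    "scp backup.tgz ops@10.0.0.9:/tmp",
    "backup.tgz",  # a filename after scp, not flagged
]

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(masked(f))
```

Run it against each user's history file on a host after an engagement to surface exactly the leak described in the story; the masked report can go into the findings without re-exposing the credential.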
@all techies... I think also a change of attitude can help both the audited and auditee. Sometimes getting views from someone who is not a techie might help you see things from a different perspective.

From what Cynthia described... I think the auditor didn't approach the situation well.

1. The Letter of intent
2. Scope and objective of the audit
3. Areas to be audited should be discussed beforehand
4. An audit timetable
5. An introduction/opening meeting
6. Then the audit

A good audit should have questions whose outcome can really help the organisation grow. But all this comes with the experience of the auditor. A good, experienced finance guy with average technical know-how (not skills) and a CISA can comfortably do an IS audit. Remember also that auditing is mainly benchmarking against industry best practices, and forming an opinion based on feedback given by the auditee.

On Wed, Oct 21, 2009 at 12:16 PM, Joshua Amolo <joshua.amolo@gmail.com> wrote:
@Chuks,
I will agree with you on the matter of certs without real hands on. I have worked with people who have tons of papers but nothing much to show apart from googling solutions and having 10 people chat with them to help them solve very minor problems.
On CISA and CISSP or even CISM, CISSP is still superior I have done CISA and CISM and when I looked at the CISSP material it was very detailed.
However, I want to say that when someone takes such courses like CISA, CISM or CISSP, what really matters according to me is the intention. Some people take these courses to add the list of their qualifications never to use them actively. Some do them to change careers from whatever they have been doing to become InfoSec experts. Based on these intentions you may find a CISA being better than a CISSP vice versa. This is because for example someone does CISA and decides to focus on pentesting for example - they will therefore exhaust material on pentesting over and above what CISA curiculum or CISSP curiculum can offer.
On Wed, Oct 21, 2009 at 12:01 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
So such audits depend on what the customer wants and how knowing he is, coz if you are concerned about something you will need it done. So Audit Policies should always have a questionnaire when picking Security Vendors, which helps to narrow down to the right auditing firm.
The other day I was doing a penetration test for a client who has a set of servers with one Portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. So amazingly there was a plugin in the webserver that gave me a way to root since it had a SQL injection on it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly the security administrator should have seen that guys mistype their passwords when sshing and leave them in their history.
What amazed me was that this Company that had done the audit before was a well proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk Part of the Assessment wasn't done.
So the question is, are these Auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly, do these papers (Certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look at the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.
So what I think is needed is real change as far as such issues are concerned; otherwise, all organizations in Africa/Kenya are open to serious compromise, especially Govt Infrastructure.
Two Cents!
./Chuks
On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISA (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt
And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings...rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. NB: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers, Network Vulnerability Experts can only handle their areas, but only to the level their knowledge can allow, with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but have to give an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards.
What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed Architect, Quantity Engineer, Structural Engineer, Foreman Man, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received a certain qualification, where CISA is one of them.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 10:58 AM
I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as are most business processes.
But how does an accountant (which the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Skunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
am liking this... so far Chucks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
> So their scope would be Financial Audit?
>
> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
> > If you check my mail again Chuks, I talked about SCOPE
> >
> > On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
> >> @Joshua, yah mistaken. What does an IT Audit compose of? Because a Code Audit is part of IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
> >>
> >> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
> >> > I don't think there is anything wrong with a Finance guy auditing IT.
> >> >
> >> > The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
> >> >
> >> > For example if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network for example, there are very powerful tools a Finance guy can use.
> >> >
> >> > Cynthia I agree with you, sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer has a motherboard?', the technician was so pissed he plainly just said 'no this one uses a fatherboard'
> >> >
> >> > On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
> >> >> The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audits, hence you will find many accountants rushed to do CISA.
> >> >>
> >> >> Secondly in any organisation the three P's are important (People, Products and Profits); systems and IT for that matter, in most cases, are enablers to help the people, to move the products faster to the market and to increase efficiency hence profits.
> >> >>
> >> >> There are some IT audits which finance people can perform well. While there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
> >> >>
> >> >> Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
> >> >>
> >> >> On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
> >> >>> A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end year results of a company. I find it very ironical and old school thinking from those days when I.T used to fall under the Finance department/Division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
> >> >>>
> >> >>> A company's systems infrastructure has become very complex; look at a situation where a company has several DMZs each hosting different systems, several Server Farms, Webhosting Facilities, a super big ERP....and then you bring an accountant to do a security audit of the systems or rather perform an entire audit meaning management, financial and security audit....forgive me but I find it plain stupid!
> >> >>>
> >> >>> The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place then chances of being audited on Security by a CPA-K are reduced because the I.T guy will spot their incompetencies from a mile away...
> >> >>>
> >> >>> On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
> >> >>>> Most Audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background e.g. Systems Development, Systems and Network Administration or Database Administration.
> >> >>>>
> >> >>>> Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
> >> >>>>
> >> >>>> Can someone from ISACA the Kenyan chapter respond to this issue and tell us the way forward. We need some level of regulation on this.
> >> >>>>
> >> >>>> On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
> >> >>>>> Dear All
> >> >>>>> Let me get your thoughts on this.
> >> >>>>>
> >> >>>>> Is it right for a Finance guy to come and do an audit to an IT department yet the Finance guy has no clue about IT. I won't name the audit firm here but I wonder, when they go to the net and download a form then they come and ask you silly questions, makes me question them.
> >> >>>>>
> >> >>>>> People my question is this
> >> >>>>> Who should do an IT audit? Finance People? or IT People
> >> >>>>> I stand to be corrected
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.
--
Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
--
Joshua Amolo
Cell: +254 720 263308/+255 783 060052
Managing IT people is like herding cats

Hi All
CISSP is for Security Professional just like CISM is for Security Manager. Let us think of MBA or Bsc and then we will know how deep we can go with the discussion.
Preston
--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Wednesday, October 21, 2009, 12:01 PM
Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
So such audits depend on what the customer wants and how knowing he is, coz if you are concerned about something you will need it done. So Audit Policies should always have a questionnaire when picking Security Vendors, which helps to narrow down to the right auditing firm.
The other day I was doing a penetration test for a client who has a set of servers with one Portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. So amazingly there was a plugin in the webserver that gave me a way to root since it had a SQL injection on it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly the security administrator should have seen that guys mistype their passwords when sshing and leave them in their history.
What amazed me was that this Company that had done the audit before was a well proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk Part of the Assessment wasn't done.
So the question is, are these Auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly, do these papers (Certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look at the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.
So what I think is needed is real change as far as such issues are concerned; otherwise, all organizations in Africa/Kenya are open to serious compromise, especially Govt Infrastructure.
Two Cents!
./Chuks
>> >> Skunkworks mailing list >> >> Skunkworks@lists.my.co.ke >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> >> ------------ >> >> Skunkworks Rules >> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> >> ------------ >> >> Other services @ http://my.co.ke >> >> Other lists >> >> ------------- >> >> Announce: >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> >> Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> >> kazi: >> >> http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> >> >> > >> > >> > >> > -- >> >
>> > Joshua Amolo >> > Cell: +254 720 263308/+255 783 060052 >> > >> > >> > Managing IT people is like herding cats >> > >> >> >> -- >> -- >> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P >> I.T Security Analyst and Penetration Tester >> infosigmer@inbox.com >> >> {FORUM}http://lists.my.co.ke/pipermail/security/ >> http://nspkenya.blogspot.com/ >> http://chuksjonia.blogspot.com/ >>
>> Skunkworks mailing list >> Skunkworks@lists.my.co.ke >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> ------------ >> Skunkworks Rules >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> ------------ >> Other services @ http://my.co.ke >> Other lists >> ------------- >> Announce: >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> > > > > -- >
> Joshua Amolo > Cell: +254 720 263308/+255 783 060052 > > > Managing IT people is like herding cats >
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/
Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.
Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/ _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

@./Chuks

I hear you... however I must still repeat that CISAs are by design NOT Penetration Testers. So it is harsh to judge their relevance based on their failure to execute a PenTest.

Just to repeat, CISAs evaluate and focus on the big picture of the Security ecosystem - i.e. the relationship between People, Processes and Systems that is necessary to provide assurance that risk is mitigated. And taking your Penetration test example further, indeed you may have exposed and sealed the loophole in the Webserver (if your focus is ONLY on "Systems") but if the "People" and the "Process" aspects are weak, your superior technical solutions may still fail to address the overall Security objectives.

That said, if I were a CISA and had that Audit job that required Penetration testing, I would have definitely hired you ;-)

walu.

--- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:

From: Preston <podera@k90ea.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Thursday, October 22, 2009, 12:32 AM

Hi All

CISSP is for Security Professional just like CISM is for Security Manager. Let us think of MBA or BSc and then we will know how deep we can go with the discussion.

Preston

--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Wednesday, October 21, 2009, 12:01 PM

Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
So such audits depend on what the customer wants and how knowing he is, coz if you are concerned about something you will need it done. So Audit Policies should always have questionnaires when picking Security Vendors, which helps to narrow down to the right auditing firm.
The other day I was doing a penetration test for a client who has a set of servers with one Portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. So amazingly there was a plugin in the webserver that gave me a way to root, since it had a SQL injection in it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly the security administrator should have seen that guys mistakenly type their passwords when sshing and leave them in their history.
What amazed me was that the company that had done the audit before was a well-proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk part of the Assessment wasn't done.
So the question is, are these Auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly, do these papers (Certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look up the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.
So what I think is needed is real change as far as such issues are concerned, otherwise all organizations in Africa/Kenya are open to serious compromise, especially Govt Infrastructure.
Two Cents!
./Chuks
On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISAs (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt
And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings... rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. nb: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers, Network Vulnerability Experts can only handle their areas, but only to the level their knowledge can allow, with a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but have to make an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards.
What is also required is a team leader and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these the teamwork of different professions is required, guided by a leader who has received certain qualification, where CISA is one of them.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com>
Subject: Re: [Skunkworks] AUDIT OF IT
To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>
Date: Tuesday, October 20, 2009, 10:58 AM

I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most accounting nowadays is dependent on IT, as are most business processes.
But how does an accountant (the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Skunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
I'm liking this... so far Chuks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:

If you check my mail again Chuks, I talked about SCOPE.

On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:

@Joshua, yah mistaken. What does an IT Audit consist of? Because a Code Audit is part of an IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?

On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:

I don't think there is anything wrong with a Finance guy auditing IT.

The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.

For example if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network for example, there are very powerful tools a Finance guy can use.

Cynthia I agree with you, sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer have a motherboard?', the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.

On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:

The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audits, hence you will find many accountants rushed to do CISA.
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
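The penetration test described in Chuks's message above (a blind SQL injection in a web-server plugin leading to a bind shell under Apache, and passwords left in users' shell history) points at two things a security administrator could have caught on the host itself. What follows is an added example, not code from anyone in this thread: two Python checks run over constructed `ps -eo user,pid,ppid,comm`, `ss -ltnp` and `~/.bash_history` samples. The service-account names, daemon names, expected ports, shell-holding tools and password patterns are assumptions chosen to fit a SUSE/Apache host like the one described; adjust them to the environment being audited.

```python
# Added example (not from the thread): host checks for the two misses in the pentest
# story above. Names, ports and patterns below are assumptions; sample data is constructed.
import re
import shlex

WEB_USERS = {"www-data", "wwwrun", "apache", "httpd"}          # assumed service accounts
WEB_DAEMONS = {"httpd", "apache2", "httpd2", "httpd2-prefork"}  # assumed daemon names
EXPECTED_WEB_PORTS = {80, 443}                                  # what the web tier may own
SHELLS = {"sh", "bash", "dash", "nc", "ncat", "perl", "python", "python3"}  # shell holders
# Commands that prompt for a password; a bare token right after one of them is usually
# the password typed into the shell prompt by mistake and recorded in history.
LOGIN_COMMANDS = {"ssh", "su", "sudo", "scp", "sftp", "mysql", "psql", "ftp", "telnet"}
# Passwords handed over on the command line (assumed common forms, not exhaustive).
INLINE_SECRET = re.compile(r"sshpass\s+-p\s*\S+|--password=\S+|\bPASSWORD=\S+|\bmysql\b.*\s-p\S+")
# One row of `ps -eo user,pid,ppid,comm` (the header row does not match) and one row of
# `ss -ltnp` (only the first process in the users:(...) list is taken).
PS_ROW = re.compile(r"^(?P<user>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<comm>\S+)$")
SS_ROW = re.compile(r'^LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+'
                    r'users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+),fd=\d+\)')

def parse_ps(ps_lines):
    """Map pid -> {user, ppid, comm}."""
    procs = {}
    for line in ps_lines:
        m = PS_ROW.match(line.strip())
        if m:
            procs[int(m["pid"])] = {"user": m["user"], "ppid": int(m["ppid"]), "comm": m["comm"]}
    return procs

def spawned_by_web_server(pid, procs, max_depth=32):
    """True if some ancestor of pid is the web server daemon (walks the ppid chain)."""
    for _ in range(max_depth):
        if pid not in procs:
            return False
        parent = procs[pid]["ppid"]
        if procs.get(parent, {}).get("comm") in WEB_DAEMONS:
            return True
        pid = parent
    return False

def find_rogue_listeners(ps_lines, ss_lines):
    """(pid, port, comm, owner, reason) for listening sockets the web tier should not own."""
    procs, findings = parse_ps(ps_lines), []
    for line in ss_lines:
        m = SS_ROW.match(line.strip())
        if not m:
            continue
        pid, port, comm = int(m["pid"]), int(m["port"]), m["comm"]
        owner = procs.get(pid, {}).get("user", "?")
        reasons = []
        if owner in WEB_USERS and port not in EXPECTED_WEB_PORTS:
            reasons.append(f"web service account {owner} listens on unexpected port {port}")
        if comm in SHELLS and spawned_by_web_server(pid, procs):
            reasons.append(f"{comm} descended from the web server holds a listening socket")
        if reasons:
            findings.append((pid, port, comm, owner, "; ".join(reasons)))
    return findings

def looks_like_typed_password(line, known_commands):
    """Heuristic: a single token bash would not find as a command, mixing letters and digits."""
    first = line.split()[0]
    if first in known_commands or first.startswith(("./", "/", "~", "$")):
        return False
    return (" " not in line and not any(c in line for c in "|&;<>=`")
            and any(c.isdigit() for c in line) and any(c.isalpha() for c in line))

def find_history_credentials(history_lines, known_commands):
    """(line_no, reason, line) for history entries that expose a credential."""
    findings, previous = [], None
    for n, raw in enumerate(history_lines, 1):
        line = raw.strip()
        if not line:
            continue
        if INLINE_SECRET.search(line):
            findings.append((n, "password passed on the command line", line))
        elif previous in LOGIN_COMMANDS and looks_like_typed_password(line, known_commands):
            findings.append((n, f"bare token right after '{previous}', likely a typed password", line))
        try:
            previous = shlex.split(line)[0]
        except ValueError:  # unbalanced quotes: fall back to a plain split
            previous = line.split()[0]
    return findings

# Constructed samples: a SUSE/Apache host where a prefork worker has spawned a shell that
# listens on 4444, plus an administrator's ~/.bash_history. KNOWN_COMMANDS stands in for
# the commands installed on the host (build it from $PATH and shell builtins in practice).
PS_SAMPLE = """\
USER       PID  PPID COMMAND
root       900     1 sshd
root      1890     1 httpd2-prefork
wwwrun    1891  1890 httpd2-prefork
wwwrun    2231  1891 sh
wwwrun    2232  2231 nc""".splitlines()
SS_SAMPLE = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=900,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("httpd2-prefork",pid=1890,fd=4))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*         users:(("nc",pid=2232,fd=3))""".splitlines()
HISTORY_SAMPLE = """\
ssh admin@10.0.0.12
Summer2009!
sudo -i
mysql -u root -pS3cretDBpass billing
exit""".splitlines()
KNOWN_COMMANDS = {"cd", "ls", "ssh", "su", "sudo", "mysql", "exit", "cat", "vi", "grep", "ps", "ss"}
```

On the constructed data, `find_rogue_listeners` flags only the `nc` process on port 4444 (owned by `wwwrun`, with an `httpd2-prefork` worker two levels up the parent chain) and leaves `sshd` and the real port-80 listener alone; `find_history_credentials` flags the bare `Summer2009!` line that follows `ssh` and the `-pS3cretDBpass` on the `mysql` line, but not `exit`. On a live host, feed the functions the real command output and build `known_commands` from the directories on `$PATH` plus the shell's builtins; the typed-password heuristic will still produce false positives (a hostname typed on its own, for instance), so treat its hits as leads to verify rather than findings.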

@Walu, So in short, should CISAs be taking Security Assessment Jobs?

On 10/22/09, Walubengo J <jwalu@yahoo.com> wrote:
@./Chuks
I hear you...however I must still repeat that CISAs are by design NOT Penetration Testers. So it is harsh to judge their relevance based on their failure to execute a PenTest.
Just to repeat, CISAs evaluate and focus on the big picture of the Security ecosystem - i.e the relationship between People, Processes and Systems that is necessary to provide assurance that risk is mitigated. And taking your Penetration test example further, indeed you may have exposed and sealed the loophole in the Webserver (if your focus being ONLY on "Systems") but if the "People" and the "Process" aspects are weak, your superior technical solutions may still fail to address the overall Security objectives.
That said, if I was a CISA and had that Audit job that required Penetration testing, I would have definitely hired you ;-)
walu. --- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Thursday, October 22, 2009, 12:32 AM
Hi All
CISSP is for Security Professional just like CISM is for Security Manager. Let us think of MBA or Bsc and then we will know how deep we can go with the discussion.
Preston
--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Wednesday, October 21, 2009, 12:01 PM Personally i think a CISSP is much more better than a CISA, since he see things the technical way and also Managerial way. The other day in Ghana some CISA guys were doing security audit and they were asking for files in a SUSE server that never exist. I don't know where they heard that from, and as far as as am concerned, such info can be Googled.
So such audits depends on what the customer wants and how knowing he is, coz if you are concerned about something you will need it done. So Audit Policies should always have a questionnaires when picking up Security Vendors which helps to narrow down to the right auditing firm.
The other day i was doing a penetration testing for a client who have a set of servers with one Portal on the bonder. A big company had done a pentest a month before but they client wasn't satisfied, so he needed a real penetration test. So amazingly there was a plugin in the webserver that gave me way to root since it had a sql injection on it though blind. so i blindly uploaded code that would run arbitrary commands and soon i had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read history of all the users. So one thing i noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly the security administrator should have seen that guys miss to write their passwords when sshing and leaving them in their history.
What amazed me was that this Company that had done the audit before was a well proclaimed companies that was assigned with this same task and failed to deliver. They have CISAs, CISSPs, CEHs, proffessionals but Risk Part of the Assessment wasn't done.
So the question is, are the these Auditors just doing it for the money, or just having so much fun leaving Gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly do these papers(Certs) matter these days in the world of IT, coz i have seen Bedroom coders who end being better than even guys who went to school. Look-up at the Kenyan BDS developer, @kasina in tweeter, that guy didn't learn C in school.
So what i think is real change as far such issues are concerned otherwise, all organizations in Africa/Kenya are open to serious compromise especially Govt Infrastructure.
Two Cents!
./Chuks
On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISAs (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt
And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the building... rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. nb: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, and only to the level their knowledge allows, on a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but have to give an assurance that the areas being audited are meeting some standards, either as defined by the company being audited or guided by international standards.
What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received certain qualifications, of which CISA is one.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 10:58 AM
I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as are most business processes.
But how does an accountant (as the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Skunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
I'm liking this... so far Chuks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, I talked about SCOPE.
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Joshua, yah mistaken. What does an IT Audit consist of? Because a Code Audit is part of an IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
I don't think there is anything wrong with a Finance guy auditing IT.
The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
For example, if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network, for example, there are very powerful tools a Finance guy can use.
Cynthia, I agree with you; sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer have a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audit, hence you will find many accountants rushed to do CISA.
Secondly, in any organisation the three P's are important (People, Products and Profits); systems and IT, for that matter, in most cases are enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits.
There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end-year results of a company. I find it very ironic and old-school thinking from those days when I.T used to fall under the Finance department/Division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
A company's systems infrastructure has become very complex; look at a situation where a company has several DMZs, each hosting different systems, several Server Farms, Webhosting Facilities, a super big ERP.... and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit meaning management, financial and security audit.... forgive me but I find it plain stupid!
The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place then the chances of being audited on Security by a CPA-K are reduced because the I.T guy will spot their incompetencies from a mile away...
On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
Most Audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background, e.g. Systems Development, Systems and Network Administration or Database Administration.
Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
Can someone from ISACA the Kenyan chapter respond to this issue and tell us the way forward? We need some level of regulation on this.
On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
Dear All
Let me get your thoughts on this.
Is it right for a Finance guy to come and do an audit to an IT department yet the Finance guy has no clue about IT? I won't name the audit firm here but I wonder, when they go to the net and download a form then they come and ask you silly questions, it makes me question them.
People, my question is this: Who should do an IT audit? Finance People? or IT People? I stand to be corrected.
-- Edmund C. O. Okumu, P.O Box 8490-00200, Nairobi, Kenya. TEL: 254-721-734935
-- Joshua Amolo, Cell: +254 720 263308/+255 783 060052. Managing IT people is like herding cats
-- Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P, I.T Security Analyst and Penetration Tester, infosigmer@inbox.com {FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com {FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/
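Two host-side checks that would have surfaced the two signs ./Chuks says the client's security administrator should have noticed: the web-server account owning a listening socket it has no business owning, and a password typed into the shell after an ssh command and left in the history. This is an added example written from the defender's side; it is not code from the thread or from any participant. It assumes the web server runs as www-data on ports 80/443, takes socket data in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`, and works on constructed sample input so it runs offline.

```python
"""Two host checks a security administrator could run to catch the signs
described in the post above: (1) the web-server account owning a LISTENing
socket it should not own, which is how a bind shell spawned through a web
plugin looks from the inside, and (2) shell-history lines that look like a
password typed at the wrong prompt after an ssh/sudo/su command.

Assumptions for this example: the web server runs as 'www-data' and serves
only ports 80/443; socket data comes from `lsof -nP -iTCP -sTCP:LISTEN`
style output. Both inputs below are constructed samples, not real captures.
"""
import re

WEB_USER = "www-data"                 # assumed web-server account
WEB_BINARIES = {"apache2", "httpd"}   # binaries allowed to listen as WEB_USER
EXPECTED_WEB_PORTS = {80, 443}        # ports the web server is expected to use

# Constructed sample in the column layout of `lsof -nP -iTCP -sTCP:LISTEN`.
# The parent apache2 legitimately runs as root; the workers run as www-data.
SAMPLE_LSOF = """\
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812     root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
apache2  1201     root    4u  IPv4  12350      0t0  TCP *:80 (LISTEN)
apache2  1202 www-data    4u  IPv4  12350      0t0  TCP *:80 (LISTEN)
apache2  1202 www-data    6u  IPv4  12351      0t0  TCP *:443 (LISTEN)
sh       3391 www-data    3u  IPv4  22710      0t0  TCP *:4444 (LISTEN)
"""

# Constructed sample of a user's ~/.bash_history; line 3 is a password typed
# after an ssh command that did not prompt the way the user expected.
SAMPLE_HISTORY = """\
cd /var/www
ssh deploy@10.0.0.5
Summ3r!2009
ls -la
ssh deploy@10.0.0.5
exit
"""

LISTEN_RE = re.compile(r":(\d+)\s+\(LISTEN\)\s*$")


def parse_listeners(lsof_text):
    """Parse lsof-style LISTEN rows into (command, pid, user, port) tuples."""
    rows = []
    for line in lsof_text.splitlines()[1:]:   # first line is the header
        fields = line.split()
        match = LISTEN_RE.search(line)
        if len(fields) < 9 or not match:
            continue
        rows.append((fields[0], int(fields[1]), fields[2], int(match.group(1))))
    return rows


def unexpected_listeners(lsof_text, web_user=WEB_USER):
    """Listening sockets owned by the web-server account that are either not
    the web-server binary or not on a port the web server should use."""
    return [
        (cmd, pid, port)
        for cmd, pid, user, port in parse_listeners(lsof_text)
        if user == web_user
        and (cmd not in WEB_BINARIES or port not in EXPECTED_WEB_PORTS)
    ]


# Commands after which a user is likely to be typing a password.
PROMPTING_COMMANDS = ("ssh ", "scp ", "sudo ", "su ", "mysql ")
# A single token of 6+ chars with letters plus at least one digit or symbol:
# it looks like a credential rather than a command name.
CRED_LIKE = re.compile(r"^(?=.*[A-Za-z])(?=.*[0-9!@#$%^&*?_-])\S{6,}$")


def suspicious_history_lines(history_text):
    """Return 1-based line numbers of history entries that look like a password
    typed right after a command that normally prompts for one. Only line
    numbers are returned so the report itself does not leak the secret."""
    hits = []
    prev = ""
    for num, raw in enumerate(history_text.splitlines(), 1):
        line = raw.strip()
        if prev.startswith(PROMPTING_COMMANDS) and CRED_LIKE.match(line):
            hits.append(num)
        prev = line
    return hits


if __name__ == "__main__":
    for cmd, pid, port in unexpected_listeners(SAMPLE_LSOF):
        print(f"ALERT: {cmd} (pid {pid}) listening on port {port} as {WEB_USER}")
    for num in suspicious_history_lines(SAMPLE_HISTORY):
        print(f"ALERT: history line {num} looks like a typed password; rotate it")
```

On the constructed samples the first check reports only the `sh` process bound to port 4444 as www-data (the apache2 workers on 80/443 pass), and the second reports history line 3. Both checks are cheap enough to run from cron and feed into whatever alerting the admin already has; the history check deliberately reports a line number rather than the matched text so the alert itself does not become a second copy of the password.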

Chuks you are taking this discussion round in circles. Walubengo has just cleared that.
Ikua
On Thu, Oct 22, 2009 at 3:16 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Walu, So in short, should CISAs be taking Security Assessment Jobs?
On 10/22/09, Walubengo J <jwalu@yahoo.com> wrote:
@./Chuks
I hear you... however I must still repeat that CISAs are by design NOT Penetration Testers. So it is harsh to judge their relevance based on their failure to execute a PenTest.
Just to repeat, CISAs evaluate and focus on the big picture of the Security ecosystem - i.e. the relationship between People, Processes and Systems that is necessary to provide assurance that risk is mitigated. And taking your Penetration test example further, indeed you may have exposed and sealed the loophole in the Webserver (if your focus is ONLY on "Systems"), but if the "People" and the "Process" aspects are weak, your superior technical solutions may still fail to address the overall Security objectives.
That said, if I was a CISA and had that Audit job that required Penetration testing, I would have definitely hired you ;-)
walu.
--- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Thursday, October 22, 2009, 12:32 AM
Hi All
CISSP is for Security Professionals just like CISM is for Security Managers. Let us think of MBA or BSc and then we will know how deep we can go with the discussion.
Preston
--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Wednesday, October 21, 2009, 12:01 PM
Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files in a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
>> >> >>>> Skunkworks mailing list >> >> >>>> Skunkworks@lists.my.co.ke >> >> >>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> >> >>>>
>> >> >>>> Skunkworks Rules >> >> >>>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> >> >>>>
>> >> >>>> Other services @ http://my.co.ke >> >> >>>> Other lists >> >> >>>>
>> >> >>>> Announce: >> >> >>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> >> >>>> Science: >> >> >>>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> >> >>>> kazi: >> >> >>>> http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> >> >>>> >> >> >>> >> >> >>> >> >> >>>
>> >> >>> Skunkworks mailing list >> >> >>> Skunkworks@lists.my.co.ke >> >> >>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> >> >>> ------------ >> >> >>> Skunkworks Rules >> >> >>> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> >> >>> ------------ >> >> >>> Other services @ http://my.co.ke >> >> >>> Other lists >> >> >>> ------------- >> >> >>> Announce: >> >> >>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> >> >>> Science: >> >> >>> http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> >> >>> kazi: >> >> >>> http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> >> >>> >> >> >> >> >> >> >> >> >>
>> >> >> Skunkworks mailing list >> >> >> Skunkworks@lists.my.co.ke >> >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> >> >> ------------ >> >> >> Skunkworks Rules >> >> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> >> >> ------------ >> >> >> Other services @ http://my.co.ke >> >> >> Other lists >> >> >> ------------- >> >> >> Announce: >> >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> >> >> Science: >> >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> >> >> kazi: >> >> >> http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> >> >> >> >> > >> >> > >> >> > >> >> > -- >> >> >
>> >> > Joshua Amolo >> >> > Cell: +254 720 263308/+255 783 060052 >> >> > >> >> > >> >> > Managing IT people is like herding cats >> >> > >> >> >> >> >> >> -- >> >> -- >> >> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P >> >> I.T Security Analyst and Penetration Tester >> >> infosigmer@inbox.com >> >> >> >> {FORUM}http://lists.my.co.ke/pipermail/security/ >> >> http://nspkenya.blogspot.com/ >> >> http://chuksjonia.blogspot.com/ >> >>
>> >> Skunkworks mailing list >> >> Skunkworks@lists.my.co.ke >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> >> ------------ >> >> Skunkworks Rules >> >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> >> ------------ >> >> Other services @ http://my.co.ke >> >> Other lists >> >> ------------- >> >> Announce: >> >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> >> Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> >> kazi: >> >> http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> >> >> > >> > >> > >> > -- >> >
>> > Joshua Amolo >> > Cell: +254 720 263308/+255 783 060052 >> > >> > >> > Managing IT people is like herding cats >> > >> >> >> -- >> -- >> Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P >> I.T Security Analyst and Penetration Tester >> infosigmer@inbox.com >> >> {FORUM}http://lists.my.co.ke/pipermail/security/ >> http://nspkenya.blogspot.com/ >> http://chuksjonia.blogspot.com/ >>
>> Skunkworks mailing list >> Skunkworks@lists.my.co.ke >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks >> ------------ >> Skunkworks Rules >> http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 >> ------------ >> Other services @ http://my.co.ke >> Other lists >> ------------- >> Announce: >> http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce >> Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science >> kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general >> > > > > -- > "Change is slow and gradual. It requires hardwork, a bit of > luck, a fair amount of self-sacrifice and a lot of patience." > > Roy. >
Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/ _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
_______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/ _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

hehe...I have to agree with Evans on that one....he answered your question and even added that he would hire you.... :-)
On Thu, Oct 22, 2009 at 3:45 PM, Evans Ikua <ikua.evans@gmail.com> wrote:
Chuks, you are taking this discussion round in circles. Walubengo has just cleared that up.
Ikua
On Thu, Oct 22, 2009 at 3:16 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Walu, so in short, should CISAs be taking Security Assessment jobs?
On 10/22/09, Walubengo J <jwalu@yahoo.com> wrote:
@./Chuks
I hear you... however I must still repeat that CISAs are by design NOT Penetration Testers. So it is harsh to judge their relevance based on their failure to execute a PenTest.
Just to repeat, CISAs evaluate and focus on the big picture of the Security ecosystem - i.e. the relationship between People, Processes and Systems that is necessary to provide assurance that risk is mitigated. And taking your Penetration test example further, indeed you may have exposed and sealed the loophole in the Webserver (if your focus is ONLY on "Systems"), but if the "People" and the "Process" aspects are weak, your superior technical solutions may still fail to address the overall Security objectives.
That said, if I was a CISA and had that Audit job that required Penetration testing, I would have definitely hired you ;-)
walu. --- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Thursday, October 22, 2009, 12:32 AM
Hi All
CISSP is for the Security Professional just like CISM is for the Security Manager. Let us think of MBA or BSc and then we will know how deep we can go with the discussion.
Preston
--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Wednesday, October 21, 2009, 12:01 PM
Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
So such audits depend on what the customer wants and how knowledgeable he is, coz if you are concerned about something you will need it done. So audit policies should always have a questionnaire when picking Security Vendors, which helps to narrow down to the right auditing firm.
The other day I was doing a penetration test for a client who had a set of servers with one portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. Amazingly, there was a plugin in the webserver that gave me a way to root since it had a SQL injection on it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly, the security administrator should have seen that guys mistype their passwords when sshing and leave them in their history.
What amazed me was that this company that had done the audit before was a well-proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk part of the Assessment wasn't done.
So the question is, are these auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly, do these papers (certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look up the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.
So what I think is needed is real change as far as such issues are concerned; otherwise, all organizations in Africa/Kenya are open to serious compromise, especially Govt infrastructure.
Two Cents!
./Chuks
On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISAs (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt
And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings...rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. NB: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, and only to the level their knowledge can allow, on a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or company. Also hands-on experience plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts in the areas being audited!! The experts might not be better than those being audited (even on financial audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but have to give assurance that the areas being audited are meeting some standards, either as defined by the company being audited or guided by international standards.
What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials, etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received a certain qualification, of which CISA is one.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 10:58 AM
I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most accounting nowadays is dependent on IT, as are most business processes.
But how does an accountant (the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Slunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
am liking this... so far Chucks is leading :)
-- "Change is slow and gradual. It requires hardwork, a bit of luck, a fair amount of self-sacrifice and a lot of patience." Roy.
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, I talked about SCOPE.
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Joshua, yah, mistaken. What does an IT audit consist of? Because a code audit is part of an IT audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write it?
-- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com {FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
I don't think there is anything wrong with a Finance guy auditing IT.
The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
For example, if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network, for example, there are very powerful tools a Finance guy can use.
Cynthia, I agree with you: sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer have a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
-- Joshua Amolo Cell: +254 720 263308/+255 783 060052 Managing IT people is like herding cats
On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the financial audits, hence you will find many accountants rushed to do CISA.
Secondly, in any organisation the three P's are important (People, Products and Profits); systems and IT, for that matter, are in most cases enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits.
There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end-year results of a company. I find it very ironic and old-school thinking from those days when I.T used to fall under the Finance department/division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
A company's systems infrastructure has become very complex; look at a situation where a company has several DMZs each hosting different systems, several server farms, webhosting facilities, a super big ERP....and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit meaning management, financial and security audit....forgive me but I find it plain stupid!
The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place, then the chances of being audited on Security by a CPA-K are reduced because the I.T guy will spot their incompetencies from a mile away...
On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
Most audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as IT audit requires an IT audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background, e.g. Systems Development, Systems and Network Administration or Database Administration.
Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
Can someone from ISACA, the Kenyan chapter, respond to this issue and tell us the way forward. We need some level of regulation on this.
-- Edmund C. O. Okumu P.O Box 8490-00200, Nairobi, Kenya. TEL: 254-721-734935
> Skunkworks mailing list > Skunkworks@lists.my.co.ke > http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks > ------------ > Skunkworks Rules > http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 > ------------ > Other services @ http://my.co.ke > Other lists > ------------- > Announce: > http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce > Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science > kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general > _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/ _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general

Hey, we gotta go clear on this, LOL! On 10/22/09, Eric Mugo <kabugum@gmail.com> wrote:
Hehe... I have to agree with Evans on that one.... He answered your question and even added that he would hire you.... :-)
On Thu, Oct 22, 2009 at 3:45 PM, Evans Ikua <ikua.evans@gmail.com> wrote:
Chuks you are taking this discussion round in circles. Walubengo has just cleared that. Ikua
On Thu, Oct 22, 2009 at 3:16 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
@Walu, So in short, should CISAs be taking Security Assessment Jobs?
On 10/22/09, Walubengo J <jwalu@yahoo.com> wrote:
@./Chuks
I hear you...however I must still repeat that CISAs are by design NOT Penetration Testers. So it is harsh to judge their relevance based on their failure to execute a PenTest.
Just to repeat, CISAs evaluate and focus on the big picture of the Security ecosystem - i.e. the relationship between People, Processes and Systems that is necessary to provide assurance that risk is mitigated. And taking your penetration test example further, indeed you may have exposed and sealed the loophole in the webserver (if your focus is ONLY on "Systems"), but if the "People" and the "Process" aspects are weak, your superior technical solutions may still fail to address the overall Security objectives.
That said, if I was a CISA and had that Audit job that required Penetration testing, I would have definitely hired you ;-)
walu. --- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Thursday, October 22, 2009, 12:32 AM
Hi All
CISSP is for the Security Professional just like CISM is for the Security Manager. Let us think of MBA or BSc and then we will know how deep we can go with the discussion.
Preston
--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Wednesday, October 21, 2009, 12:01 PM Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that never existed. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
So such audits depend on what the customer wants and how knowledgeable he is, because if you are concerned about something you will need it done. So audit policies should always have a questionnaire when picking security vendors, which helps narrow down to the right auditing firm.
The other day I was doing a penetration test for a client who has a set of servers with one portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. Amazingly, there was a plugin in the webserver that gave me a way to root, since it had a SQL injection in it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly, the security administrator should have seen that guys mistype their passwords when sshing and leave them in their history.
What amazed me was that the company that had done the audit before was a well-proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the risk part of the assessment wasn't done.
So the question is, are these auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly, do these papers (certs) matter these days in the world of IT? I have seen bedroom coders who end up being better than even guys who went to school. Look up the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.
So what I think is needed is real change as far as such issues are concerned; otherwise, all organizations in Africa/Kenya are open to serious compromise, especially Govt infrastructure.
Two Cents!
./Chuks
On 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
I agree with Ikua/Preston. CISAs (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt
And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the building... rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. NB: I am a CISA but not an accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, and only to the level their knowledge allows, on a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or a company. Hands-on experience also plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts in the areas being audited! The experts might not be better than those being audited (even in financial audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but they have to give assurance that the areas being audited are meeting some standards, both as defined by the company being audited and as guided by international standards.
What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions, while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received a certain qualification, of which CISA is one.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 10:58 AM
I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as are most business processes.
But how does an accountant (the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear of someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Slunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
Am liking this... so far Chucks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, I talked about SCOPE
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
@Joshua, yah mistaken. What does an IT Audit consist of? Because a Code Audit is part of an IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
I don't think there is anything wrong with a Finance guy auditing IT.
The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
For example if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network for example, there are very powerful tools a Finance guy can use.
Cynthia, I agree with you, sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer has a motherboard?'; the technician was so pissed he plainly just said 'no, this one uses a fatherboard'.
On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the financial audit, hence you will find many accountants rushed to do CISA.
Secondly, in any organisation the three P's are important (People, Products and Profits); systems and IT, for that matter, are in most cases enablers to help the people, to move the products faster to the market and to increase efficiency, hence profits.
There are some IT audits which finance people can perform well, while there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end-year results of a company. I find it very ironic and old-school thinking from those days when I.T used to fall under the Finance department/division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
A company's systems infrastructure has become very complex; look at a situation where a company has several DMZs each hosting different systems, several server farms, webhosting facilities, a super big ERP.... and then you bring an accountant to do a security audit of the systems, or rather perform an entire audit, meaning management, financial and security audit.... forgive me but I find it plain stupid!
The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place, then the chances of being audited on Security by a CPA-K are reduced because the I.T guy will spot their incompetencies from a mile away...
On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
Most audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT, as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background e.g. Systems Development, Systems and Network Administration or Database Administration.
Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
Can someone from ISACA, the Kenyan chapter, respond to this issue and tell us the way forward. We need some level of regulation on this.
On Sun, Oct 18, 2009 at 6:07 PM, Cynthia Wahome <cwahome@jambo.co.ke> wrote:
Dear All
Let me get your thoughts on this.
Is it right for a Finance guy to come and do an audit of an IT department yet the Finance guy has no clue about IT? I won't name the audit firm here but I wonder, when they go to the net and download a form then they come and ask you silly questions, it makes me question them.
People, my question is this:
Who should do an IT audit? Finance People? or IT People? I stand to be corrected.
-- -- Gichuki John Ndirangu, C.E.H , C.P.T.P, O.S.C.P I.T Security Analyst and Penetration Tester infosigmer@inbox.com
{FORUM}http://lists.my.co.ke/pipermail/security/ http://nspkenya.blogspot.com/ http://chuksjonia.blogspot.com/ _______________________________________________ Skunkworks mailing list Skunkworks@lists.my.co.ke http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks ------------ Skunkworks Rules http://my.co.ke/phpbb/viewtopic.php?f=24&t=94 ------------ Other services @ http://my.co.ke Other lists ------------- Announce: http://lists.my.co.ke/cgi-bin/mailman/listinfo/skunkworks-announce Science: http://lists.my.co.ke/cgi-bin/mailman/listinfo/science kazi: http://lists.my.co.ke/cgi-bin/mailman/admin/kazi/general
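The pentest Chuks describes in his Oct 21 message quoted above ends with two things the client's security administrator should have caught on the box: the web server (or the shell it spawned) listening on a port that nothing legitimate should own, and passwords typed one line too early and saved into users' shell history. The script below is an added example, not code from anyone on this list, showing what those two host-side checks look like. It reads the text of `ss -ltnp`, `ps -eo user,pid,comm` and a `.bash_history`; the `SAMPLE_*` inputs are constructed for the example and mirror the scenario in the thread (an Apache worker running as root with a bindshell beside it), and the allowlist of expected listeners and the password heuristic are assumptions to tune per host.

```python
"""Added example (not from the Skunkworks thread): two host-side checks for the
post-mortem Chuks describes. Inputs are the text of `ss -ltnp`, `ps -eo
user,pid,comm` and a shell history file. The SAMPLE_* values are constructed
for this example and mirror the thread's scenario (web server worker running
as root, bindshell listening next to it)."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Allowlist of who may listen where: an assumption for this host, tune per host.
EXPECTED_LISTENERS: Dict[str, Set[int]] = {"sshd": {22}, "apache2": {80, 443}}

# Commands that prompt for a password; the next history line is suspect if it
# looks like a secret rather than a command.
CREDENTIAL_PROMPT_CMDS = {"ssh", "scp", "sftp", "su", "sudo"}
HARMLESS_SINGLE_WORDS = {"exit", "clear", "ls", "pwd", "history", "logout", "top", "whoami", "id"}

_PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+),fd=\d+\)')


def parse_ss(ss_text: str) -> List[Tuple[int, str, int]]:
    """Parse `ss -ltnp` output into (port, process_name, pid) tuples."""
    sockets = []
    for line in ss_text.splitlines():
        if not line.startswith("LISTEN"):
            continue                                   # header line
        local = line.split()[3]                        # 0.0.0.0:22, *:80, [::]:443
        port = int(local.rsplit(":", 1)[1])
        for name, pid in _PROC_RE.findall(line):       # one socket may list several pids
            sockets.append((port, name, int(pid)))
    return sockets


def parse_ps(ps_text: str) -> Dict[int, str]:
    """Parse `ps -eo user,pid,comm` output into {pid: owning user}."""
    owners: Dict[int, str] = {}
    for line in ps_text.splitlines()[1:]:              # skip the USER PID COMMAND header
        user, pid, _comm = line.split(None, 2)
        owners[int(pid)] = user
    return owners


def audit_listeners(ss_text: str, ps_text: str,
                    expected: Dict[str, Set[int]] = EXPECTED_LISTENERS) -> List[dict]:
    """Report every listening socket not covered by the allowlist. A listener
    owned by root (the 'Apache was already privileged' case) is rated high."""
    owners = parse_ps(ps_text)
    findings = []
    for port, name, pid in parse_ss(ss_text):
        if port in expected.get(name, set()):
            continue
        user = owners.get(pid, "?")
        findings.append({
            "port": port, "process": name, "pid": pid, "user": user,
            "severity": "high" if user == "root" else "medium",
            "reason": f"{name} (pid {pid}, user {user}) is not expected to listen on {port}",
        })
    return findings


def _looks_like_password(token: str) -> bool:
    """Heuristic: a single token that is neither a plain command word nor a path."""
    if not token or " " in token or token in HARMLESS_SINGLE_WORDS:
        return False
    if token.startswith(("/", "./", "~", "-")):
        return False                                   # program path or option
    return not token.isalpha() or len(token) >= 12     # digits/punctuation, or very long


def find_history_leaks(history_lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Find a line that follows an ssh/su/sudo command and looks like the password
    typed before the prompt appeared. The secret is masked in the result so the
    report does not become a second copy of it."""
    leaks = []
    prev = ""
    for n, raw in enumerate(history_lines, 1):
        line = raw.strip()
        trigger = prev.split()[0] if prev else ""
        if trigger in CREDENTIAL_PROMPT_CMDS and _looks_like_password(line):
            masked = line[0] + "*" * (len(line) - 2) + line[-1] if len(line) > 2 else "**"
            leaks.append((n, prev, masked))
        prev = line
    return leaks


# Constructed sample output, not captured from a real host.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=1204,fd=4),("apache2",pid=1203,fd=4))
LISTEN 0      511    [::]:443            [::]:*            users:(("apache2",pid=1203,fd=6))
LISTEN 0      1      0.0.0.0:4444        0.0.0.0:*         users:(("sh",pid=1337,fd=3))
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*         users:(("apache2",pid=1204,fd=9))
"""
SAMPLE_PS = """USER     PID COMMAND
root     812 sshd
root    1203 apache2
root    1204 apache2
root    1337 sh
"""
SAMPLE_HISTORY = [
    "ls -la",
    "ssh deploy@10.0.0.5",
    "Sup3rS3cret!",                     # typed before the Password: prompt appeared
    "ssh -p 2222 admin@db01",
    "sudo tail -f /var/log/apache2/error.log",
    "exit",
]

if __name__ == "__main__":
    for f in audit_listeners(SAMPLE_SS, SAMPLE_PS):
        print(f"[{f['severity']}] {f['reason']}")
    for n, cmd, masked in find_history_leaks(SAMPLE_HISTORY):
        print(f"history line {n}: possible password {masked} after '{cmd}'")
```

On the constructed sample this reports the `sh` bindshell on 4444 and the Apache worker that bound 8080, both rated high because the owning user is root, and flags history line 3 as a probable password typed after `ssh deploy@10.0.0.5`. The password heuristic errs toward false positives (any non-alphabetic single token after a credential-prompting command), which is the right trade-off for a triage script whose output a human reviews.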

@techies, We need to understand that rogue skills have no place in the modern world. I know so many technically sound people who are very good in either dev, hacking, etc., but since their skills are not polished they need not even claim those skills in the job market, as no one will recruit you. Certification is extremely important; it helps polish the skills one has... to undergo a certification process which is credible enough is a solution to the world's most problems. For example, when you want to book a nice hotel you can go online and get all the beautiful marketing sweet words on how every hotel meets your need. However, to verify their claims you could either visit every single hotel and verify for yourself or rely on a third party who has done that verification on your behalf. So you end up simply looking for the star rating. I stand by every credible certification, be it CISA, CISM, CISSP or CEH, because that is the only way you can differentiate between a skilled rogue techie and a polished skilled techie. BTW, before becoming a CISSP they do background checks to ensure you have never been involved in unprofessional practices, i.e. Hacking! On Thu, Oct 22, 2009 at 4:20 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
Hey, we gotta go clear on this, LOL!
On 10/22/09, Eric Mugo <kabugum@gmail.com> wrote:
hehe...i have to agree with Evans on that one....he answered your question and even added that he would hire you.... :-)
On Thu, Oct 22, 2009 at 3:45 PM, Evans Ikua <ikua.evans@gmail.com> wrote:
Chuks you are taking this discussion round in circles. Walubengo has just cleared that. Ikua
On Thu, Oct 22, 2009 at 3:16 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
@Walu, So in short, should CISAs be taking Security Assessment Jobs?
On 10/22/09, Walubengo J <jwalu@yahoo.com> wrote:
@./Chuks
I hear you...however I must still repeat that CISAs are by design NOT Penetration Testers. So it is harsh to judge their relevance based on their failure to execute a PenTest.
Just to repeat, CISAs evaluate and focus on the big picture of the Security ecosystem - i.e the relationship between People, Processes and Systems that is necessary to provide assurance that risk is mitigated. And taking your Penetration test example further, indeed you may have exposed and sealed the loophole in the Webserver (if your focus being ONLY on "Systems") but if the "People" and the "Process" aspects are weak, your superior technical solutions may still fail to address the overall Security objectives.
That said, if I was a CISA and had that Audit job that required Penetration testing, I would have definitely hired you ;-)
walu. --- On Thu, 10/22/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Thursday, October 22, 2009, 12:32 AM
Hi All
CISSP is for Security Professional just like CISM is for Security Manager. Let us think of MBA or Bsc and then we will know how deep we can go with the discussion.
Preston
--- On Wed, 10/21/09, Gichuki John Chuksjonia <chuksjonia@gmail.com> wrote:
From: Gichuki John Chuksjonia <chuksjonia@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Wednesday, October 21, 2009, 12:01 PM Personally I think a CISSP is much better than a CISA, since he sees things the technical way and also the managerial way. The other day in Ghana some CISA guys were doing a security audit and they were asking for files on a SUSE server that do not exist. I don't know where they heard that from, and as far as I am concerned, such info can be Googled.
So such audits depend on what the customer wants and how knowledgeable he is, coz if you are concerned about something you will need it done. So Audit Policies should always have a questionnaire when picking Security Vendors, which helps to narrow down to the right auditing firm.
The other day I was doing a penetration test for a client who has a set of servers with one Portal on the border. A big company had done a pentest a month before but the client wasn't satisfied, so he needed a real penetration test. So amazingly there was a plugin in the webserver that gave me a way to root since it had a SQL injection on it, though blind. So I blindly uploaded code that would run arbitrary commands and soon I had a bindshell. One thing a pentester would do is try all means to get root, and see if he can read the history of all the users. So one thing I noticed is that if these guys had a good security admin like they had specified, they should have seen that Apache tried to bind and was already a privileged user. Secondly the security administrator should have seen that guys mis-type their passwords when sshing and leave them in their history.
What amazed me was that this Company that had done the audit before was a well-proclaimed company that was assigned this same task and failed to deliver. They have CISAs, CISSPs, CEHs, professionals, but the Risk part of the Assessment wasn't done.
So the question is, are these Auditors just doing it for the money, or just having so much fun leaving gaping holes for the clients, or is it that they just don't know what they are supposed to look for?
Secondly, do these papers (Certs) matter these days in the world of IT, coz I have seen bedroom coders who end up being better than even guys who went to school. Look up the Kenyan BDS developer, @kasina on Twitter; that guy didn't learn C in school.
So what I think is needed is real change as far as such issues are concerned; otherwise, all organizations in Africa/Kenya are open to serious compromise, especially Govt Infrastructure.
Two Cents!
./Chuks
--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com
{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
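As an added example (not from the thread), here are two defender-side host checks that correspond to what the security admin in Chuks's story should have noticed: a listener owned by the web server or its uid, and passwords recorded in shell history. The process names, uid 33, the expected ports, the socket inventory format and every sample line are constructed assumptions for this example.

```python
"""Added example, not the thread's own code: two host checks that would have
surfaced the conditions described above, a listener bound by the web server
and passwords left in shell history. All input below is constructed."""
import re
from dataclasses import dataclass

EXPECTED_WEB_PORTS = {80, 443}        # assumption: only HTTP/HTTPS are sanctioned
WEB_PROCESSES = {"apache2", "httpd"}  # assumption: Apache process names on this host
WEB_UID = 33                          # assumption: www-data uid on a Debian-style host

# Constructed listening-socket inventory, one line per socket:
#   proto local_addr:port uid process   (own format, not real ss/netstat output)
SAMPLE_SOCKETS = """\
tcp 0.0.0.0:22 0 sshd
tcp 0.0.0.0:80 33 apache2
tcp 0.0.0.0:443 33 apache2
tcp 0.0.0.0:4444 33 sh
tcp 0.0.0.0:8080 0 httpd
"""

# Constructed ~/.bash_history of an admin who typed a password at the wrong prompt
SAMPLE_HISTORY = [
    "cd /var/www",
    "ssh deploy@10.0.0.5",
    "Summer2009!",                     # typed at the shell instead of the ssh prompt
    "ls -la",
    "mysql -u root -pSecr3t appdb",    # password passed on the command line
    "sudo apt-get update",
    "exit",
]


@dataclass(frozen=True)
class Finding:
    check: str
    detail: str


def parse_sockets(text: str):
    """Turn the inventory text into (proto, port, uid, process) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        proto, local, uid, proc = parts
        rows.append((proto, int(local.rsplit(":", 1)[1]), int(uid), proc))
    return rows


def check_web_listeners(rows):
    """Flag listeners that a web server, or something running as its uid, should never own."""
    findings = []
    for _proto, port, uid, proc in rows:
        if proc in WEB_PROCESSES:
            if uid == 0:
                findings.append(Finding("web-as-root", f"{proc} on port {port} runs as uid 0"))
            if port not in EXPECTED_WEB_PORTS:
                findings.append(Finding("unexpected-port", f"{proc} listens on port {port}"))
        elif uid == WEB_UID:
            # a shell or other non-web process listening as www-data is what a
            # bind shell spawned through the web server looks like from the host
            findings.append(Finding("listener-as-web-user",
                                    f"{proc} listens on port {port} as uid {uid}"))
    return findings


# credential passed inline on the command line
INLINE_SECRET = re.compile(
    r"(sshpass\s+-p\s*\S+|--password=\S+|\bmysql\b.*\s-p\S+|\bpassword\s*=\s*\S+)", re.I)
# commands that prompt for a password; a bare token on the following line is suspicious
PROMPTING = ("ssh ", "scp ", "su ", "sudo ", "mysql ")
KNOWN_COMMANDS = {"ls", "cd", "pwd", "exit", "clear", "top", "history", "whoami", "id"}


def check_history(lines):
    """Heuristic scan of shell history for secrets typed where they get recorded.
    Any hit should lead to rotating the credential, not just deleting the line."""
    findings = []
    prev = ""
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if INLINE_SECRET.search(line):
            findings.append(Finding("inline-secret", f"history line {n}: credential on command line"))
        elif (prev.startswith(PROMPTING) and line and " " not in line
              and line.split("/")[-1] not in KNOWN_COMMANDS):
            findings.append(Finding("prompt-password",
                                    f"history line {n}: bare token after '{prev.split()[0]}' looks like a password"))
        prev = line
    return findings


def audit_host(sockets_text: str, history_lines) -> list:
    """Run both checks; an empty list means neither condition was observed."""
    return check_web_listeners(parse_sockets(sockets_text)) + check_history(history_lines)


if __name__ == "__main__":
    for f in audit_host(SAMPLE_SOCKETS, SAMPLE_HISTORY):
        print(f"[{f.check}] {f.detail}")
```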

Thanks Walu, with one important area not included in your list:
1) THE IS AUDIT PROCESS
2) IT GOVERNANCE
3) SYSTEMS AND INFRASTRUCTURE LIFE CYCLE MANAGEMENT
4) IT SERVICE DELIVERY SUPPORT
5) PROTECTION OF INFORMATION ASSETS
6) BUSINESS CONTINUITY & DISASTER RECOVERY MANAGEMENT
The following site is also rich in information which many can share from www.isaca.org, not forgetting COBIT (Control Objectives on Information Technology). Sorry for all these but I am a mzee trying to remember what techies should be aware of.
Preston
--- On Wed, 10/21/09, Walubengo J <jwalu@yahoo.com> wrote:
From: Walubengo J <jwalu@yahoo.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke>, "Preston" <podera@k90ea.com> Date: Wednesday, October 21, 2009, 10:30 AM I agree with Ikua/Preston. CISAs (Certified Information Systems Auditors) tend to have the big picture - and that's by design. They don't drill down to specific vendor technologies - even though they know what to expect from such technologies. Maybe a snapshot of the course content would help, as given below (ref: www.isaca.org):
1. IS Audit Process
2. IT Governance
3. Infrastructure Lifecycle Development
4. Protection of Information Assets
5. Business Continuity and Disaster Mngt
And so if I am a CISA with a financial/accounting background but need to inspect a Cisco PIX firewall, I would be obliged to hire the expertise rather than pretend to do it. Of course, if I am a CISA and a techie in that area (and there are many like that) I would just proceed and perform the inspection accordingly.
The point is, the Security Ecosystem is so large and each professional in the Security field has an important role to play. Trying to establish who is better than the other would be like trying to see who between the following is better than the other: the Architect who designs the building or the Electrical/Civil/Structural Engineers who provide specialized services within the buildings...rather than begin to research for an answer, I would say it's really a misplaced question to ask.
walu. NB: I am a CISA but not an Accountant (so feel free to consider my views biased ;-)
--- On Tue, 10/20/09, Preston <podera@k90ea.com> wrote:
From: Preston <podera@k90ea.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 2:09 PM
If we start from the premise that you cannot be a master of all, then Certified Penetration Testers, Systems Engineers and Network Vulnerability Experts can only handle their areas, and only to the level their knowledge can allow, on a scale (1 to 10) depending on whether you gained it from Karamaindo as a college or a company. Also hands-on experience plays a greater part, including organization culture.
Depending on what has to be audited you need a team of experts!! in the areas being audited. The experts might not be better than those being audited (even on Financial Audits this is sometimes the case, where junior auditors are sent to companies with the least audit experience) but they have to make an assurance that the areas being audited are meeting some standards, both as defined by the company being audited or guided by international standards.
What is also required is a team leader, and that is where Certified Information Systems Auditors come in. These are from various backgrounds including techies, financials etc.
As Evans indicates, one of the ISACA audit standards states that an auditor should use the right expert for the right audit process. This is quite true for all professions. I realized this when putting up a modest palace (needed an Architect, Quantity Engineer, Structural Engineer, Foreman, Plumber, Electrical Engineer, Loader and a host of other professions while the single process was Putting Up the Palace = IT Audit). In all of these, teamwork of different professions is required, guided by a leader who has received certain qualifications, where CISA is one of them.
Preston
--- On Tue, 10/20/09, Evans Ikua <ikua.evans@gmail.com> wrote:
From: Evans Ikua <ikua.evans@gmail.com> Subject: Re: [Skunkworks] AUDIT OF IT To: "Skunkworks Forum" <skunkworks@lists.my.co.ke> Date: Tuesday, October 20, 2009, 10:58 AM I am a member of the local ISACA chapter, but I will speak for myself. Amolo, I don't agree with you. I recently spoke to a guy from a local shop of the big 5 audit (Finance) firms. He said they do IT audits alright. But they are more interested in seeing how far the IT infrastructure supports the financial figures that they are reporting on. You realize most of accounting nowadays is dependent on IT, as are most business processes.
But how does an accountant (as the majority of CISAs are) tell if a DB has been compromised if he does not understand the deep workings of a DB?
As I have said before, the best a CISA can do is to manage the whole process of the IT audit, but not to pretend to be what they are not. One of the ISACA audit standards states that an auditor should use the right expert for the right audit process. If you want to audit a database, hire a database expert. If you want to gauge network vulnerability, hire a vulnerability expert, and so on. It's professional negligence, which should attract hefty legal penalties, for a firm to conduct an IT audit, give a clean bill of health, and leave an organization at risk.
Just wait till you hear someone taken to court for professional negligence.
Ikua
On Mon, Oct 19, 2009 at 10:51 PM, Areba Collins <arebacollins@gmail.com> wrote:
Skunks! What's so hard? IT audit, IT. Finance audit, FINANCE.
On 10/19/09, Paul Roy <roykoikai@gmail.com> wrote:
I'm liking this... so far Chuks is leading :)
On Mon, Oct 19, 2009 at 5:36 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
So their scope would be Financial Audit?
On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
If you check my mail again Chuks, I talked about SCOPE
On Mon, Oct 19, 2009 at 4:00 PM, Gichuki John Chuksjonia < chuksjonia@gmail.com> wrote:
> @Joshua, yah mistaken. What does an IT Audit compose of? Because a Code Audit is part of IT Audit, tell us, how can a Finance guy look for loopholes and bugs in PHP code if he doesn't even know how to write one?
>
> On 10/19/09, Joshua Amolo <joshua.amolo@gmail.com> wrote:
>> I don't think there is anything wrong with a Finance guy auditing IT.
>>
>> The issue should be what's the purpose of the audit. The purpose will give a clear scope and the necessary competence to undertake the audit.
>>
>> For example if you were to audit the financial sense of having a unit within IT, you don't need another IT guy to do this audit. If an auditor wants to check conformity to certain standards of your network for example, there are very powerful tools a Finance guy can use.
>>
>> Cynthia I agree with you sometimes you can endure very unnecessary questions from an incompetent auditor. I remember a case where an auditor was checking the competence of a hardware technician and he asked him 'Does the computer have a motherboard?', the technician was so pissed he plainly just said 'no this one uses a fatherboard'
>>
>> On Mon, Oct 19, 2009 at 3:04 PM, Joseph McDonald <mcdonaldoj@gmail.com> wrote:
>>> The confusion started because there are few companies that normally do independent IT audits. In most cases the IT audit is done as an extension of the Financial audits, hence you will find many accountants rushed to do CISA.
>>>
>>> Secondly in any organisation the three P's are important (People, Products and Profits); systems and IT for that matter, in most cases, are enablers to help the people, to move the products faster to the market and to increase efficiency hence profits.
>>>
>>> There are some IT audits which finance people can perform well. While there are some areas which definitely require some IT expertise for you to benefit fully from the said audit.
>>>
>>> Because a good audit should give the auditee and the organisation ways for corrective and preventive actions, and continual improvement.
>>>
>>> On Mon, Oct 19, 2009 at 9:25 AM, Eric Mugo <kabugum@gmail.com> wrote:
>>>> A Finance person auditing an IT infrastructure is like a Security Assessor auditing the end year results of a company. I find it very ironical and old school thinking from those days when I.T used to fall under Finance department/Division. Back then, the systems were simple and geared towards very specific tasks. That is no longer the case nowadays.
>>>>
>>>> A company's systems infrastructure has become very complex, look at a situation where a company has several DMZs each hosting different systems, several Server Farms, Webhosting Facilities, a super big ERP....and then you bring an accountant to do a security audit of the systems or rather perform an entire audit meaning management, financial and security audit....forgive me but I find it plain stupid!
>>>>
>>>> The positive thing is that most companies are now realising the importance of an information security role within their ranks. Once someone in charge of security is in place then chances of being audited on Security by a CPA-K are reduced because the I.T guy will spot their incompetencies from a mile away...
>>>>
>>>> On Mon, Oct 19, 2009 at 8:33 AM, Edmund Okumu <edmund.okumu@gmail.com> wrote:
>>>>> Most Audit firms do exactly that. It is not right at all to have a finance guy audit IT. Let me state categorically that even if a finance person has taken the CISA exams and passed, they still don't qualify to audit IT as IT audit requires an IT Audit professional with some level of deep understanding in the particular field of audit. Preferably the IT auditor should come from a technical background e.g. Systems Development, Systems and Network Administration or Database Administration.
>>>>>
>>>>> Such people employed by audit firms usually write nasty audit reports based on findings that do not satisfy the expectations of the forms downloaded from the Internet. The audit reports therefore do not give a true reflection of the particular IT department of interest.
>>>>>
>>>>> Can someone from ISACA the Kenyan chapter respond to this issue and tell us the way forward. We need some level of regulation on this.
--
----------------------------------------------------------------
Joshua Amolo
Cell: +254 720 263308/+255 783 060052

Managing IT people is like herding cats

--
Gichuki John Ndirangu, C.E.H, C.P.T.P, O.S.C.P
I.T Security Analyst and Penetration Tester
infosigmer@inbox.com

{FORUM} http://lists.my.co.ke/pipermail/security/
http://nspkenya.blogspot.com/
http://chuksjonia.blogspot.com/
-- "Change is slow and gradual. It requires hard work, a bit of luck, a fair amount of self-sacrifice and a lot of patience."
Roy.