Audit question


  • Curtis Baillie
    Sounds like you know way more than your client. I once had a "client" that hired me to do an audit of their in-house security operations. This was quite an undertaking and when I gave the client my report his only reply was (even to this day) "I think I know more about this than you do." A few years down the road they were sued (and lost) over several of the recommendations my report outlined that they never implemented.

    I was paid in full for this review and their payout was many, many times more than my report. The fact that my report was discoverable didn't help them.


  • ScottFree
    Ahh Sec Trainer, it's good to hear from you, and it appears I did not make myself clear that I was tasked with conducting this audit, but I fully agree that this is a job for an outside consultant. Since my client is head of EH&S he was sure there was some kind of single standard against which this audit would be conducted, and when I assured him that there isn't any single standard, he became skeptical, so I reached out to the place where I was sure a knowledgeable answer would come from.

    What I really want to come out of this is a list of recommendations I can bring to the stakeholders at my facility and their corporate security department, with risks and costs associated, to develop a multi-year strategy to accomplish any goals we take away from this list.

    I do greatly appreciate your assistance, and I will PM you if I have any other questions if you don't mind. I just wanted to make sure that how I felt (which I agree, there is no 1 standard that covers all this) matched the facts, so I came here to ask, which is a good thing. Thanks again, and I promise to come contribute and visit more often.


  • SecTrainer
    The first question I have to ask is whether you're qualified to conduct a survey of this nature. Considering the nature of your organization's business, which raises questions in my mind about such things as vulnerabilities to everything from industrial espionage to terrorism (especially domestic), it really seems to me that this is likely a job for a consultant - and, in particular, a consultant with experience in your organization's industry.

    I'm sure it can be very difficult to tell your boss that you're not qualified to be tasked with this responsibility, but it really is an expert undertaking and presumably millions of dollars in assets and the lives of the people working in and visiting the facility depend on it being done right. An audit performed by someone who is unqualified to perform such an audit actually puts your facility at greater risk - and with greater legal liability - rather than less. THIS IS NOT THE PLACE WHERE YOUR ORGANIZATION SHOULD TRY TO SAVE THE COST OF A CONSULTANT, which is paltry compared to the risks.

    Furthermore, an outside audit by an expert is much more likely to reveal shortcomings that organizational blindness and short-sightedness often conceal. It's much more likely to be objective, and it's much more likely to be free of organizational cultural influences, etc.

    If you're confident the answer to the first question is "yes", the next question is: What are you auditing, specifically? The phrase "security program" is a broad, vague concept that starts with organizational policies and cuts all the way through the organization down to the locks on the doors, campus lighting, fencing, etc., and you won't find a single standard that covers all of that - there are dozens of them. The Physical Security Criteria for Federal Facilities probably comes closest to a "comprehensive standard", but you can't get that unless you're a gov't employee with the necessary clearance, and I doubt it would serve much purpose in your case (it certainly wouldn't preserve that "open campus feeling"!).

    Toss in that security measures must also comply with various other laws, codes - i.e., OSHA, fire and life-safety codes, etc.

    You can start with ASIS/ANSI SPC.1.2009: Organizational Resilience: Security, Preparedness and Continuity Management Systems - Requirements with Guidance for Use Standard. It's a bit pricey through ASIS, but in looking for a source for you, I was surprised to discover that you can get the Kindle version for 99 cents (and the Kindle Reader for computers is free).

    This standard lays out the organizational principles, policies, roles and other elements that should be implemented. For instance:

    "The organization should identify and establish relationships with public service agencies and officials responsible for intelligence, warnings, prevention, response and recovery related to potential disruptions identified in the risk assessment. Arrangements should be made for communication and warnings both internally and externally for normal and abnormal conditions."

    Which illustrates the point that a security audit only has relevance in the context of a risk analysis/survey. There is no "standard" that would apply to everything from an airport to a hospital to a biotech company to a college campus. It depends on the nature of the organization, the type of activities that it conducts, the kind of equipment, technology, materials that it uses and produces, and other features. These are the factors that help to define what you're protecting, what you're protecting it from, and only in that context do any security measures of any kind make any sense at all, much less applying any standards to the measures that do make sense.

    Then, there is the ASIS Protection of Assets set.

    Another source of authority might be security standards (often called "guidelines" or "recommendations") that are published by industry organizations. For instance, the chemical industry, hospitality industry, healthcare industry, etc. publish such guidelines. I'm not sure if "biotech" is really an industry per se (more a grab-bag description), but if you can identify a relevant industry group whether it's pharmaceuticals, genetics research, or whatever - the relevant industry group would be the place to look for such material.

    For information system security, see the NIST standard:

    Many well-respected physical security authors have written standards. It doesn't have to be ISO, etc. to be authoritative, except perhaps to your boss.

    As a last resort, you can google "physical security checklist". You'll get a slew of hits, and perhaps by sifting down through them you might find something from a source that you think your boss would find acceptable. Not exactly the way I'd do it, but you might find a nugget that serves your purposes. On the other hand, I must reiterate that if you're forced to such measures to come up with an "audit checklist", THIS IS THE JOB FOR A CONSULTANT.
    Last edited by SecTrainer; 08-01-2013, 10:54 AM.


  • ScottFree

    Been a real long time since I have posted here, but I have a question that I am sure you all can help me out with. I was tasked with doing an audit of my client's security program, and was asked what standard I would use. Being as I report to the head of Environmental Health and Safety, he wanted an ANSI/ISO/NIST standard he could look at with a checklist. I work for a biotech company that does R&D with an open campus "feel" as part of our culture, and I would love to have some kind of checklist. The best direction I could come up with so far is the ANSI/ASIS PSC.1-2012.

    Can anyone tell me if they are tasked or hired to audit someone, what "standard" would you apply, and does that standard have a checklist, a best practice list, or how do you provide a written standard if asked?