How to Cheat at Managing Information Security

The purpose of this chapter is to:
Provide a brief overview of information security standards
Provide a brief overview of various types of security audits
I don t dislike auditors, but as a profession it does seem to attract herds of the wrong kind of people all cufflinks and unsupported arrogance. I should know; I worked with them for long enough.
At the time I was well on the way to becoming a partner in one of these audit firms, mainly because I kept being engaged in very large security assignments. In Hong Kong, I was doing a job for a world-class bank. Everything was decidedly barely adequate in terms of firewalls, but I had yet to look at the routers and switches. In fact, the truth was, the firewalls were so bad that I was looking for good news on the routers to soften the blow. As a courtesy, I, the fledgling partner, was taken to meet the IT auditors (who had recently completed a review of the e-commerce firewalls and routers); the rest of the team had to stay and work. All the way up the stairs to the meeting, the senior partner told me how wonderful this team was, so when I arrived I was not surprised to see them perfectly dressed and well spoken.
Halfway through our meeting, I mentioned I had yet to do the routers and I immediately was reassured by the senior auditor, I checked the routers personally, no problems there. He even...