[SCADASEC] The Difference Between Audits, Assessments, and Analysis
Clint Bodungen
clint at cidgcorp.com
Sat Feb 16 11:04:38 CST 2008
Exactly. I agree with their use of the terminology. It doesn't become an
"audit" until it is performed formally and is legally enforceable by a
regulation authority.
One of the biggest differences between an "audit" and an "assessment" is
that an audit is a *formal* process, usually performed by a representative of
an authority of sorts, and usually carries penalties for non-compliance,
whereas an assessment is usually an informal process used as a preliminary
indicator of your current posture. In fact, most *audit* criteria will now
require that you've performed a vulnerability *assessment*.
Clint Bodungen
-----Original Message-----
From: scadasec-bounces at news.infracritical.com
[mailto:scadasec-bounces at news.infracritical.com] On Behalf Of ljknews
Sent: Saturday, February 16, 2008 10:18 AM
To: scadasec at news.infracritical.com
Subject: Re: [SCADASEC] The Difference Between Audits, Assessments, and Analysis
At 9:05 AM -0600 2/16/08, Clint Bodungen wrote:
> I agree that NIST SP800-53 (possibly combined with the GAO Federal Auditor's
> Handbook) might be the closest we have to a "formal audit" process and any
> sort of measurable metrics (of any real quality) thereof.
NIST 800-53 calls what you do to measure compliance with
NIST 800-53 an "assessment". See control CA-2 on page F-20
of NIST 800-53 Revision 2.
--
Larry Kilgallen