100 Security De-engineering
Joneses” where firms will reach a certain level in their audit compliance
that is similar to their competitors in the same industry sector.
Many countries have a central banking authority, which dictates
that in order to carry out financially oriented business, the firm must
have passed an audit program laid down by the central monetary
authority.
Passing the audit is one thing, but making your entire information
risk management strategy as minimal as possible to merely pass the
audit—that is quite another—but unfortunately, this is the strategy
used by more than 90% of firms these days.
I will first outline roughly what happens in an external audit and
cover some problems with the typical approach, and then I will cover ...