It always pains me when I get this question from a client’s IT staff. It usually means that auditing has never penetrated to that level, and people are used to doing pretty much what they please around the network. It usually goes with:
“This is a development shop. Those are not production servers or databases – so why are you asking to see users, patching, inventory, etc????”
These are the kinds of questions that will keep me employed as a successful penetration tester AND a digital forensics analyst. When I’m dead someone will prop me up to keep going.
A development environment is EXACTLY where a penetration tester goes first for exactly this reason. When you don’t know what’s running on your network, you don’t know who is on your network.
If it’s on your network, the company is responsible. Legally responsible. And that question will not hold up in court.
It’s a great version of the “sniff test”: imagine saying it on the witness stand to a judge.