Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, IT audit, Security
When I go out on exams to client sites, I am often amazed that I find things in bad shape – terminated users on systems, unpatched servers, holes in firewalls, secret 5 on Cisco routers… Why? Because it’s not rocket science. Whether it’s SOX, SAS 70 or PCI, auditors will be checking pretty much the same things.
First – Policies and procedures? Got ’em? Don’t make ME do it. If I write your policies (by requiring you to do it to become compliant), you have no investment or interest in implementing them or maintaining them. Write your own, and you own the procedure. I recently got an “Incident Response Policy” which had been flagrantly plagiarized from a university. The author, an admin in a service bureau, didn’t bother to read the complete document and at least Find|Replace the appropriate nouns and names. He had actually set himself up to fail with a policy that would be impossible for him to implement.
Second – Access Controls? Who is in charge of requesting adds/changes/deletes, and who completes the request? DON’T make me do it. Don’t tell me you track it by emails, because those get lost and deleted. Email is NOT an access control. Who wanted it, who approved it, and who did it? When? I’ll be asking…
Third – System Security? Are your servers patched? Don’t make me do it. If you give me a bunch of MBSA reports, you’d better READ THEM FIRST. That way, when I start asking you why there are so many local administrators on your database server, you’ll have an answer ready… especially if those IDs belong to users who have left the company. Do you REALLY want to explain why you’re missing 37 patches? While your manager and CSO grind their teeth behind you? I understand why you haven’t applied IE7 or the Windows Malicious Software Removal Tool (which Micro$oft says is a “critical” item), but security updates labeled “critical” that are over two months old WILL require an explanation. Count on it, and better yet, get it patched.
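As an added illustration (not from the post, and not any vendor's tool), here is the kind of pre-audit reconciliation the paragraph above describes: it checks exported local Administrators membership against HR's terminated-user list and flags “critical” updates missing for more than two months. The host names, account names, KB ids and dates are constructed placeholders.

```python
from datetime import date, timedelta

# Constructed sample data standing in for a server export and an HR list;
# the host, account and KB names are placeholders, not real identifiers.
LOCAL_ADMINS = {
    "dbsrv01": ["CORP\\jdoe", "CORP\\asmith", "CORP\\svc_backup", "DBSRV01\\Administrator"],
    "websrv02": ["CORP\\asmith", "CORP\\rlee"],
}
TERMINATED_USERS = {"CORP\\jdoe", "CORP\\rlee"}
# (kb_id, severity, release_date) for updates a server reports as not installed
MISSING_UPDATES = {
    "dbsrv01": [("KB-EXAMPLE-1", "Critical", date(2024, 1, 10)),
                ("KB-EXAMPLE-2", "Critical", date(2024, 3, 20)),
                ("KB-EXAMPLE-3", "Moderate", date(2023, 11, 1))],
    "websrv02": [("KB-EXAMPLE-4", "Important", date(2024, 2, 1))],
}
AS_OF = date(2024, 4, 1)                 # date the review is run (constructed)
MAX_CRITICAL_AGE = timedelta(days=60)    # "over two months old" threshold from the post

def stale_admins(local_admins, terminated):
    """Return host -> terminated accounts still in the local Administrators group."""
    findings = {}
    for host, members in local_admins.items():
        stale = sorted(m for m in members if m in terminated)
        if stale:
            findings[host] = stale
    return findings

def overdue_critical(missing_updates, as_of, max_age=MAX_CRITICAL_AGE):
    """Return host -> Critical updates that have been missing longer than max_age."""
    findings = {}
    for host, updates in missing_updates.items():
        overdue = sorted(kb for kb, sev, released in updates
                         if sev == "Critical" and as_of - released > max_age)
        if overdue:
            findings[host] = overdue
    return findings

def audit_findings(local_admins, terminated, missing_updates, as_of):
    """Combine both checks into the questions an auditor is going to ask."""
    lines = []
    for host, accts in stale_admins(local_admins, terminated).items():
        lines.append(f"{host}: terminated users still local admins: {', '.join(accts)}")
    for host, kbs in overdue_critical(missing_updates, as_of).items():
        lines.append(f"{host}: critical updates older than 60 days: {', '.join(kbs)}")
    return lines

if __name__ == "__main__":
    for line in audit_findings(LOCAL_ADMINS, TERMINATED_USERS, MISSING_UPDATES, AS_OF):
        print(line)
```

Run it against real exports before the auditor does, and every finding it prints is a question you can answer instead of one you get asked.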
Any good auditor will give you the test AND the answers you need to pass. If you flunk, it’s not me. Do you really want to have to implement security the way an auditor (who does NOT know your network) recommends? Please don’t make me do it. If you know what I’m going to ask for, build it in, own it, make it yours, not mine.
And, I’m sorry to say, all of the examples are based on my experience in the real world of IT.