Sonotsky
660 pts. | Jun 22 2009 6:03PM GMT
IMHO, the answer to this question depends on whether the auditor in question is an employee of your organization, or an external auditor/consultant.
If the former, I would ask that they submit some kind of paperwork, authorized by their manager and hopefully yours (or your information security officer). That way, should things go sideways, you’re not held liable.
If the latter, never, ever give any credentials out. In my audits, the auditors are free to sit with me, request that I perform various tasks, take notes, and request screenshots (scrubbed where necessary to obfuscate proprietary or confidential details: details of client records, IPs, URLs, things of that nature). The fact that they’re asking might be an underhanded way of testing access controls.
Hope that helps.
Troy Tate
0 pts. | Jun 22 2009 6:04PM GMT
The account should be set with an expiration date and monitoring so that their activities can be tracked also. The other alternative is to have a security manager run the reports in a read-only format (PDF or screenshots) for the auditor’s use.
KevinBeaver
7610 pts. | Jun 29 2009 2:35PM GMT
This is something I do all the time in my security assessments…I have my clients set up test accounts that expire after a certain period. I also remind them to disable those accounts when I’m done.
Take Sonotsky’s latter route and neither you nor your auditor is going to get what you need. It’s just too impractical. If there’s mistrust or paranoia involved, perhaps you can look over the auditor’s shoulder. Something that’ll last for an hour or so at best, until the auditor proves his trust and value…and because you have better things to be doing.
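As an added example, not code from the thread or from any of the posters above: a small POSIX shell script that does what Troy Tate and Kevin Beaver describe, a time-boxed auditor account with a hard expiry date, an audit rule keyed to that account so its activity is tracked, and a check that catches accounts whose expiry has passed but which were never actually locked. It assumes a Linux host with shadow-utils (useradd, chage, usermod) and auditd; the create/watch/lock steps need root, while the check runs on any shadow-format input. The account names, dates and the shadow lines in SAMPLE_SHADOW are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes Linux shadow-utils
# and auditd. Account names, dates and SAMPLE_SHADOW below are constructed.

# Create a time-boxed auditor account. $2 is the expiry date (YYYY-MM-DD);
# after that date login is refused even if nobody remembers to disable it.
# chage -d 0 forces a password change at first login, so the temporary
# password you hand over is only good once. Requires root.
create_audit_account() {
  user="$1"; expires="$2"
  useradd -m -e "$expires" -c "External auditor, expires $expires" "$user" &&
  chage -d 0 "$user"
}

# Track everything the auditor executes: an auditd rule keyed to the
# account's login UID (auid survives su/sudo). Requires root.
watch_audit_account() {
  user="$1"
  auditctl -a always,exit -F arch=b64 -S execve -F auid="$(id -u "$user")" -k "audit_$user"
}

# Lock the account when the engagement ends: disable the password and
# move the expiry date into the past (chage -E 0 is 1970-01-01). Requires root.
lock_audit_account() {
  user="$1"
  usermod -L "$user" && chage -E 0 "$user"
}

# Check: read shadow-format lines on stdin and print accounts whose expiry
# (field 8, days since epoch) is on or before $1 (also days since epoch)
# but whose password field (field 2) is still usable, i.e. not prefixed
# with '!' or '*'. These are the "expired but never disabled" accounts.
stale_accounts() {
  today="$1"
  awk -F: -v today="$today" '
    $8 != "" && $8 <= today && $2 !~ /^[!*]/ { print $1 }
  '
}

# Constructed sample shadow lines: auditor1 expired and still enabled,
# auditor2 expired but locked, root has no expiry, contractor not yet expired.
SAMPLE_SHADOW='auditor1:$6$abc:19000:0:99999:7::19100:
auditor2:!$6$def:19000:0:99999:7::19100:
root:$6$xyz:19000:0:99999:7:::
contractor:$6$ghi:19000:0:99999:7::19300:'

# Real use: printf '%s\n' "$(cat /etc/shadow)" | stale_accounts "$(( $(date +%s) / 86400 ))"
# On the sample above, at day 19200 this prints only auditor1.
printf '%s\n' "$SAMPLE_SHADOW" | stale_accounts 19200
```

The check is the part worth scheduling: an expiry date only stops logins, it does not lock the password or remove the account, so a cron job running stale_accounts over /etc/shadow is how you find the test accounts the engagement forgot to clean up.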