October 5th, 2004, 12:50 PM
"my real world" comment is this...
Originally posted here by catch
Not sure what that "real world" comment means, as if policies don't exist there...
What is your job as the auditor if not to audit and report non-compliance issues with regard to the policy? Just because other people are messing up doesn't mean that you need to change the way you are doing things. Determine what standards, if any, are mentioned in the policy. The result of your audit should be a red flag to senior management that either the policy needs to change or the organization does... however, unless you measure against something, the audit is useless. (No audit can exist in a vacuum.)
Also, the reason why knowing what standards are applicable matters is that many have predefined audit report schemes, and this will save you a lot of time trying to reinvent the wheel.
maybe for you guys out there working in banking, gov., military, etc. - places where security is paramount, the "security 101" stuff does get followed to the dot and you as IT/Info Sec. dept. are able to implement changes. but, not all places are military, gov., banks. business units are seeing "security" all over the media, and are buying into it. *as long* as they don't have to move a finger or be put out by the inconvenience.
the only time security gets a big push around here is when a web server gets hacked by a kid who just uses it to distribute warez & moviez. the server gets rebuilt and security becomes a big topic at the meetings; but after a week or 2, things go right back to the way they were.
this audit ain't gonna change squat! i am doing it because it's good experience. I have always wanted to creep out of "sys admin" and into "info. sec.", and this is an opportunity to put something relevant under my belt and on the resume.
IMHO, things are going to change when a major thing happens that burns everyone. meaning, something malicious will infiltrate the system and nuke a lot of data. the restores from backups are going to fail and a few years' worth of data will be lost. that's probably when the manglers will burst a blood valve and implement changes recommended by IT.
October 5th, 2004, 02:44 PM
What is done with the audit isn't your concern. It is Sr. Management's concern.
Your concern is audit report templates; as such, it is important to look over the corporate policy to determine which standards are applicable (if not outright called for), then see if said standards have a defined audit procedure.
It doesn't matter if you find a zillion instances of non-compliance that never get fixed. Your original question was: "does anyone know of where one can go to see what a security audit report looks like?" and the answer is, as I stated above... review the applicable standards.
October 5th, 2004, 08:02 PM
Anyone interested? Look for me in the bar after 5 pm.
Audit strategy, templates, business planning and remediation is the MO.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.