Originally posted here by catch
Not sure what that "real world" comment means, as if policies don't exist there...

What is your job as the auditor if not to audit and report non-compliance issues with regard to the policy? Just because other people are messing up doesn't mean that you need to change the way you are doing things. Determine what standards, if any, are mentioned in the policy. The result of your audit should be a red flag to senior management that either the policy needs to change or the organization does... however, unless you measure against something, the audit is useless. (No audit can exist in a vacuum.)

Also, the reason for knowing what standards are applicable is that many have predefined audit report schemes, and this will save you a lot of time trying to reinvent the wheel.

cheers,

catch
My "real world" comment is this...

Maybe for you guys out there working in banking, gov., military, etc. - places where security is paramount - the "security 101" stuff does get followed to the dot and you, as the IT/Info Sec. dept., are able to implement changes. But not all places are military, gov., banks. Business units are seeing "security" all over the media, and are buying into it, *as long* as they don't have to move a finger or be put out by the inconvenience.

The only time security gets a big push around here is when a web server gets hacked by a kid who just uses it to distribute warez & moviez. The server gets rebuilt and security becomes a big topic at the meetings; but after a week or 2, things go right back to the way they were.

This audit ain't gonna change squat! I am doing it because it's good experience. I have always wanted to creep out of "sys admin" and into "info. sec.", and this is an opportunity to put something relevant under my belt and on the resume.

IMHO, things are going to change when a major thing happens that burns everyone. Meaning, something malicious will infiltrate the system and nuke a lot of data. The restores from backups are going to fail and a few years' worth of data will be lost. That's probably when the manglers will burst a blood valve and implement the changes recommended by IT.