Solved

IT auditors and the cheeky auditee :)

Posted on 2011-09-29
Last Modified: 2012-05-12
Has anyone come across anything similar to what our auditors are up against – and if so, is there a protocol to adhere to, a sort of auditee’s code of conduct?

Our audit section has an agreement with a 3rd party partner who hosts some of our servers that we can audit them as and when, as it’s essentially “our data”. The agreement states we must give them 2 weeks’ prior notice with some form of scope on what areas will be reviewed before we can come in to audit whatever system. In this case there is an audit of a new payroll application; they also want to look at the security of the DB server (SQL Server on Windows 2008 Server – virtual box).

Debate 1:

One of the checks they wanted to run would identify all software installed on the server – they said that as they don’t currently have a test server they have serious concerns about running tools on the live server – so as it is a virtual machine they will clone it and then run the tool on the test instance. However, in cloning the system they have gone through an exercise to remove unsupported or unnecessary software, close certain ports and patch 3rd party software that was unpatched. Which is all well and good – but these are issues the auditor would have flagged up.

Debate 2:

Another of the checks they wanted to run was to test for weak passwords associated with local admin accounts on the server. The IT section responsible for this server states that this server has known weak passwords associated with local admin accounts, as this is how the application developers configured the server. They know it’s an issue and will take it up with the app owners to determine the impact of strengthening the passwords. However, they state that as it’s a known issue there is no need for the auditors to flag it in their report?

--

Would appreciate your input into both debate 1 and 2 and your take on it. This is very frustrating for the auditors. Is it OK for the company being audited to use the cloning of a live system to change all the settings so the auditors don’t find anything?

Question by: pma111


Assisted Solution

by: Dave Baldwin
Dave Baldwin earned 150 total points
ID: 36813512
To me, both of those things are Wrong.  If I was me, I'd try to find a way to write them up for even suggesting such things.  Then I'd hold an internal conference about "Do we want to keep on working this way?"

Accepted Solution

by: WilsonsITDept
WilsonsITDept earned 175 total points
ID: 36813539
Hi.

Regarding the first part of the question: If the server someone is going to be using in production isn't actually the one they'll be auditing, then there's no point auditing it. If the hosting company is capable of removing all unwanted software and closing all unnecessary ports on the cloned machine, then ask them to replicate that on the live machine. It might be a last-minute way of fixing the problems, but if it works it works. I'm a bit confused as to who has responsibility for the patching/updating of that server. Normally a hosting company would host it and leave the rest up to you, unless you're talking about the virtualisation platform patches, which would be totally in their hands and part of your SLA.

Are they actually running all your normal services/software on the clone while they audit it, or might their actions on the clone result in a failure in the real production server, should the changes be replicated? There's a difference between fixing a problem and masking it temporarily.


Secondly: It sounds like a typical case of "We set the software up with weak passwords, we'll get round to changing that... whenever..."
This is very common. If it's a known (AKA ignored) issue, then flagging it isn't going to change anything; however, if flagging it in a report will get someone a foot up the backside and prompt the changes, then go for it, get the ball rolling. Audits are there to flag issues that need to be changed, even if no one wants to change them.


At the end of the day, your auditors will have a specification for their audits. If they test a clone of a system and it's fine, then the owners of the system use a different one that isn't fine, then it's the owners' fault. You can only audit what they let you audit. If they change it, it's not your fault. Make sure the contract states that. Make sure the auditors cover themselves and you'll be fine.

Unfortunately, people will always try to hide things from auditors. Otherwise, where's the fun in being an auditor?

Hopefully that's in some way constructive?

Tom

Author Comment

by: pma111
ID: 36813663
Good points.

The way they say "it's a known issue - there's no point putting it in the report" to me says the IT team will not be happy with the auditors for reporting the issue - but then who are they to say what they can and can't test? The report, AFAIK, is targeted at more senior officials than them, in essence to see if they are doing their job. It's not a report for IT (albeit it may help identify problems to them that they didn't know about) - surely the report goes to the company's big wigs and it's they who need to be aware of these problems - not an IT manager who chooses what does and does not get reported.


Expert Comment

by: WilsonsITDept
ID: 36813685
All you can do as an auditor is test a certain system a certain way. If they give you the wrong system to test, or don't let you test it in an appropriate way, then what can you do?

It sounds like they've got problems they're trying to hide, and the managers have told them to get an audit to get a full view of the situation; in which case, even a thorough and open audit will get 'reinterpreted' before it goes to management. No one's going to hand a sheet to their boss and say "Here's what I've been doing wrong".

Just make sure your audit specification is watertight and it'll be their fault if anything goes wrong. You don't want the middle tier guys turning round and blaming you when their shoddy systems are failing because of things the audit should have flagged up.  (AKA did flag up!)


Tom

Author Comment

by: pma111
ID: 36813691
OK, many thanks.


Assisted Solution

by: kevinhsieh
kevinhsieh earned 175 total points
ID: 36815800
If it is a known issue, it still needs to go in the report, because it is an issue. I would say that there is less of a reason to test the system to prove that there is the issue of weak passwords.

Expert Comment

by: WilsonsITDept
ID: 36815851
As an auditor, when you go to run a test and the IT guy tells you not to bother because they know about the problem already, you put down on your report that the test was stopped at his request and get him to sign it off. Then if his manager wants to know why the test wasn't run, you show him the signature and he talks to the IT guy.

You mustn't run a sub-standard test because someone in the company tells you to. If they have the authority to change the audit, make sure they sign for the changes and take responsibility.

Tom


Expert Comment

by: paulsolov
ID: 36843268
If you don't know what you don't know, how are you going to find a solution?  The audit is to detect deficiencies.  It is then up to the management and staff to determine whether risk acceptance, risk avoidance, or mitigation is the way to proceed.  Don't be afraid of the audit... it's what comes after the audit that's the hard part, but unless you know what you don't know you will not be able to address the issues at all.


Expert Comment

by: WilsonsITDept
ID: 36890300
The "solution" here (purely from the position of auditor) is to have the company sign off exactly what they're expecting from the audit. The worst case scenario is that the IT guys muck around with the audit to make it look good on them, then the boss of the company wants to know why you didn't flag up issues which have since caused problems.

If it says you're going to test a clone of a system, then they're responsible for that clone, not you. If it says you're not testing the IT passwords, then the passwords aren't your responsibility.

Wouldn't it be nice if all passwords were secure? It's not a perfect world, though.
So focus on your responsibility, and that's performing the audit they sign for.

It certainly seems like the managers have asked for an audit and the IT guys don't want it embarrassing them, but that's internal politics you have no control over.


If you think/know that your data is being kept on a server that isn't secure, move your data elsewhere.


Tom

Author Comment

by: pma111
ID: 36890607
Do you have an agreement whereby if they make any changes to a system's/server's configuration during your audit - i.e. between the time when you started the review and when you issued the report - they (those under audit) must let the auditor know?

It makes a bit of a farce of the whole thing if you go in, do some tests, they say "what are you testing here - what for?" and then mysteriously you come back to find, for example, that all the file share ACLs have been tightened, or all the audit logs mysteriously switched on overnight.

Don't you need some sort of freeze period with "look, we are auditing here - if you make changes, tell us, as it can affect the findings."

Please discuss.

Author Comment

by: pma111
ID: 36915752
Anyone sweep up on last comment?

Expert Comment

by: WilsonsITDept
ID: 36915960
I can only reiterate my last comment. Define your role in this and make sure you keep whatever promises you've made in the audit agreement.

Don't get bogged down in someone else's internal politics.


Tom

Author Comment

by: pma111
ID: 36915980
@Kevinhsieh -

If it is a known issue, it still needs to go in the report, because it is an issue. I would say that there is less of a reason to test the system to prove that there is the issue of weak passwords.

Is that a bit dangerous, though - can you report on hearsay? Should you still audit password strength to ensure the real situation, and that they haven't missed any?