Solved

Read-only access for auditors

Posted on 2016-11-06
97 Views
Last Modified: 2016-11-11
What's the industry practice on granting read-only access accounts to
auditors? Or generally, are requests sent to IT Ops, who will extract it
& send to them?

I guess the lowest-privilege account in Windows can still make changes
to the systems, but for certain appliances (eg: proxy, AV EPO, IPS), is there any
risk of inadvertent changes being made?

I'm assuming the auditors are not trained (or only semi-trained) in the specific
platforms / products.
What about UNIX Solaris & AIX?
Question by:sunhux
5 Comments
 

Author Comment

by:sunhux
ID: 41876262
Certainly there's a concern that auditors dig up too much info, which
creates unnecessary overheads.
 

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 41876339
Depends upon the audit and what you are being audited on. A licensing audit may ask for a tool to be run that enumerates the machines and compares the count of specific software against your purchase records.

A PKI audit may examine your policies and setup (which is why we use PowerShell scripting, so we can just show them the script vice having them hover behind us while we type in commands), and you can show them logs that you are actually performing the policies.
 

Assisted Solution

by:btan
btan earned 350 total points
ID: 41876632
I was thinking whether we really need to even issue a machine for the auditor to access and view, or whether we can have an admin grab what is required for their sighting of evidence. In other words, they do not have direct access.

By default, most of the "configuration" settings you want to view are only accessible at all to administrative users, who can also modify them. So to create a read-only user that can access everything, you're basically looking at modifying everything (file system, registry, application permissions) to add read-only access for a given user.

Have the auditors request information from the admins. If necessary, auditors watch the admins retrieve the required information. Even an ad hoc account or a time-based-expiry restricted account still needs certain privileged group membership, which most of the time the auditee is not comfortable with. There is a need to manage the auditor, as their role is to sight evidence to prove claims of compliance. The adequacy of control is a separate matter, a review of the security report, which can be sighted offline based on sampling.
 

Author Comment

by:sunhux
ID: 41877186
Guess for Windows, you'll need administrative privileges to view many items.

But for AV EPO (incl. Deep Security) & Cisco switches/routers, you don't need
admin privilege to see most of the info. It's going to be quite a justification to
stop such a request for a read-only account.

To me, an untrained person will keep asking lots of questions & this is
highly disruptive to work/normal operations.
 

Accepted Solution

by:btan
btan earned 350 total points
ID: 41877247
Yes for Windows, at least in those privileged groups for authorised membership.

Yes for other non-Windows like network devices, admin is not necessary, but they also have some levels of access between user EXEC mode (level 1) and privileged EXEC mode (level 15). This is as per the principle of least privilege — only give access to what's necessary and no more. So in this case, it can be that the commands allowed for the auditor are at the lowest level and they will not be able to run other privileged commands. The commands depend on what they want to see, which you can then allow.

No matter what, auditor access, if granted, will still be logged. The log is to prove they are not doing more than they should be. There is no access to external storage, and anything to be read is on site for sighting; nothing is brought out of the premises unless approved.
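A constructed Cisco IOS configuration, added here as an illustration and not taken from the thread, of the least-privilege approach btan describes: a local auditor account confined to a custom privilege level 2 that holds only the show commands it needs, with command accounting so every command the auditor runs is logged off-box. The account name, secrets, and the TACACS+ and syslog addresses are placeholders.

```cisco
! Constructed example (not from this thread): read-only auditor access on Cisco IOS.
! Level 1 is the default user EXEC, level 15 is privileged EXEC. Level 2 is a custom
! level that receives only the show commands the auditor needs and nothing that changes state.
aaa new-model
aaa authentication login default local
! Record every EXEC session and every level-2 command the auditor runs (start-stop to TACACS+).
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 2 default start-stop group tacacs+
tacacs server AUDIT-AAA
 address ipv4 192.0.2.10
 key PLACEHOLDER-SHARED-KEY
!
! Move only the read-only commands the auditor asked for down to level 2.
privilege exec level 2 show running-config
privilege exec level 2 show startup-config
privilege exec level 2 show logging
privilege exec level 2 show access-lists
! "configure terminal", "write", "copy" and "debug" are deliberately left at level 15.
!
! The auditor logs straight into level 2 and cannot reach level 15 without the enable secret.
username auditor privilege 2 secret PLACEHOLDER-AUDITOR-PASSWORD
enable secret PLACEHOLDER-ENABLE-SECRET
!
! Ship configuration-change records to syslog as well, so the evidence lives off the device.
archive
 log config
  logging enable
  notify syslog
  hidekeys
logging host 192.0.2.20
!
line vty 0 4
 login authentication default
 transport input ssh
```

One caveat worth checking before the audit: at a privilege level below 15, `show running-config` displays only the configuration lines that level is allowed to configure, so if the auditor needs the whole running configuration, Cisco's Role-Based CLI Access (`parser view`) is the mechanism to use instead of a plain privilege level.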
