Solved

Read-only access for auditors

Posted on 2016-11-06
5
47 Views
Last Modified: 2016-11-11
What's the industry practice on granting read-only access accounts to
auditors ?  Or generally request are sent to IT Ops who will extract it
& send to them?

I guess the lowest privilege account in Windows can still make changes
to the systems but for certain appliances (eg: proxy, AV EPO, IPS), any
risk of inadvertent changes being made?

I'm assuming the auditors are not trained (or semi-trained) in the specific
platforms / products only
What about UNIX Solaris & AIX?
0
Comment
Question by:sunhux
  • 2
  • 2
5 Comments
 

Author Comment

by:sunhux
ID: 41876262
Certainly there's a concern that auditor dig too much info which
creates unnecessary overheads
0
 
LVL 78

Assisted Solution

by:David Johnson, CD, MVP
David Johnson, CD, MVP earned 150 total points
ID: 41876339
Depends upon the audit and what you are being audited on. A licensing audit may ask for a tool to be run that enumerates the machines and compares the count of specific software against your purchase records.

A PKI audit may examine your policies and setup (which is why we use powershell scripting so we can just show them the script vice having them hover behind us while we type in commands) and you can show them logs that you are actually performing the policies.
0
 
LVL 61

Assisted Solution

by:btan
btan earned 350 total points
ID: 41876632
I was thinking if we really need to even issued machine for auditor to access and view or we can have admin grab the required for their sighting of evidence. In other words, they do not have direct access.

By default, most of the "configuration" settings you want to view are only accessible at all to administrative users, who can also modify them. So to create a read-only user that can access everything, you're basically looking at modifying everything (file system, registry, application permissions) to add read-only access for a given user.

Have the auditors request information from the admins.  if necessary, auditors watch the admins retrieve the required information. Even an adhoc account or time based expiry restricted account still need certain privileged group membership, which most of the time is not comfortable with the auditee. There is need to manage the auditor as their role is to sight evidence to proof claim of compliance. The adequacy of control is separate matter to review the security report which can be sighted Offline based on sampling.
0
 

Author Comment

by:sunhux
ID: 41877186
Guess for Windows, you'll need administrative priv to view many items.

But for AV EPO (incl Deep Security) & Cisco switches/routers, you don't need
admin privilege to see most of the info.  Going to be quite a justification to
stop such a request for readonly account.

To me, an untrained person will keep asking lots of questions & this is
highly disruptive to work/normal operations
0
 
LVL 61

Accepted Solution

by:
btan earned 350 total points
ID: 41877247
Yes for Windows, at least in those privileged group for authorised membership.

Yes for other non-Windows like the network device, there is not necessary for admin but they also have some level of access between user EXEC mode (level 1) and privileged EXEC mode (level 15). This is as per the principle of least privilege — only give access to what's necessary and no more. So in this case, it can be the case the command allow for auditor has the lowest level and they will not be able to run other privileged commands.  The command depends on what they ant to see which you can allow then.

No matter what auditor access if granted will still be logged. The log is to proof they are not doing more that they should be. There is no access to external storage and anything to be read is onsite for sighting and nothing brought out of premise unless approved.
0

Featured Post

Why do Marketing keep bothering you?

Is your marketing department constantly asking for new email signature updates? Are they requesting a different design for every department? Do they need yet another banner added? Don’t let it get you down! There is an easy way to manage all of these requests...

Join & Write a Comment

Password hashing is better than message digests or encryption, and you should be using it instead of message digests or encryption.  Find out why and how in this article, which supplements the original article on PHP Client Registration, Login, Logo…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
As developers, we are not limited to the functions provided by the VBA language. In addition, we can call the functions that are part of the Windows operating system. These functions are part of the Windows API (Application Programming Interface). U…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now