Great advice on working with the auditor and making security a team
effort for everyone.
However:
Your auditor should be someone you can depend on to help you improve
state.. not just point out problems.
Unfortunately, from what I hear (we don't have these kinds of audits)
too many auditors don't even point out problems. Instead they give a list
of items that did not pass an arbitrary check-list that is not relevant
to the site, nor does it improve security.
A good auditor (of course) is using relevant standards and is willing to
work with the staff.
--david
On 12/04/14 10:04, Branson Matheson wrote:
</rant>
So as an auditor that's done plenty of banks, medical facilities..
what I have found is you see a very BROAD level of auditing capability
and levels .. as outside of regulation most people are not encouraged
to do or request more; and I believe that's because most auditors are
seen as Evil(tm).
When I started.. the first instruction I took on auditing, the
instructor said something that's stuck with me for some time.. "If
your customer doesn't say 'Yay, the auditor is here!' .. then you're
doing it wrong." This goes along with my other rants about how
security and sysadmin should be working together. I swear I am gonna
coin the idea of SecOps along side DevOps to encourage that. Anyway.
When you talk to a potential auditor .. you really want to see if
you can work with them instead of them merely working for you. Ask:
- Can I sit in with you as you're performing the audit? And watch/learn?
- Can I get copies of the tools you used?
- Can I get copies of any raw-reports?
- Would you mind using zsh | tee shell.log?
I believe it's probably a bit self-serving to be providing
remediation as well as auditing in the same group ( kinda like lawyers
working in congress.. but I digress) .. however, if they have
remediation recommendations.. you should certainly take advantage of
them. Many tools give you that information in the raw output
(CIS Security Benchmarks, for instance).
Your auditor should be someone you can depend on to help you improve
state.. not just point out problems.
- b
On Dec 4, 2014, at 10:53 AM, Carolyn Rowland <[email protected]> wrote:
I guess I've always seen security as a core skill for a sysadmin;
it's always been a priority. The auditor can be helpful by making me
think about areas where I haven't focused or can be like a cloud of
black flies by coming up with makework exercises.
Carolyn
On Thu, Dec 4, 2014 at 10:28 AM, leam hall <[email protected]> wrote:
On Thu, Dec 4, 2014 at 10:15 AM, Carolyn Rowland <[email protected]> wrote:
> It's these kinds of audits that distract sysadmins from the security that
> actually makes things more secure. It drives a wedge between security people
> and the sysadmins.
>
> Carolyn
Yes and no. Keep in mind that security is one of the many skills a
sysadmin must have. Not everyone can or has made it a priority. So
auditable tasks become a minimal baseline for those that need it.
Once that's done, however, you've met the absolute bare bones "keep
your job" minimum. Then you start pulling in ideas from security
experts, using tools like Puppet, nmap, nessus, and continuous
improvement to harden your area.
Leam
--
Mind on a Mission
_______________________________________________
Discuss mailing list
[email protected]
https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
This list provided by the League of Professional System
Administrators
http://lopsa.org/
- b
Branson Matheson
[email protected]
--
David Parter
Director of Academic Computing Services
University of Wisconsin Computer Sciences Department
[email protected]
608-262-0608
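Branson's fourth question to a prospective auditor above (running the audit shell through tee so both sides keep the raw log) is worth turning into a small habit. The following is an added example and is not code from anyone in this thread: it records the whole terminal session with script(1) rather than "zsh | tee", which only sees what the shell writes to stdout, and then seals the log with a SHA-256 digest so the auditor and the sysadmin can later confirm they are working from the same unmodified record. The function names and the log naming scheme are assumptions of this example; it expects script(1) (util-linux or BSD) and either coreutils sha256sum or shasum.

```shell
#!/bin/sh
# Added example, not code from the thread: keep a verifiable raw record of an
# audit session. Function names and the log naming scheme are assumptions.
# Assumes script(1) (util-linux or BSD) and sha256sum (coreutils) or shasum.

# Derive a log filename from a free-form label plus a UTC timestamp.
audit_log_name() {
    label=$(printf '%s' "$1" | sed 's/[^A-Za-z0-9_-]/_/g')
    printf '%s-%s.log' "$label" "$(date -u +%Y%m%dT%H%M%SZ)"
}

# Start an interactive shell whose complete terminal I/O is appended to $1.
# script(1) records stdin, stdout and stderr; "zsh | tee" sees only stdout.
start_audit_session() {
    logfile=$1
    printf '# audit session start %s\n' "$(date -u)" >> "$logfile"
    script -a -q "$logfile"
    printf '# audit session end %s\n' "$(date -u)" >> "$logfile"
}

# Pick whichever SHA-256 tool is installed; prints the command to use.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf 'sha256sum'
    else
        printf 'shasum -a 256'
    fi
}

# Write <log>.sha256 next to the log (relative name, so the pair can be moved
# or mailed together) and print the digest file's path.
seal_audit_log() {
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && $(sha256_tool) "$base" > "$base.sha256")
    printf '%s\n' "$1.sha256"
}

# Return 0 if the log still matches its sealed digest, non-zero otherwise.
verify_audit_log() {
    dir=$(dirname "$1"); base=$(basename "$1")
    (cd "$dir" && $(sha256_tool) -c "$base.sha256" >/dev/null 2>&1)
}
```

Run start_audit_session "$(audit_log_name 'Q4 audit')" when the engagement begins and exit that shell when it ends; then seal_audit_log the file and hand both the log and its .sha256 to the other party. verify_audit_log is what either side runs later, so a disputed finding can be settled against the same raw output instead of against memory.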