</rant>

So as an auditor that's done plenty of banks, medical facilities.. what I have found is you see a very BROAD level of auditing capability and levels .. as outside of regulation most people are not encouraged to do or request more; and I believe that's because most auditors are seen as Evil(tm).

When I started.. the first instruction I took on auditing, the instructor said something that's stuck with me for some time.. "If your customer doesn't say 'Yay, the auditor is here!' .. then you're doing it wrong." This goes along with my other rants about how security and sysadmin should be working together. I swear I am gonna coin the idea of SecOps alongside DevOps to encourage that. Anyway.

When you talk to a potential auditor .. you really want to see if you can work with them instead of them merely working for you. Ask:

- Can I sit in with you as you're performing the audit? And watch/learn?
- Can I get copies of the tools you used?
- Can I get copies of any raw reports?
- Would you mind using zsh | tee shell.log?

I believe it's probably a bit self-serving to be providing remediation as well as auditing in the same group (kinda like lawyers working in congress.. but I digress) .. however, if they have remediation recommendations.. you should certainly take advantage of them. Many tools give you that information in the raw output (CISecurity Benchmarks, for instance). Your auditor should be someone you can depend on to help you improve state.. not just point out problems.

- b

> On Dec 4, 2014, at 10:53 AM, Carolyn Rowland <[email protected]> wrote:
>
> I guess I've always seen security as a core skill for a sysadmin; it's always
> been a priority. The auditor can be helpful by making me think about areas
> where I haven't focused or can be like a cloud of black flies by coming up
> with makework exercises.
>
> Carolyn
>
> On Thu, Dec 4, 2014 at 10:28 AM, leam hall <[email protected]
> <mailto:[email protected]>> wrote:
> On Thu, Dec 4, 2014 at 10:15 AM, Carolyn Rowland <[email protected]
> <mailto:[email protected]>> wrote:
> > It's these kinds of audits that distract sysadmins from the security that
> > actually makes things more secure. It drives a wedge between security people
> > and the sysadmins.
> >
> > Carolyn
>
> Yes and no. Keep in mind that security is one of the many skills a
> sysadmin must have. Not everyone can or has made it a priority. So
> auditable tasks become a minimal baseline for those that need it.
>
> Once that's done, however, you've met the absolute bare bones "keep
> your job" minimum. Then you start pulling in ideas from security
> experts, using tools like Puppet, nmap, nessus, and continuous
> improvement to harden your area.
>
> Leam
>
> --
> Mind on a Mission
> _______________________________________________
> Discuss mailing list
> [email protected] <mailto:[email protected]>
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss
> <https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss>
> This list provided by the League of Professional System Administrators
> http://lopsa.org/ <http://lopsa.org/>

- b
Branson Matheson
[email protected]
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Discuss mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/discuss This list provided by the League of Professional System Administrators http://lopsa.org/
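The "zsh | tee shell.log" suggestion in Branson's list is about keeping a raw record of everything the auditor ran, so the customer gets the evidence and not just the findings. As an added example, not code from the original thread or from any of its authors, here is a small POSIX shell helper that appends each command and its output to a session log and then produces a SHA-256 digest of that log, so that auditor and customer can each keep a copy and later confirm neither copy was altered. The function names, the default log path and the fallback from sha256sum to shasum are all assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list thread): log each audit
# command with a timestamp and its output, then hash the log for later comparison.
# Assumes a POSIX sh with tee, date and either sha256sum or shasum available.

# Log file path; override with LOG=/path/to/file before sourcing or calling.
LOG=${LOG:-audit-session.log}

# log_cmd CMD [ARGS...]
# Writes a timestamped header line, then runs the command with stdout and
# stderr merged, appending everything to $LOG while still showing it on screen.
log_cmd() {
  printf '### %s $ %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOG"
  "$@" 2>&1 | tee -a "$LOG"
}

# log_digest
# Prints the SHA-256 hex digest of $LOG. Keep this value with the report so a
# copy of the log handed over later can be checked against it.
log_digest() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$LOG" | cut -d' ' -f1
  else
    shasum -a 256 "$LOG" | cut -d' ' -f1
  fi
}

# Stand-alone demo: run as "sh audit-log.sh --demo" to record one harmless
# command and print the digest. When sourced, nothing runs automatically.
if [ "${1:-}" = "--demo" ]; then
  log_cmd uname -a
  printf 'sha256(%s) = %s\n' "$LOG" "$(log_digest)"
fi
```

For an interactive session the author's `zsh | tee shell.log` or `script -a shell.log` captures the whole terminal in one go; the helper above suits the scripted case where you want every command labelled with the time it ran, which makes the raw log much easier to line up with the findings afterwards.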
