If Webster is my auditor, we are going to spend a lot of time eating crab cakes while my minions 'prepare' the documentation. <grin>
Jim

From: Webster [mailto:[email protected]]
Sent: Monday, December 20, 2010 9:38 AM
To: NT System Admin Issues
Subject: RE: Experience with doing IT Audits

Jim is right. Do not give (me) the auditor more info than was requested. I don't want more stinking paperwork to do than necessary.

Policies and Procedures need to be in writing and signed off by all the required upper-level people specified in the P&P that states who is supposed to sign off on what.

All lists and reports must have a date and time printed on them, and they must be within 24 hours of the audit. Don't give me last month's report. And if you do give me last month's report, at least change the date and time printed on it some way! :)

In SOX audits, we didn't care about specifics. Do you have a P&P in place, and are you following it to the letter? If you insist on having 48 people in Domain and Enterprise Admins, make a list of the users, delete them all for the audit and add them back in when I walk out the door! :)

If you have a P&P stating that ALL antivirus software must be updated, don't forget that most backup software has built-in AV capabilities, and I have to ding you when Backup Exec AV hasn't been updated since it was installed 5 years ago.

Did I ever mention I hate doing these audits?

Webster

From: Jim Holmgren [mailto:[email protected]]
Subject: RE: Experience with doing IT Audits

BTDT too many times to count. For what it is worth, my advice when dealing with auditors:

1) Only give the auditors what they ask for - do not volunteer any additional information. Most of the time, they just want to check the boxes and move on to the next person. You aren't doing yourself any favors by asking for more work.

2) Have written, approved policies and some way to prove that you follow them. Most of the time the guidelines do not get into specifics about the contents of the policies. They only say "you must have a retention policy and abide by it" - they generally don't say "you must keep emails for X days".

---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected] with the body: unsubscribe ntsysadmin
