Lazy Auditors?

SC Magazine has an article entitled "Lazy auditors lay Australia's security bare" that extensively quotes fellow CSU alumnus Craig Wright. Good article, but the blame can hardly be laid solely at the feet of the auditors. Networking equipment is routinely forgotten when audits, vulnerability assessments or even risk assessments are conducted. The focus is usually on the database server or the client workstation, and the equipment that allows these devices to communicate is commonly overlooked. Networking equipment is often hidden away in comms cupboards or deemed 'too risky' to patch or update.

The auditors can, however, take more of the blame for the whole 'checkbox compliance' attitude - I know I've sat through audits from major auditors that were little more than a joke, conducted by (often junior) auditors who had little idea of the meaning of the questions they were asking. If this is combined with management that is happy to see a box checked rather than try to understand the details (such as the scope and depth of the audit, the experience of the auditor, the real gaps and risks, etc.) - in a fashion most would never accept for a financial audit - then the problem is multiplied.

Does your organization's patch policy include these often forgotten items, such as its networking equipment? Have your auditors assessed them? Do they even know what these devices are, or how they (if not properly managed) pose a risk to the organization?
