Auditing: The Single Biggest Lesson to Learn (Part 1)

The young lady that was reviewing our audit with me sure didn’t look like a vampire. But as she dug deeper and deeper into our results, I began to feel myself getting weaker and weaker, just as if she were sucking my life blood from me. What she was sucking away from me was much less than blood, and more pride. What she was really and truly talking about was Network Security 101a, and I’d just gotten an F-. I’d always prided myself upon being able to keep issues at bay and pay attention to Network Security, and here I’d just been told that I’d missed the basics.

Let’s take a look at error number one, one she didn’t have to point out, but one I began to realize was there. I looked at her and thought, “Who the heck are you to tell . . .” And I began to realize the lesson was one I’d seen before. What I was seeing was Pride, and she was trampling all over it. I also knew that Pride can be a huge failing. I looked at it and I began to realize I wasn’t alone in that one. My colleagues in Dallas (no names please) were twice as guilty as I was. They’d been through audits dozens of times, and had always failed them. And I’d heard it from their own lips: “These people don’t know how to run an enterprise IT department.” I began to realize that it was impossible to pass if you let your pride get in the way. Their pride was preventing them from learning from their own mistakes.

Let me put it another way. For those of you who have ever been in the US Army, you know of a place called the National Training Center at Ft. Irwin, California. This place isn’t exactly the middle of nowhere, but there are road signs pointing to it from there. It’s out in the Mojave Desert, and America’s best go out there to prove their mettle against the Opposition Force that rules the desert. These guys play with inferior equipment, use tactics we look down on, and if you even manage to break even against them, well, you’re doing pretty well. Failing at NTC wasn’t a bad thing (everyone does); what was bad was failing to learn from your mistakes. Since I’d been to NTC several times (and of course died a number of wild and embarrassing deaths), I began to realize that just as NTC prepares you for a real war, what I’d just gone through was preparing me for the real audit.

There are two kinds of audits: there’s the internal audit and the external audit. Of the two, the internal audit is the one that is much more detailed, much more stressful, and much more unforgiving. The reason is simple. The external audit will most likely focus on one or two things, and may or may not even be IT related. The problem is, no one knows what the external audit (and this is the one that generates the report that goes to investors, etc.) will look at. They might even take the Internal Auditors’ results and call them good if they feel they’re valid. So Internal Auditors, of which the Bride of Dracula was one, are simply hired guns who go out and find your weaknesses. It’s OK for them to find weakness. What isn’t OK is to do nothing about it.

In my own defense, I’ll say, I didn’t know the game yet. SOX was a mystery wrapped inside a puzzle and clothed in an enigma. But I also began to realize that if I was ever going to beat the External Auditor, I needed to beat the Internal Auditors first.

So what are the basics, and how do you go from an F- to a solid A+? Basics are what they look for in any audit, and part of that is keeping things written down (if you don’t write it down, it didn’t happen), so in this and the next several blogs, we’re going to tear apart the audit process and learn how to beat them at their own game.

What she was talking about was Basic Network Security. What she was talking about was checks and balances, the very thing I knew I was after anyway. So rather than fight it, I took it as a chance to learn. I needed to learn to beat them, and at the same time, I would enhance my security posture.

So, with that in mind, let us begin. In the next several blogs, we’ll cover many of the mistakes people make, learn how to detect them, and what to do about them. We’ll also begin looking at the hardest thing of all: writing things down.

So, next week, we dive in with both feet and start looking at keeping track of Active Directory changes.

Stay safe out there.