We have finished our IT controls testing last last last week and were able to discuss them with our “process owners” last week only to receive their action plans yesterday.
It’s funny how these process owners react to the observations made by their auditors. They would dearly accept those observations which they are aware of even before the audit and tell you to include them in your report for them to act on it. Can’t they just do what they are supposed to do without being told?
Sometimes you’d just wonder if we humans are generally “lazy” beings. I seldom know people doing things they know they should do… like me. I’m supposed to prepare the test scripts (sort of like a script for those in theatres/ plays) on which the reviews will be based… but I’m sick… I got caught by Friday sickness and am very eager at the moment… eager to go home…
*****
Nevertheless, I don’t want to end my week wasted, so I’ll try to share something with all my colleagues and give myself even a little personal satisfaction (a sort of apology for my wasted working hours).
When our IT controls were audited last year, they were found to be very satisfactory with only a single minor deficiency passed on to us from Paris. We don’t know what the auditors did but during our independent review this year, we noted several issues, most of which relate to IT security (physical and logical security). I believe having Somarsoft’s DumpSec as our audit tool made a big difference between our independent reviews and the prior year’s reviews.
Unlike in the previous year, when the review was done only at the Active Directory System (ADS) security policy level, we were able to do a detailed review of the logical security (at least for OS access) at the individual user level using the tool. We were able to identify, user by user, those accounts which pose increased vulnerability to attacks due to control overrides in the password policies (no password required, passwords never changed, passwords that do not expire, etc.).
The tool not only provides information on password settings at the user account level but also the group membership of every user account within the network. This information is helpful in identifying segregation of duties issues by matching the access/ group membership granted against the individual’s function/ job description.
When remote access is used, the tool can also identify the users accessing the network through this medium. You can then match the users with remote access against those included in the authorized list of remote access users.
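As an added illustration of the three checks described above (this is example code, not the author’s procedure or anything shipped with DumpSec), the script below reads a constructed tab-delimited user export, loosely modelled on a “dump users as table” report, and flags the accounts an auditor would raise. The column names, sample accounts, the job-function group matrix and the authorized remote-access list are all constructed for this example.

```python
import csv
import io
from datetime import date

# Constructed sample in the spirit of a "dump users as table" report; the
# column names and every value are made up for this example, not real output.
SAMPLE_EXPORT = """UserName\tPswdRequired\tPswdExpires\tPswdLastSetTime\tGroups\tRasDialin
jdoe\tYes\tYes\t2008-01-15\tDomain Users;Finance\tNo
svc_backup\tNo\tNo\t2005-03-01\tDomain Users;Backup Operators\tNo
mreyes\tYes\tNo\t2006-06-30\tDomain Users;Finance;Domain Admins\tYes
aperez\tYes\tYes\t2008-02-01\tDomain Users;Sales\tYes
"""

# Constructed matrix: groups that each person's job description justifies.
ROLE_GROUPS = {
    "jdoe": {"Domain Users", "Finance"},
    "svc_backup": {"Domain Users", "Backup Operators"},
    "mreyes": {"Domain Users", "Finance"},
    "aperez": {"Domain Users", "Sales"},
}
AUTHORIZED_RAS = {"aperez"}   # constructed authorized remote-access list
MAX_PASSWORD_AGE_DAYS = 90

def audit_users(export_text, role_groups, authorized_ras, as_of="2008-03-01"):
    """Return {username: [finding, ...]} for accounts that override the password
    policy, hold groups beyond their function, or dial in without authorization."""
    today = date.fromisoformat(as_of)
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text), delimiter="\t"):
        user, issues = row["UserName"], []
        if row["PswdRequired"] != "Yes":
            issues.append("no password required")
        if row["PswdExpires"] != "Yes":
            issues.append("password never expires")
        age = (today - date.fromisoformat(row["PswdLastSetTime"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password not changed for {age} days")
        extra = set(row["Groups"].split(";")) - role_groups.get(user, set())
        if extra:
            issues.append("groups beyond job function: " + ", ".join(sorted(extra)))
        if row["RasDialin"] == "Yes" and user not in authorized_ras:
            issues.append("remote access not on authorized list")
        if issues:
            findings[user] = issues
    return findings

if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_EXPORT, ROLE_GROUPS, AUTHORIZED_RAS).items():
        print(f"{user}: " + "; ".join(issues))
```

With the sample data, jdoe and aperez come out clean, while svc_backup and mreyes each produce several findings to take back to the process owner.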
*****
Seems like the IT audit training provided to us by P&A was very useful, at one point, but the experience gained while working with them was far more useful and fully complemented the knowledge gained from the training.
*****
The stock market is back to where it was 8 weeks ago… and it’s starting to rise again. It’s also good to note that my small investment is now in the recovery room and will be back to work in a short period of time… I’ll keep my fingers crossed…
*****
graphics by inkytwist of deviantart