Enterprise Security: Cheating on Your IT Security Audits
I recently read a good article regarding IT Security Audits which I thought many readers would be interested in. Cheating on IT audits by IT staff is not unheard of to most of us in the auditing business. However, it is a taboo subject that rarely gets any media attention and few ever discuss in public. Whenever we auditors perform an audit, all the information provided to us is accurate, never doctored, performed within the time frame or scope of the audit, and properly authorized by management (if you believe this you may be on drugs). Cheating on audits, on purpose or out of ignorance, is common, and this is one of the reasons we have to verify the authenticity and relevancy of the samples and evidence provided to us before we can accept them.
The article points out that 20% of the 151 IT Security professionals recently polled at a major InfoSecurity conference admitted that they or a colleague had cheated on an IT Security Audit of their firewalls. Although this sounds like a high figure, and I have never investigated this in any formal way, I will venture to say that in the “field” the number is probably higher than 20%. Here is an excerpt from the eWeek Security Watch article, which you can read in its entirety by clicking the link at the bottom of the post:
“An audit isn’t worth much if the people doing it are cutting corners. Unfortunately, a survey by the folks at Tufin Technologies suggests many IT pros may be doing exactly that.
The survey, which was conducted at the InfoSecurity Europe 2009 Conference in April, took opinions from 151 IT security pros. The aim was to determine companies’ approach to firewall auditing and management.
What Tufin turned up was that 20 percent of the respondents admitted they or a colleague had cheated on an audit to get it passed. The company did not ask specifically how they cheated, citing time constraints. But if applied generally, it could be there are many networks operating under a false sense of their own security posture.
Going deeper, 9 percent of the respondents admitted that they never bother to check and audit their firewalls at all….”
To continue reading this interesting story, please click the link below:
What do you think? Am I stretching it here by thinking that the real figure may be higher than 20%? Leave a comment (anonymously if you like).