Here’s my list of IT/security basics that I think IT auditors ought to know. If you can’t understand and audit these items, you do not know enough about technology to avoid having the wool pulled over your irises (not matter how good an auditor you are). The list is in no particular order.
If you’re a CISA or CISSP and you don’t know the following, I think you have some work to do.
I started adding some links to explain some of these items in response to a request by ziad (good idea). Some of the links are to more of my own posts, while others are to outside articles that contain good content. While I feel the links cover the material I’m referring to in this post, some of the linked articles contain information and suggestions that I don’t necessarily agree with. I’ll keep adding links, and maybe someday will add more of my own posts to supplement this material.
- In Windows, the difference between network (Active Directory domain) accounts and local server and user accounts.
- The difference between Windows local admin accounts and domain admin accounts.
- How Active Directory groups and permissions control account access.
- Difference between share permissions and folder permissions.
- How the network, applications, and databases work together. First, that they are separate entities. Second, the basic functions that each performs.
- How adding complexity and length to a password makes it more difficult to guess or crack.
- How to map a shared network drive, map a printer, and ping a network device by name AND by IP address.
- While logged into* a Windows PC on a unfamiliar network, determine the device’s IP address, network mask, and gateway. Also determine the DHCP and DNS server the device is using.
- The differences between databases, database instances, database tables, and database views.
Almost all the IT auditors I’ve worked with don’t know half of these. How do you fare?
- How to type (no kidding!). How can you work in IT or audit or anywhere, on a computer all day, if you peck like a bird?
- How to read system logs.
- Fundamental differences between Windows and UNIX operating systems.
- How to read Unix permissions.
- How to perform a whack-whack server audit.
- How to perform basic URL man-ip-ulation.
- How to run simple scanners such as Netstumbler and Superscan (see Top 100 Network Security Tools).
- How to configure wireless network cards and wireless routers for WPA security (at least).
- How to map to a printer on a unfamiliar network without any help (anyone want to guess why I think this is so important? It’s not explicitly related to auditing or security, but is directly related).
What do you think about this list? What technical skill would you add or dispute? I didn’t even touch the soft skills!
For those of you who get audited, what irks you the most about what IT auditors don’t know?
* I realize auditors don’t normally log into devices they are auditing. Assume you’re sitting with the owner of the device and he’s logged in and you need to direct him to display these settings.
Of course there’s a LOT MORE to IT auditing than what’s on this list. I didn’t mention backup, disaster recovery, business continuity, and a host (pardon the pun) of other items. I’ve found the best IT auditors are former IT grunts; if you’re not a former grunt, I’d sure hope you have a good network of IT pros, IT auditors. and security analysts you can go to for a reality check once in a while (outside of the company you’re auditing). I know how much I depend on my network.
So what do you agree with, disagree with, and what would you add?
Do the IT auditors you know KNOW these things?
Check these out: