IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.
The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.
Goals
I noticed this statement in Derek Melber’s WindowsSecurity.com article:
“The admin’s goal is not to secure, rather to ensure things are available. The auditors are not designed to ensure things are available, rather they are ensuring that the settings are secure, in case of an attack.”
While I agree that admins tend to lean toward availability rather than security, admins DO care about security; likewise, auditors like to see things as tight as possible, but no decent auditor recommends overly tight security at the expense of the business (I said decent auditor).
Think about it this way:
- An IT admin can’t have availability without security. If an unauthorized user is accidentally granted admin access to a system, that user can alter the data, which would make the original data unavailable. Also, if security vulnerabilities exist, a hacker can take the system down.
I think most admins simply have too much to do, so they put the must-do tasks for the business ahead of the should-do tasks of security, which is understandable, but short-sighted.
- An IT auditor can’t have security without availability. If the security is so tight that it hampers the business, the auditor is shooting holes in his own feet and all the other wingtips and high heels in the company.
I think many auditors are overzealous, and too many are also too lazy to determine the real risk, impact, and likelihood of issues they find. And they also have managers breathing down their necks to wrap up the audit and move on.
Work Together
Melber also says that
“The moral to the analogy above is that everyone should be doing their own job well, plus understanding the role of the other teammates.”
I agree with that, but I would phrase it this way: everyone needs to understand that they all have the same job: to allow the business to create its products and services in the most efficient manner and meet its goals. To do that, among other things, you have to have availability and security.
And as Melber notes, IT admins and IT auditors should NOT give each other a hard time, but help the other do their job, even when the other makes mistakes or lacks the knowledge to ask for what they need with precision.
If they waste each other’s time, they are wasting company and customer money, as well as their own.
I wouldn’t say an IT auditor’s job is to keep things secure as much as to keep up with compliance. Yes, there is an overlap, but there are areas in which they are vastly different. From an auditor’s perspective, certain risks can never be mitigated except with the use of specific technology that may severely impair the business bottom line.
Hi Alex,
I have never liked the word ‘compliance’. It makes me think of auditors who come in with a checklist that may or may not fit your company, department, process, or risk tolerance and demand changes. You might not have been referring to that, but your comment made me wonder.
I don’t think you can talk about risk without addressing security. And the areas the auditor and admin play in are different, but they all roll up to the same purpose: provide services & products and make money for the company.
I would argue that the CFO, janitor, and marketing director have the same responsibility for security and availability that the admin does, but at a different level. The former 3 should not do anything, stupid or otherwise, that would impact security or availability, but they could. They could leave a back door open to allow unauthorized (auditors love that word) physical access to the building or open an infected attachment.
If I missed your point, please expand it. Thanks.
Hi,
I have a question regarding the level of access an auditor should have with respect to network switches and routers. As COO, I have to adjudicate the squabbles between the head of IT and the IT auditor. Should the IT auditor be given root access to the switches & routers to do their job?
What do you think?
Lanre,
I can’t think of any instance where auditors need any more than read access. In some systems, you might need a little more than that, depending on how the access is configured.
I don’t see that auditors ever need access to change data or configurations. If something more than read is required (to run a utility, for example), then have the admin run the utility in the auditor’s presence.
If you are trying to set up some type of automated access or reporting that requires extra access, then it may help to set up a generic ID and let that ID have the access, but let the auditor run the script or program using that ID. Just make sure no one can log in directly with that ID.
Or set up a test system where the data is copied over and give the auditor access to that.
An auditor worth their salt WOULD NOT WANT root access simply because of the danger that represents if errors are made, and no auditor ever wants to be accused of maliciously changing something.
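One way to check that the arrangement in the reply above is actually being followed, namely a generic audit ID that nobody logs in with directly and a named auditor who may only run the agreed script as that ID, is a small review of the authentication and sudo logs. This is an added example, not part of the original post or its comments; the account name auditsvc, the auditor jdoe, the script path and the log lines are all constructed for illustration.

```python
import re

# Constructed sample log lines (not from the page): a mix of sshd and sudo
# entries. "auditsvc" is the generic ID that holds the read access and must
# never be used for a direct login; "jdoe" is the named auditor who may only
# run the agreed report script as that ID.
SAMPLE_LOG = """\
Mar  3 09:01:12 host sshd[2210]: Accepted publickey for jdoe from 10.0.0.5 port 51022 ssh2
Mar  3 09:01:40 host sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=auditsvc ; COMMAND=/opt/audit/report.sh
Mar  3 09:15:03 host sshd[2290]: Accepted password for auditsvc from 10.0.0.9 port 51100 ssh2
Mar  3 09:20:17 host sudo:     jdoe : TTY=pts/0 ; PWD=/home/jdoe ; USER=auditsvc ; COMMAND=/bin/bash
Mar  3 09:25:44 host sshd[2310]: Accepted publickey for root from 10.0.0.7 port 51234 ssh2
"""

AUDIT_ID = "auditsvc"                          # hypothetical generic audit ID
ALLOWED = {("jdoe", "/opt/audit/report.sh")}   # (auditor, command) pairs permitted via sudo

# Accepted <method> for <user> from <source> ...
SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")
# sudo: <actor> : ... USER=<target> ; COMMAND=<cmd>
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*?USER=(\S+) ; COMMAND=(\S+)")

def audit_access_log(text):
    """Return (line_no, reason) findings for lines that break the two rules:
    no direct login with the generic ID, and only the allow-listed auditor
    may run the allow-listed command as that ID."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = SSH_RE.search(line)
        if m:
            user, src = m.groups()
            if user == AUDIT_ID:
                findings.append((n, f"direct login as {AUDIT_ID} from {src}"))
            continue
        m = SUDO_RE.search(line)
        if m:
            actor, target, cmd = m.groups()
            if target == AUDIT_ID and (actor, cmd) not in ALLOWED:
                findings.append((n, f"{actor} ran {cmd} as {AUDIT_ID}; not on allow-list"))
    return findings

if __name__ == "__main__":
    for n, reason in audit_access_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

The check deliberately ignores everything not involving the audit ID (the root login on the last line is an admin matter, not an auditor-access one), so it stays focused on whether the agreed arrangement is being honoured.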