What Are You Doing Right Now

DustinB3403

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

That's kind of a bad mindset isn't it?

No one willfully wants to go through an audit, but people plan for it and do it.

Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.

scottalanmiller

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

I agree. Although the OP doesn't see to be afraid of the audit in a general sense. Just this one part of it. It's a weird part, IMHO. Like it feels like one of the most obvious things that they would need AND very benign.

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

No one willfully wants to go through an audit, but people plan for it and do it.

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.

Isn't poor docs doing something wrong

DustinB3403

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

EddieJennings

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

I actually (despite my griping) liked having a SAM license engagement one time. It gave weight to my "f0 r3@lz, properly licensing software matters."

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

But in that case, you'd not care that you were audited, either.

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

Did he get blindsided? I didn't notice that part.

DustinB3403

@scottalanmiller said in What Are You Doing Right Now:

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

But in that case, you'd not care that you were audited, either.

While true, I still wouldn't want to have to go through an audit.

Dashrender

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

in your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. then audited again later to show how things have improved.

RojoLoco

Just booked my Air BnB in Toronto... and check out the decor:

Dashrender

@EddieJennings said in What Are You Doing Right Now:

@Dashrender said in What Are You Doing Right Now:

If you are afraid of an audit, then you probably shouldn't work there.

I actually (despite my griping) liked having a SAM license engagement one time. It gave weight to my "f0 r3@lz, properly licensing software matters."

Yep, some times the only way to get management to "do the right thing" is when they have external pressure basically making them.

Dashrender

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

But in that case, you'd not care that you were audited, either.

While true, I still wouldn't want to have to go through an audit.

Not wanting vs afraid are two different things. You shouldn't be fearful of an audit.

DustinB3403

@Dashrender said in What Are You Doing Right Now:

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

in your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. then audited again later to show how things have improved.

While having value in that (I agree) how would you get the business to pay for an audit as soon as you've started?

Dashrender

@DustinB3403 said in What Are You Doing Right Now:

@Dashrender said in What Are You Doing Right Now:

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

in your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. then audited again later to show how things have improved.

While having value in that (I agree) how would you get the business to pay for an audit as soon as you've started?

By telling the company about the value it brings to both you and them.

They learn the current condition of the setup. It gives you and the company the easy ability to set goals for improvement. Tell them that a person can rarely audit themselves unbiasly. having it be external means the auditors have no skin in the game other than to show you how good or bad the environment is.

Then a future audit will show how good of a job you are doing, and might point out some suggestions on how somethings can be done better, etc.

scottalanmiller

@DustinB3403 said in What Are You Doing Right Now:

@Dashrender said in What Are You Doing Right Now:

@DustinB3403 said in What Are You Doing Right Now:

@scottalanmiller said in What Are You Doing Right Now:

Isn't poor docs doing something wrong

Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.

@scottalanmiller said in What Are You Doing Right Now:

Sure we do. Good departments should want audited.

President of Brasil literally demanded he be audited yesterday!

No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.

in your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. then audited again later to show how things have improved.

While having value in that (I agree) how would you get the business to pay for an audit as soon as you've started?

I've talked to a place just yesterday that is looking for a CIO and plans an audit the moment that the CIO starts. They are waiting on the CIO to start so that they can have the audit with him (or her) there to review it.

dafyre

I think the OP of https://community.spiceworks.com/topic/1997727-outside-auditor-is-requesting-firewall-configuration-files-is-this-safe

Would be right to bring his concerns to management. However, I also do not see an issue with sending the file as-is -- if management approves and understands that if passwords are in that file, they can ultimately be recovered by various means. I'd get that in writing from everybody as high up in the chain it needs to go before sending that file out.

Of course, my recommendation would be to redact the passwords, and in the config file, they would clearly be labelled *REDACTED* . If I can redact the passwords, I'd see no problems with sending out the config files to a third party.

Either way, the auditors would get what they need.

scottalanmiller

@Dashrender said in What Are You Doing Right Now:

in your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. then audited again later to show how things have improved.

I agree, that's great to do.

scottalanmiller

@dafyre said in What Are You Doing Right Now:

Would be right to bring his concerns to management. However, I also do not see an issue with sending the file as-is -- if management approves and understands that if passwords are in that file, they can ultimately be recovered by various means. I'd get that in writing from everybody as high up in the chain it needs to go before sending that file out.

You think his network config file has passwords in it? If so, hiding that woudl be a BIG deal. How do passwords even get ni there?

dafyre

@scottalanmiller said in What Are You Doing Right Now:

@dafyre said in What Are You Doing Right Now:

Would be right to bring his concerns to management. However, I also do not see an issue with sending the file as-is -- if management approves and understands that if passwords are in that file, they can ultimately be recovered by various means. I'd get that in writing from everybody as high up in the chain it needs to go before sending that file out.

You think his network config file has passwords in it? If so, hiding that woudl be a BIG deal. How do passwords even get ni there?

It's been a while since I've looked, but the last Cisco router I worked on had them encrypted. My HP Networking gear (much more recently) had them encrypted. My Fortigate 110C and 500D also had passwords encrypted in the config file. So yes, I consider that a strong possibility.