What Are You Doing Right Now
-
Have to keep perspective that IT is to Support the Business, not be the Business. If there is a request by a 3rd party for additional security information, then all we can do is verify the request by the CEO. Anything else past that, and we're being insubordinate. We need to assume that the CEO has vetted the 3rd party and that the 3rd party will properly keep our information safe, secured, and not use it maliciously.
-
We had a curious situation of bringing in some auditor for accounting stuff, which included having to answer questions about our network (password policies, what applications are run on what servers, who supports them, NTFS permission settings). I was also given a template for the expected answers, which was basically answers from another company they've audited -- I can't remember whether or not the name of the company was on the template. I thought it was a bit odd for that information to be needed, so I raised the question with the CEO. Once I knew the CEO was aware this information was being requested, I shut my trap and completed the documentation.
-
@travisdh1 @scottalanmiller In retrospect, I could've probably been smoother in voicing my concern. I wasn't reprimanded, but it made me finally accept that my job really isn't to protect our network from the company, but rather do the company's bidding to the network.
-
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
-
@RojoLoco said in What Are You Doing Right Now:
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.
-
@scottalanmiller said in What Are You Doing Right Now:
@RojoLoco said in What Are You Doing Right Now:
I think verifying with the CEO is important to IT because if the auditor does do something shady, like pwn your whole network, then IT gets to do the cleanup (and take the blame sometimes, because what CEO will admit they did something wrong?). I don't see any issue with making sure the C-levels are aware and on board before you just hand over info to some outsider.
And I said that... that confirming that the audit was real and really authorized. I even mentioned handing the "hot potato" documents up the chain to be handed over to ensure that someone closer to the relationship did the hand over.
At least to include the higher ups in the hand over, in something such as an email or a meeting or something.
-
If you are afraid of an audit, then you probably shouldn't work there.
-
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
That's kind of a bad mindset isn't it?
No one willfully wants to go through an audit, but people plan for it and do it.
Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.
-
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
I agree. Although the OP doesn't seem to be afraid of the audit in a general sense. Just this one part of it. It's a weird part, IMHO. Like it feels like one of the most obvious things that they would need AND very benign.
-
@DustinB3403 said in What Are You Doing Right Now:
No one willfully wants to go through an audit, but people plan for it and do it.
Sure we do. Good departments should want audited.
President of Brasil literally demanded he be audited yesterday!
-
@DustinB3403 said in What Are You Doing Right Now:
Just because one is afraid of the audit, doesn't mean they are doing something wrong or illegal. Maybe they just have super poor documentation.
Isn't poor docs doing something wrong
-
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
@scottalanmiller said in What Are You Doing Right Now:
Sure we do. Good departments should want audited.
President of Brasil literally demanded he be audited yesterday!
No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.
-
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
I actually (despite my griping) liked having a SAM license engagement one time. It gave weight to my "f0 r3@lz, properly licensing software matters."
-
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
But in that case, you'd not care that you were audited, either.
-
@DustinB3403 said in What Are You Doing Right Now:
No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.
Did he get blindsided? I didn't notice that part.
-
@scottalanmiller said in What Are You Doing Right Now:
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
But in that case, you'd not care that you were audited, either.
While true, I still wouldn't want to have to go through an audit.
-
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
@scottalanmiller said in What Are You Doing Right Now:
Sure we do. Good departments should want audited.
President of Brasil literally demanded he be audited yesterday!
No you don't, you'll schedule it at will, not be blind sided by an audit. This is completely different than what is described.
In your case I would want an audit on day one. Someone else to show the bosses the state of the system before you took over. Then audited again later to show how things have improved.
-
Just booked my Air BnB in Toronto... and check out the decor:
-
@EddieJennings said in What Are You Doing Right Now:
@Dashrender said in What Are You Doing Right Now:
If you are afraid of an audit, then you probably shouldn't work there.
I actually (despite my griping) liked having a SAM license engagement one time. It gave weight to my "f0 r3@lz, properly licensing software matters."
Yep, sometimes the only way to get management to "do the right thing" is when they have external pressure basically making them.
-
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
@DustinB3403 said in What Are You Doing Right Now:
@scottalanmiller said in What Are You Doing Right Now:
Isn't poor docs doing something wrong
Not if you've just started with the business. I'm on a month at my new job, and would hate having to go through an audit right now as I'm working to get things cleaned up, organized and documented.
But in that case, you'd not care that you were audited, either.
While true, I still wouldn't want to have to go through an audit.
Not wanting vs afraid are two different things. You shouldn't be fearful of an audit.