It is no surprise that every IT department has had to interface with security auditors for over a year now. The new security regulations that Sarbanes-Oxley (SOX), IT Infrastructure Library (ITIL) and HIPAA impose on a company can force additional work that the IT staff has never had to be concerned with before.
It is not the fault of the IT security auditor that companies must accomplish the compulsory work, but it is their job to ensure that the results are correct. Working with IT security auditors for the past five years and IT professionals for the past 15 years, I have learned some easy-to-follow steps that make the process of auditing IT security easier for everyone involved.
Change your attitude
Most IT employees have little respect for the IT security auditor. And, not surprisingly, auditors don't like to work with IT because of their poor attitude.
Make the time
Auditors often tell me that the IT staff does not make the time to perform a good analysis of network security, causing more iteration for data collection. If the IT staff would simply gather the key information initially, the overall process would be reduced. It is like the old "measure twice, cut once" philosophy. If IT gathers the information correctly the first time, by double-checking its work, the overall process will be less time consuming.
Let technology work for you
With Windows in your enterprise, you have a lot of technology that can help you maintain a secure environment that will remain consistent between audits. A consistent security environment will dramatically reduce the time required to perform subsequent audits.
Some key technology practices you need to have in place include:
- Delegation of administration for Active Directory, Group Policy, data management and so on
- Use of Group Policy to establish and maintain security
- Use of Least-Privilege User Account (LUA) to eliminate users from being local administrators on their desktops
- Implementation of security templates to establish baseline security for servers, domain controllers and desktops
- Methodology for desktop deployment using simple images
- Post image installation technologies that install software, configure operating system settings and format the user's profile automatically (and change these settings when a user moves from one organizational unit to another)
- Software and scripts that help document change management for all security-related aspects within Active Directory, Group Policy and deployment
Make it easier on yourself
Working with IT security auditors is not difficult; it is just a mindset. The task must be done, so there is nothing to be gained by whining about it. Changing your attitude is the first step toward making the interaction a positive one. The next step can go a long way. It is taking the time to determine what information the security auditor will require. Finally, as IT professionals, we need to start using technology that makes our jobs easier and more efficient. There are plenty of technologies and tools that can help you achieve this goal within a Windows environment.
10 tips in 10 minutes: Windows IT management
Tip 1: The long-range plan for 64-bit hardware
Tip 2: A Window into interoperability
Tip 3: Third-party software: Do you need it?
Tip 4: Buy 64-bit now; you won't regret it
Tip 5: Maintaining a secure Active Directory network
Tip 6: Firewalls can help or hurt, so plan carefully
Tip 7: Weak passwords can make your company vulnerable
Tip 8: Keys to finalizing your Active Directory migration
Tip 9: Network safety relies on reaction time to Patch Tuesday
Tip 10: Make friends with your security auditors
Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.