
Make friends with your security auditors

IT managers and security auditors have long had an uneasy relationship. Contributor Derek Melber tells you why it's in your best interest, and your company's, to get along.

It is no surprise that every IT department has had to interface with security auditors for over a year now. The new security regulations that Sarbanes-Oxley (SOX), IT Infrastructure Library (ITIL) and HIPAA impose on a company can force additional work that the IT staff has never had to be concerned with before.

It is not the fault of the IT security auditor that companies must accomplish the compulsory work, but it is their job to ensure that the results are correct. Working with IT security auditors for the past five years and IT professionals for the past 15 years, I have learned some easy-to-follow steps that make the process of auditing IT security easier for everyone involved.

Change your attitude

Most IT employees have little respect for the IT security auditor. And, not surprisingly, auditors don't like to work with IT because of their poor attitude.

This poor attitude that IT has toward security auditors is unprofessional and counterproductive. Auditors are only doing their jobs, which helps protect a company from attacks and regulatory fines. It is best for the IT staff to help an auditor learn as much about the security of the company's networks as possible, so the overall result is improved every time an audit is performed.

Make the time

Auditors often tell me that the IT staff does not make the time to perform a good analysis of network security, which forces repeated rounds of data collection. If the IT staff would simply gather the key information initially, the overall process would be shorter. It is like the old "measure twice, cut once" philosophy. If IT gathers the information correctly the first time, by double-checking its work, the overall process will be less time consuming.

Let technology work for you

With Windows in your enterprise, you have a lot of technology that can help you maintain a secure environment that will remain consistent between audits. A consistent security environment will dramatically reduce the time required to perform subsequent audits.

Some key technology practices you need to have in place include:

  • Delegation of administration for Active Directory, Group Policy, data management and so on
  • Use of Group Policy to establish and maintain security
  • Use of Least-Privilege User Account (LUA) to keep users from being local administrators on their desktops
  • Implementation of security templates to establish baseline security for servers, domain controllers and desktops
  • Methodology for desktop deployment using simple images
  • Post image installation technologies that install software, configure operating system settings and format the user's profile automatically (and change these settings when a user moves from one organizational unit to another)
  • Software and scripts that help document change management for all security-related aspects within Active Directory, Group Policy and deployment
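One way to produce the kind of evidence the LUA and change-documentation items above call for, as an added example that is not part of the original article: a PowerShell script that collects local Administrators membership from a set of desktops, flags entries outside an approved baseline, and writes a dated CSV an auditor can review. The computer names and the approved list are constructed placeholders; it assumes PowerShell 5.1 or later on each host, WinRM enabled, and rights to query the targets.

```powershell
# Added example (not from the article): gather local Administrators membership
# as audit evidence of LUA enforcement and flag accounts outside the baseline.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember) and WinRM on every target.

$Computers = @('DESKTOP-01', 'DESKTOP-02')      # placeholders; replace with Get-ADComputer output
$ApprovedAdmins = @(
    'CONTOSO\Domain Admins',                    # placeholder domain group
    'CONTOSO\Desktop-Support'                   # placeholder delegated support group
)

# Runs on each target; one record per member of the local Administrators group
$Evidence = Invoke-Command -ComputerName $Computers -ErrorAction Continue -ScriptBlock {
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        [pscustomobject]@{
            Computer    = $env:COMPUTERNAME
            Member      = $_.Name
            ObjectClass = $_.ObjectClass        # User or Group
            Source      = $_.PrincipalSource    # Local or ActiveDirectory
            SID         = $_.SID.Value
            Collected   = (Get-Date).ToString('s')
        }
    }
}

# The built-in local Administrator account has RID 500 on every machine, so it is
# matched by SID rather than by name; everything else must be on the approved list.
$Report = $Evidence | Select-Object Computer, Member, ObjectClass, Source, SID, Collected,
    @{ Name = 'Approved'; Expression = {
        ($ApprovedAdmins -contains $_.Member) -or ($_.SID -like '*-500') } }

# Dated CSV becomes the artifact handed to the auditor
$Report | Export-Csv -Path ".\LocalAdmins-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Summary of the exceptions IT needs to explain or remediate
$Exceptions = @($Report | Where-Object { -not $_.Approved })
"{0} computers checked, {1} unapproved local administrator entries" -f $Computers.Count, $Exceptions.Count
$Exceptions | Format-Table Computer, Member, ObjectClass, Source -AutoSize
```

Running it on the same schedule as the audits, and keeping the CSVs, gives a change history of local administrator membership rather than a single snapshot.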

Make it easier on yourself

Working with IT security auditors is not difficult; it is just a mindset. The task must be done, so there is nothing to be gained by whining about it. Changing your attitude is the first step toward making the interaction a positive one. The next step, taking the time to determine what information the security auditor will require, can go a long way. Finally, as IT professionals, we need to start using technology that makes our jobs easier and more efficient. There are plenty of technologies and tools that can help you achieve this goal within a Windows environment.

10 tips in 10 minutes: Windows IT management

  Tip 1: The long-range plan for 64-bit hardware
  Tip 2: A Window into interoperability
  Tip 3: Third-party software: Do you need it?
  Tip 4: Buy 64-bit now; you won't regret it
  Tip 5: Maintaining a secure Active Directory network
  Tip 6: Firewalls can help or hurt, so plan carefully
  Tip 7: Weak passwords can make your company vulnerable
  Tip 8: Keys to finalizing your Active Directory migration
  Tip 9: Network safety relies on reaction time to Patch Tuesday
  Tip 10: Make friends with your security auditors

Derek Melber, MCSE, MVP and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore, and he also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at
