[Dshield] Query on win2k security

Justin S jgs316 at gmail.com
Wed Dec 14 14:41:08 GMT 2005

On 12/14/05, Faber, Sidney wrote:
> Second, a general comment on audits:
> Just because an auditor has a finding, it doesn't necessarily mean the
> finding is justified.  Good auditors will discuss the finding with you
> before they put it in writing, and strive to understand what's going on.
> They should be working off of a specific line item, a particular control
> that they want to see in place.  Try to find the control and what they
> feel is missing.  Try to show them any other controls you have in place
> to mitigate the issue.  And if you can't get an understanding, then just
> be assertive in your response.  Quote current industry standards from
> CIS, NIS and Microsoft in your response to their findings, so that when
> senior management review the finding, they can tell that it's bogus.

Responding to auditors and examiners is becoming almost a full-time job.
One thing to try and remember is that you can never eliminate all risks, but
you do have to be aware of them.  It may be as simple as doing a "risk
assessment", and writing a policy that states something like "this is the
risk, this is what we do to limit it, but it is an acceptable business risk
or we don't have the resources to effectively eliminate it".  I wouldn't use
that exact wording though :-)

If you were going to actually 100% eliminate all risks, you would have to
unplug the internet connection, and not let anybody use the computers.  Even
if you can't eliminate a risk, you need to be aware that it exists.
