General Requests
List any general requests you have about the second edition here:
- Chapter: name or "all"
- Your name:
- Issue: blah blah blah
Audit is not evil
Having moved from the role of a sysadmin to an IT Auditor over the past 2 years, I think that TPOSANA needs a section on the corporate audit function in general. Especially with the days of more and more regulatory requirements (Privacy, Financial Reporting, etc.), the worlds of audit and operations come together much more frequently. I find that audits often start out as head-to-head battles with operations folks, because they're not used to dealing with auditors; after a few weeks, they finally end up seeing us more as a business partner.
WE WANT THE SAME THINGS. Secure environments. Available environments. Reliable environments. Environments where you can see who/what mucked it up, so you can prevent the same problem from happening later on (by process change or re-education).
And yes, I know for every good IT Auditor out there, there's a bone-headed one, stating that "SOX requires you to have different admin passwords on each box" and other bogus claims. Just remember -
we're not all evil.
--
MariusStrom - 17 Aug 2006
Just a thought; would an extended section in 7.1.5 about "Auditor" work? I've already suggested adding a "Risk Management" role there.
Unfortunately the "audit" role is frequently used as a hammer by management to get things done (upper management tells a line-of-business 'Do XYZ or audit will fail you and you'll be fined and that'll affect your department profits so your bonus will be hit'), and this doesn't help the audit department get a good reputation. The words "audit failure" are now all that's needed in my place to make people take note and think seriously about things (stuff they should be thinking about, anyway!) However, I've seen this more at a LOB management level; the ops guys work for the business and know the failures and have reported them to management, so the ops guys don't care what Audit thinks; it's not their problem.
However, your idea does lead to another thought... a chapter based on the different people an SA interacts with. The book has mainly focused on the customer, but mentioned stuff spread over the book (eg management, engineering teams, security teams, audit, law enforcement). Perhaps a chapter or an appendix summarizing the expected contacts and how the interaction between the SA and those roles can be planned would be a good idea.
Oh, PS: Tom, if you don't want discussion like this between us reviewers then lemme know and I'll keep my mouth shut
--
StephenHarris - 17 Aug 2006
Decommissioning
Another section to add somewhere, maybe. At least I haven't noticed this so far. Process for decommissioning a server, and in particular handling of data destruction. What do you do with those disks that have confidential information on them? How do you ensure they have no recoverable data on them before disposal? You sure don't want customer credit card information to be found on a disk recovered from dumpster diving, or even worse from a PC shipped to Nigeria!
http://news.bbc.co.uk/1/hi/business/4790293.stm
--
StephenHarris - 18 Aug 2006