Friday, May 14, 2010

Tips for auditors

I let this awesome post on the SANS blog pass without saying anything about it here. It lists 10 tips for IT auditors, and in my opinion it nails the key issues I generally have with auditors. Some of the best pieces:

  • Trying to find everything is often a mistake
  • Auditing is never about catching people doing things wrong
  • The primary role of an auditor is to measure and report on risk to the business and business objectives

I really like the last one. It's a perfect reminder for those auditors who work with a checklist mindset and don't understand that a non-ticked box doesn't necessarily translate into a risk to the business or something that goes against its objectives. If they could take only one of these tips with them, this one is the most important. The job of security professionals would be much easier if we could work with auditors who understand that.