Everyone in IT knows the word – Audit. But, after years in this industry, and speaking with countless IT folks, it is apparent that not everyone has the same definition. For some, it means checking the current state of security. For others, it’s a review of a maintained log of changes over a period of time. And for still others, it’s a review of the defined standards (that is, without actually looking at whether those standards are properly implemented).
So, is there a “correct” definition of an audit?
I like to use the most everyday use of the term audit to find some common ground that we all can agree on – an IRS audit. We all either know first-hand or get what the IRS is doing – they are examining your submitted tax records and validating them. In essence, the IRS is providing an external review of that which you believe to be true. And they don’t just take your word on it; they cross-reference all the forms from external sources – like your W-2, 1099s, a year-end mortgage interest statement, etc. – all to corroborate your “story”.
IT audits should be looked at the same way. You need an external review of what you believe to be the state of changes and security. Otherwise, you’re just fooling yourself into believing that your network is, and has been, secure and without incident.
So, what constitutes an external review? Does it mean that you absolutely must hire an independent auditor? Or some security expert with their set of best practices? Not necessarily. In fact, “external” is relative to that which you believe to be true. It means that if you rely on, say, a change log of some kind (which represents the list of what you believe has happened on your network), you need a second, independent source of evidence to corroborate that every change was actually logged – and that nothing logged is fiction.
And once that’s verified, someone needs to go through it in detail to validate the ever-changing state of your security and environment. In fact, if every change to configurations, security, and policies is documented, finding just about any answer an auditor can conceive of should be a fairly easy task (because the answers are there).
Without changing your definition, you’ll fall into the same pattern of reassuring yourself that everything’s been documented, and feel little need to ensure your environment is properly configured and secure.
In this webinar, I’ll discuss more on how to properly define auditing, what kinds of detail auditors require so you can successfully pass an audit, and what kind of expectation you should have when it comes to proper time frame to address audits – all when using a 2.0 definition of an IT Audit.
Nick Cavalancia, Founder/Chief, Techvangelism
Nick Cavalancia has over 20 years of enterprise IT experience, 10 years as a tech marketing executive and is an accomplished technology writer, consultant, trainer, speaker, and columnist.
Nick has attained industry certifications including MCNE, MCNI, MCSE and MCT and was once accused at TechEd of "not having enough digits" in his MCP number (which only has 5). He has authored, co-authored and contributed to over a dozen books on Windows, Active Directory, Exchange and other Microsoft technologies and has spoken at many technical conferences on a wide variety of topics.
Previously, Nick has held executive marketing positions at ScriptLogic (acquired by Quest, now DELL Software), SpectorSoft and Netwrix where he was responsible for the global messaging, branding, lead generation and demand generation strategies to market technology solutions to an IT-centric customer base.