If you don't know how to report a security violation, but would ask your boss if you encountered one, just say so. And, if you are prepared to say who you would report a violation to if your boss was unavailable, so much the better.
Don't take an audit as an opportunity to criticize your boss, your coworkers, or your company. Doing so is likely to have repercussions that you won't like.
Don't criticize the audit process itself or argue with the auditors. Just make sure your answers are clear and move on.
And if that auditor hasn't quite turned your doorknob yet, ask yourself the following kinds of questions to be better prepared:
Where are the security policies that you're working under? Are they accessible to you? Do you know how to find them?
Which policies apply to the work you specifically do? Are you aware of their major clauses and requirements?
Where are records kept that show how you comply with your policies? Do you keep records that demonstrate, for example, when accounts are reviewed or disabled?
Can you provide records that show that accounts on the systems you manage have been properly authorized?
What is your policy on password aging (if you have one)? Can you demonstrate that it's in use?
How often do you patch your systems? Do you keep a log showing when this work is done?
How do you assess your systems for vulnerabilities? Do you retain scan reports? Do you follow up by addressing the vulnerabilities?
How often do you review log files for evidence of problems? How long do you retain log files? Do your policies address this?
How do you control root or other administrative access to your systems?
The questions you should be asking yourself can be derived from the security policies that govern your organization and your role within that organization. The list above is probably a good start, but there may be many others that you can add to it. Once you know what's required of you and can show that you meet those requirements, being visited by the auditor will feel more like a friendly chat than an interrogation.
Read more of Sandra Henry-Stocker's Unix as a Second Language blog and follow the latest IT news (http://www.itworld.com/news) at ITworld, Twitter and Facebook.