IT Audits - anyone know much about these?

Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

Would be for a school.

Typically what would an audit cover, how long would it take and what kind of reporting would it provide back? I understand there are non-invasive and invasive style as well.

Any expertise of this sort of thing in here? :eh:
JM2K6
Posts: 10127
Joined: Wed Jul 01, 2020 10:43 am

I don't remember the specifics of our last one but off the top of my head I'd expect an IT audit to cover some or all of this:

- Software licenses
- Software and OS patching / updates policies
- User & group security policies
- Antivirus
- Asset management (i.e. is every bit of hardware given a unique identifier and tracked somewhere)
- Backups and disaster recovery policies / business continuity
- Mobile device security policies
- Standards compliance (no idea what standards would be relevant here)
- Any outsourcing of management or IT infrastructure ("Network dependency")
- Any e-commerce stuff (wouldn't be relevant here I expect)
- GDPR stuff for sensitive data handling
- Details of various network security things, i.e. do you have a data protection officer, a chief privacy officer or CIO, do you do regular reviews of security policies and user accounts, how do you handle contractors and guests, what firewalls and other access control items do you have, what encryption do you use
- Privacy policy stuff (do you have it viewable online, has it been reviewed by a lawyer, does it adhere to standards, how do you store your personal data, etc)
- Last few years history of outages, interruptions, compromised data, etc

re: Invasive, I guess that means things like penetration testing and the like, which can be a pain in the arse. Documentation & written policies will cover a lot of the audit I'd expect.
Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

Shit.

Quite a comprehensive bit of work by the looks of it. Is much of that a box ticking exercise or does it require more forensic investigation to find and/or cross-reference against written/verbal statements about what has or hasn't been done?

Basically, the IT at my kid's school is, we suspect, a bit of a shambles. There is an external IT company that comes in every couple of weeks but I don't know what he does, maybe he just does Windows updates for a few hours then leaves, no idea. There is a job logger to report any problems. Not even sure if the school has an up to date asset register but even a small primary school has quite a bit of IT kit, must be at least 40 desktops, 30 laptops, iPads, Chromebooks and there's a server room.

Would an IT audit include a device/asset count?
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

What does the statement of work say? An IT audit is such a broad subject and can pretty much mean anything.

With any audit, the most important thing is to nail that; if you don't, they could go places you really don't want them to go.
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

JM2K6 wrote: Tue May 17, 2022 1:53 pm I don't remember the specifics of our last one but off the top of my head I'd expect an IT audit to cover some or all of this:

- Software licenses
- Software and OS patching / updates policies
- User & group security policies
- Antivirus
- Asset management (i.e. is every bit of hardware given a unique identifier and tracked somewhere)
- Backups and disaster recovery policies / business continuity
- Mobile device security policies
- Standards compliance (no idea what standards would be relevant here)
- Any outsourcing of management or IT infrastructure ("Network dependency")
- Any e-commerce stuff (wouldn't be relevant here I expect)
- GDPR stuff for sensitive data handling
- Details of various network security things, i.e. do you have a data protection officer, a chief privacy officer or CIO, do you do regular reviews of security policies and user accounts, how do you handle contractors and guests, what firewalls and other access control items do you have, what encryption do you use
- Privacy policy stuff (do you have it viewable online, has it been reviewed by a lawyer, does it adhere to standards, how do you store your personal data, etc)
- Last few years history of outages, interruptions, compromised data, etc

re: Invasive, I guess that means things like penetration testing and the like, which can be a pain in the arse. Documentation & written policies will cover a lot of the audit I'd expect.
No single audit would ever cover that much.
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee :grin:
JM2K6
Posts: 10127
Joined: Wed Jul 01, 2020 10:43 am

ASMO wrote: Tue May 17, 2022 2:41 pm
JM2K6 wrote: Tue May 17, 2022 1:53 pm I don't remember the specifics of our last one but off the top of my head I'd expect an IT audit to cover some or all of this:

- Software licenses
- Software and OS patching / updates policies
- User & group security policies
- Antivirus
- Asset management (i.e. is every bit of hardware given a unique identifier and tracked somewhere)
- Backups and disaster recovery policies / business continuity
- Mobile device security policies
- Standards compliance (no idea what standards would be relevant here)
- Any outsourcing of management or IT infrastructure ("Network dependency")
- Any e-commerce stuff (wouldn't be relevant here I expect)
- GDPR stuff for sensitive data handling
- Details of various network security things, i.e. do you have a data protection officer, a chief privacy officer or CIO, do you do regular reviews of security policies and user accounts, how do you handle contractors and guests, what firewalls and other access control items do you have, what encryption do you use
- Privacy policy stuff (do you have it viewable online, has it been reviewed by a lawyer, does it adhere to standards, how do you store your personal data, etc)
- Last few years history of outages, interruptions, compromised data, etc

re: Invasive, I guess that means things like penetration testing and the like, which can be a pain in the arse. Documentation & written policies will cover a lot of the audit I'd expect.
No single audit would ever cover that much.
I did say some - but we had an audit that covered pretty much all of this IIRC
JM2K6
Posts: 10127
Joined: Wed Jul 01, 2020 10:43 am

Kawazaki wrote: Tue May 17, 2022 2:23 pm Shit.

Quite a comprehensive bit of work by the looks of it. Is much of that a box ticking exercise or does it require more forensic investigation to find and/or cross-reference against written/verbal statements about what has or hasn't been done?

Basically, the IT at my kid's school is, we suspect, a bit of a shambles. There is an external IT company that comes in every couple of weeks but I don't know what he does, maybe he just does Windows updates for a few hours then leaves, no idea. There is a job logger to report any problems. Not even sure if the school has an up to date asset register but even a small primary school has quite a bit of IT kit, must be at least 40 desktops, 30 laptops, iPads, Chromebooks and there's a server room.

Would an IT audit include a device/asset count?
I would expect it to! ASMO can say for sure as this is apparently his specific area of knowledge, but knowing what kit you've got, where it is, and who has access to it is fairly standard stuff.
Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

ASMO wrote: Tue May 17, 2022 3:35 pm As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee :grin:


That's handy! Do we have DMs in here? :shifty:
vball
Posts: 341
Joined: Tue Jun 30, 2020 8:36 am
Location: The Highlands of Scotland

It also depends on who the auditing body is. If it is somebody like the FDA, IT is part of the overall audit. The FDA would not specifically target IT (and auditors are there to help you ... oh yeah). Plenty of experience with this sort of audit as I worked in healthcare manufacturing.
If it is a financial audit, it will be more aligned to money: how it is forecasted, spent, and proving it was spent on what it was said it was. Think Sarbanes-Oxley.
Romans said ....Illegitimi non carborundum --- Today we say .. WTF
sefton
Posts: 811
Joined: Mon Jun 29, 2020 8:00 pm

I'm starting at a new Multi Academy Trust in July once the exams are completed, and one of my initial responsibilities is to look at the IT provision across the 10 schools and come up with an improvement plan. I'm expecting to find some serious underinvestment. Fortunately I'll have a nice budget.
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

vball wrote: Tue May 17, 2022 4:20 pm It also depends on who the auditing body is. If it is somebody like the FDA, IT is part of the overall audit. The FDA would not specifically target IT (and auditors are there to help you ... oh yeah). Plenty of experience with this sort of audit as I worked in healthcare manufacturing.
If it is a financial audit, it will be more aligned to money: how it is forecasted, spent, and proving it was spent on what it was said it was. Think Sarbanes-Oxley.
SOX is more about governance and controls of finance, primarily focused on fraud.
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

Kawazaki wrote: Tue May 17, 2022 3:45 pm
ASMO wrote: Tue May 17, 2022 3:35 pm As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee :grin:


That's handy! Do we have DMs in here? :shifty:
You in the UK? If so I can give you my mobile number and I'm happy to have a chat. If not we can use WhatsApp; let me know and I can message you my number.
Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

ASMO wrote: Wed May 18, 2022 8:50 am
Kawazaki wrote: Tue May 17, 2022 3:45 pm
ASMO wrote: Tue May 17, 2022 3:35 pm As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee :grin:


That's handy! Do we have DMs in here? :shifty:
You in the UK? If so I can give you my mobile number and I'm happy to have a chat. If not we can use WhatsApp; let me know and I can message you my number.


Email I used for this place was a burner I think.

Here's another burner email you can send your number to, and I'll send you a text so you have my number. 👍🏻

wadapow440@cupbest.com
JM2K6
Posts: 10127
Joined: Wed Jul 01, 2020 10:43 am

For some clarification, the audit stuff I mentioned was probably influenced by needing to adhere to standards from various international government agencies (no, not the sexy spy ones) and multinational corporations, despite us being an SME. I think I probably rolled some of our insurance stuff in there too.

It'll be some old geezer checking your wires and asking to see the Windows 98 CD.
Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

ASMO wrote: Wed May 18, 2022 8:50 am
Kawazaki wrote: Tue May 17, 2022 3:45 pm
ASMO wrote: Tue May 17, 2022 3:35 pm As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee :grin:



That's handy! Do we have DMs in here? :shifty:
You in the UK? If so I can give you my mobile number and I'm happy to have a chat. If not we can use WhatsApp; let me know and I can message you my number.

ASMO - have you sent your contact details? Number ends ********879?

Just making sure it's you before I reply! :lol:
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

Yep, that's me and not OS's Grindr number.
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

I am free this evening if you want to call.
JM2K6
Posts: 10127
Joined: Wed Jul 01, 2020 10:43 am

First MissI, now Toga. You do have a type
ASMO
Posts: 5615
Joined: Mon Jun 29, 2020 6:08 pm

JM2K6 wrote: Wed May 18, 2022 4:32 pm First MissI, now Toga. You do have a type
I have found over the years that for the vast majority whom I have met, their online persona and real-life one are miles apart. There are exceptions of course: Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless.
Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

ASMO wrote: Wed May 18, 2022 4:25 pm I am free this evening if you want to call.


Ok cheers, I'll call after 8 if that's ok, as I've got some kids' stuff to do first, or I can call tomorrow if you have a gap?

I'll ping over my phone number now...
SaintK
Posts: 7414
Joined: Tue Jun 30, 2020 7:49 am
Location: Over there somewhere

ASMO wrote: Wed May 18, 2022 4:41 pm
JM2K6 wrote: Wed May 18, 2022 4:32 pm First MissI, now Toga. You do have a type
I have found over the years that for the vast majority whom I have met, their online persona and real-life one are miles apart. There are exceptions of course: Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless.
Toga must be a nice chap... he bought me several beers when he visited my club :thumbup:
Kawazaki
Posts: 5281
Joined: Tue Jun 30, 2020 8:25 am

SaintK wrote: Wed May 18, 2022 4:54 pm
ASMO wrote: Wed May 18, 2022 4:41 pm
JM2K6 wrote: Wed May 18, 2022 4:32 pm First MissI, now Toga. You do have a type
I have found over the years that for the vast majority whom I have met, their online persona and real-life one are miles apart. There are exceptions of course: Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless.
Toga must be a nice chap... he bought me several beers when he visited my club :thumbup:


One of the last games I played, 2nd or 3rds wasn't it? :thumbup:
SaintK
Posts: 7414
Joined: Tue Jun 30, 2020 7:49 am
Location: Over there somewhere

Kawazaki wrote: Wed May 18, 2022 5:17 pm
SaintK wrote: Wed May 18, 2022 4:54 pm
ASMO wrote: Wed May 18, 2022 4:41 pm

I have found over the years that for the vast majority whom I have met, their online persona and real-life one are miles apart. There are exceptions of course: Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless.
Toga must be a nice chap... he bought me several beers when he visited my club :thumbup:


One of the last games I played, 2nd or 3rds wasn't it? :thumbup:
Reckon you retired a few years before
Promotion play off. We just did enough to win but only managed to stay up for 2 seasons :cry: