IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 1:24 pm
by Kawazaki
Would be for a school.
Typically what would an audit cover, how long would it take and what kind of reporting would it provide back? I understand there are non-invasive and invasive style as well.
Any expertise of this sort of thing in here?

Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 1:53 pm
by JM2K6
I don't remember the specifics of our last one but off the top of my head I'd expect an IT audit to cover some or all of this:
- Software licenses
- Software and OS patching / updates policies
- User & group security policies
- Antivirus
- Asset management (i.e. is every bit of hardware given a unique identifier and tracked somewhere)
- Backups and disaster recovery policies / business continuity
- Mobile device security policies
- Standards compliance (no idea what standards would be relevant here)
- Any outsourcing of management or IT infrastructure ("Network dependency")
- Any e-commerce stuff (wouldn't be relevant here I expect)
- GDPR stuff for sensitive data handling
- Details of various network security things, i.e. do you have a data protection officer, a chief privacy officer or CIO, do you do regular reviews of security policies and user accounts, how do you handle contractors and guests, what firewalls and other access control items do you have, what encryption do you use
- Privacy policy stuff (do you have it viewable online, has it been reviewed by a lawyer, does it adhere to standards, how do you store your personal data, etc)
- Last few years history of outages, interruptions, compromised data, etc
re: Invasive, I guess that means things like penetration testing and the like, which can be a pain in the arse. Documentation & written policies will cover a lot of the audit I'd expect.
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 2:23 pm
by Kawazaki
Shit.
Quite a comprehensive bit of work by the looks of it. Is much of that a box ticking exercise or does it require more forensic investigation to find and/or cross-reference against written/verbal statements about what has or hasn't been done?
Basically, the IT at my kid's school is, we suspect, a bit of a shambles. There is an external IT company that comes in every couple of weeks but I don't know what he does, maybe he just does Windows updates for a few hours then leaves, no idea. There is a job logger to report any problems. Not even sure if the school has an up to date asset register but even a small primary school has quite a bit of IT kit, must be at least 40 desktops, 30 laptops, iPads, Chromebooks and there's a server room.
Would an IT audit include a device/asset count?
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 2:41 pm
by ASMO
What does the statement of work say? An IT audit is such a broad subject and can pretty much mean anything.
With any audit, the most important thing is to nail that; if you don't, they could go places you really don't want them to go.
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 2:41 pm
by ASMO
JM2K6 wrote: Tue May 17, 2022 1:53 pm
I don't remember the specifics of our last one but off the top of my head I'd expect an IT audit to cover some or all of this:
- Software licenses
- Software and OS patching / updates policies
- User & group security policies
- Antivirus
- Asset management (i.e. is every bit of hardware given a unique identifier and tracked somewhere)
- Backups and disaster recovery policies / business continuity
- Mobile device security policies
- Standards compliance (no idea what standards would be relevant here)
- Any outsourcing of management or IT infrastructure ("Network dependency")
- Any e-commerce stuff (wouldn't be relevant here I expect)
- GDPR stuff for sensitive data handling
- Details of various network security things, i.e. do you have a data protection officer, a chief privacy officer or CIO, do you do regular reviews of security policies and user accounts, how do you handle contractors and guests, what firewalls and other access control items do you have, what encryption do you use
- Privacy policy stuff (do you have it viewable online, has it been reviewed by a lawyer, does it adhere to standards, how do you store your personal data, etc)
- Last few years history of outages, interruptions, compromised data, etc
re: Invasive, I guess that means things like penetration testing and the like, which can be a pain in the arse. Documentation & written policies will cover a lot of the audit I'd expect.
No single audit would ever cover that much.
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 3:35 pm
by ASMO
As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee.

Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 3:42 pm
by JM2K6
ASMO wrote: Tue May 17, 2022 2:41 pm
JM2K6 wrote: Tue May 17, 2022 1:53 pm
I don't remember the specifics of our last one but off the top of my head I'd expect an IT audit to cover some or all of this:
- Software licenses
- Software and OS patching / updates policies
- User & group security policies
- Antivirus
- Asset management (i.e. is every bit of hardware given a unique identifier and tracked somewhere)
- Backups and disaster recovery policies / business continuity
- Mobile device security policies
- Standards compliance (no idea what standards would be relevant here)
- Any outsourcing of management or IT infrastructure ("Network dependency")
- Any e-commerce stuff (wouldn't be relevant here I expect)
- GDPR stuff for sensitive data handling
- Details of various network security things, i.e. do you have a data protection officer, a chief privacy officer or CIO, do you do regular reviews of security policies and user accounts, how do you handle contractors and guests, what firewalls and other access control items do you have, what encryption do you use
- Privacy policy stuff (do you have it viewable online, has it been reviewed by a lawyer, does it adhere to standards, how do you store your personal data, etc)
- Last few years history of outages, interruptions, compromised data, etc
re: Invasive, I guess that means things like penetration testing and the like, which can be a pain in the arse. Documentation & written policies will cover a lot of the audit I'd expect.
No single audit would ever cover that much.
I did say some - but we had an audit that covered pretty much all of this IIRC
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 3:43 pm
by JM2K6
Kawazaki wrote: Tue May 17, 2022 2:23 pm
Shit.
Quite a comprehensive bit of work by the looks of it. Is much of that a box ticking exercise or does it require more forensic investigation to find and/or cross-reference against written/verbal statements about what has or hasn't been done?
Basically, the IT at my kid's school is, we suspect, a bit of a shambles. There is an external IT company that comes in every couple of weeks but I don't know what he does, maybe he just does Windows updates for a few hours then leaves, no idea. There is a job logger to report any problems. Not even sure if the school has an up to date asset register but even a small primary school has quite a bit of IT kit, must be at least 40 desktops, 30 laptops, iPads, Chromebooks and there's a server room.
Would an IT audit include a device/asset count?
I would expect it to! ASMO can say for sure as this is apparently his specific area of knowledge, but knowing what kit you've got, where it is, and who has access to it is fairly standard stuff.
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 3:45 pm
by Kawazaki
ASMO wrote: Tue May 17, 2022 3:35 pm
As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee.
That's handy! Do we have DMs in here?

Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 4:20 pm
by vball
It also depends on who are the auditing body. If it is somebody like FDA, IT is part of the overall audit. The FDA would not specifically target (and auditors are there to help you ... oh yeah). Plenty of experience with this sort of audit as I worked in healthcare manufacturing.
If it is a financial audit, it will be more aligned to money, how it is forecasted, spent and proving it was spent on what it was said it was. Think Sarbanes Oxley.
Re: IT Audits - anyone know much about these?
Posted: Tue May 17, 2022 6:33 pm
by sefton
I’m starting at a new Multi Academy Trust in July once the exams are completed and one of my initial responsibilities is to look at the IT provision across the 10 schools and come up with an improvement plan. I’m expecting to find some serious underinvestment. Fortunately I’ll have a nice budget.
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 8:49 am
by ASMO
vball wrote: Tue May 17, 2022 4:20 pm
It also depends on who are the auditing body. If it is somebody like FDA, IT is part of the overall audit. The FDA would not specifically target (and auditors are there to help you ... oh yeah). Plenty of experience with this sort of audit as I worked in healthcare manufacturing.
If it is a financial audit, it will be more aligned to money, how it is forecasted, spent and proving it was spent on what it was said it was. Think Sarbanes Oxley.
SOX is more about governance and controls of finance, primarily focused on fraud.
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 8:50 am
by ASMO
Kawazaki wrote: Tue May 17, 2022 3:45 pm
ASMO wrote: Tue May 17, 2022 3:35 pm
As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee.
That's handy! Do we have DMs in here?
You in the UK? If so I can give you my mobile number and happy to have a chat. If not we can use WhatsApp, let me know and I can message you my number.
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 8:57 am
by Kawazaki
ASMO wrote: Wed May 18, 2022 8:50 am
Kawazaki wrote: Tue May 17, 2022 3:45 pm
ASMO wrote: Tue May 17, 2022 3:35 pm
As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee.
That's handy! Do we have DMs in here?
You in the UK? If so I can give you my mobile number and happy to have a chat. If not we can use WhatsApp, let me know and I can message you my number.
Email I used for this place was a burner I think.
Here's another burner email you can send your number and I'll send you a text so you have my number.
wadapow440@cupbest.com
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 12:28 pm
by JM2K6
For some clarification, the audit stuff I mentioned was probably influenced by needing to adhere to standards from various international government agencies (no, not the sexy spy ones) and multinational corporations, despite us being an SME. I think I probably rolled some of our insurance stuff in there too.
It'll be some old geezer checking your wires and asking to see the Windows 98 CD.
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 1:35 pm
by Kawazaki
ASMO wrote: Wed May 18, 2022 8:50 am
Kawazaki wrote: Tue May 17, 2022 3:45 pm
ASMO wrote: Tue May 17, 2022 3:35 pm
As an aside, I have participated in literally hundreds of these of varying sizes over the course of my career, both as an auditor and an auditee.
That's handy! Do we have DMs in here?
You in the UK? If so I can give you my mobile number and happy to have a chat. If not we can use WhatsApp, let me know and I can message you my number.
ASMO - have you sent your contact details? Number ends ********879?
Just making sure it's you before I reply!

Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 4:14 pm
by ASMO
Yep, that's me and not OS's Grindr number
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 4:25 pm
by ASMO
I am free this evening if you want to call.
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 4:32 pm
by JM2K6
First MissI, now Toga. You do have a type
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 4:41 pm
by ASMO
JM2K6 wrote: Wed May 18, 2022 4:32 pm
First MissI, now Toga. You do have a type
I have found over the years that for the vast majority whom I have met, their online persona and real life ones are miles apart. There are exceptions of course, Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless

Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 4:49 pm
by Kawazaki
ASMO wrote: Wed May 18, 2022 4:25 pm
I am free this evening if you want to call.
Ok cheers, I'll call after 8 if ok as got some kids stuff to do first or can call tomorrow if you have a gap?
I'll ping over my phone number now...
Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 4:54 pm
by SaintK
ASMO wrote: Wed May 18, 2022 4:41 pm
JM2K6 wrote: Wed May 18, 2022 4:32 pm
First MissI, now Toga. You do have a type
I have found over the years that for the vast majority whom I have met, their online persona and real life ones are miles apart. There are exceptions of course, Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless
Toga must be a nice chap.....he bought me several beers when he visited my club

Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 5:17 pm
by Kawazaki
SaintK wrote: Wed May 18, 2022 4:54 pm
ASMO wrote: Wed May 18, 2022 4:41 pm
JM2K6 wrote: Wed May 18, 2022 4:32 pm
First MissI, now Toga. You do have a type
I have found over the years that for the vast majority whom I have met, their online persona and real life ones are miles apart. There are exceptions of course, Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless
Toga must be a nice chap.....he bought me several beers when he visited my club
One of the last games I played, 2nd or 3rds wasn't it?

Re: IT Audits - anyone know much about these?
Posted: Wed May 18, 2022 6:00 pm
by SaintK
Kawazaki wrote: Wed May 18, 2022 5:17 pm
SaintK wrote: Wed May 18, 2022 4:54 pm
ASMO wrote: Wed May 18, 2022 4:41 pm
I have found over the years that for the vast majority whom I have met, their online persona and real life ones are miles apart. There are exceptions of course, Seft is a Scouse git in real life, Yeeb was Yeeb, and a few others who shall remain nameless
Toga must be a nice chap.....he bought me several beers when he visited my club
One of the last games I played, 2nd or 3rds wasn't it?
Reckon you retired a few years before
Promotion play off. We just did enough to win but only managed to stay up for 2 seasons
