Quocirca saw an estimate recently that IT security managers can spend as much as 30% of their time preparing for and delivering audits. This is mundane and uninteresting work and if it can be automated – all the better. However, recent Quocirca research, sponsored by sys-admin tools vendor Osirium, shows that less than 20% of organisations fully automate the gathering of data for audits and less than 10% automate the remediation of audit gaps.
What’s more, over 70% admitted that in some cases system administrators (sys-admins) made informal, uncontrolled changes to sys-admin procedures immediately prior to audits in order to meet the audit requirements, which then lapse following the audit, with 8% saying this was a regular practice. Obviously, this is extremely bad practice; if auditors uncovered the fact the procedures had been temporarily changed to satisfy them, then the audit would surely be failed anyway?
Osirium has published the research and some suggestions for achieving better practices as the first of its Alpha Files, a series of short reports on sys-admin, privileged user management and auditing practices. Quocirca will be publishing a new free report later in 2011 that will detail and analyse in detail all the new research.