Preparing for an audit


Hi all,

I work as the infrastructure admin for a company in the UK, with our sister company in the States. We are both owned by a holding/investment company.

The US IT dept have just given us a heads up that they are having an audit by the company owners / investment organisation, and as such we're probably going to have one too.

Which brings me on to my question / plea for help... I don't actually know what to do in terms of preparation. I've only been with the company for 2 months, and to be honest our DR facilities are non-existent, licensing is screwed and we have an 8-year-old firewall. Oh, and all remote users (40 or so) and site-to-site VPNs are PPTP on Windows 2000 Servers.....

But, I have been informed that the auditors are more "change management consultants" (makes you want to be sick doesn't it!), so I doubt they are looking at techy stuff, but more the paperwork.

Anyone have any ideas what exactly they are looking for? I've got a reasonable network diagram, we're already looking into a new firewall (have a lovely "on-loan" Juniper on my desk!) and our licensing has just been signed off. We do have a basic change management procedure in place that goes back around about 4-5 months, as well as having service management reports (when stuff breaks.)

Any suggestions / ideas what else we can do?

Cheers,

Steve.

Prepare yourself for what is called a SOX audit.

Document the following:

Network, System, OS, User configuration (include diagrams)

Security (user account access, user rights, security logs, account request, audit of user rights)

Standard (OS, patches, systems rights, User, VPN)

These are just the basics, but would go a long way to having the bases covered.

SOX? As in Sarbanes-Oxley? I thought that was only for money related stuff. Where I used to work, stuff that involved money like ads, shopping carts & checkout, credit card processing, etc has to be documented (and probably audited) with SOX in mind, but everything else didn't. If the company he works for's network has nothing to do with money, does SOX come into play?
