Shooting the breeze with an old colleague recently, with whom we're about to start some serious work. He's just not sure of the timing as yet because he needs to "clear" one of those IT "audits" that are performed as part of the yearly financial audit by some Big guys. You know the ones.
He can't start on serious security review and testing until he's fixed up some major issues identified by them, like his IT Security Policy not being aligned to the latest revision of 27001, 7799, whatever, etc. etc., plus a few other major issues such as password lengths on some non-critical systems that few people use. It doesn't matter whether the policies themselves are actually being complied with, so he's going to be able to clear that point by creating a bit of policy documentation that in reality has no relevance to the environment; but at least that will please the auditor, and he'll then be one step closer to "passing" the audit. Management will be happy and the organisation deemed secure. He's in a good position, though, in that his management also realises that it's all BS and they have set aside money to undertake some real assessment of their security position. Few companies see it this way, sadly.
