Points to address during a security audit in this scenario.
Recently I started to work for a company where the security controls are close to null. For instance, since the very first day I have had root access to every system; they share passwords through Skype, write them down in notebooks, most of them leave their sessions logged in when they step away, they use pirated software, passwords are in clear text in scripts...
I couldn't let this lack of security awareness go, and yesterday a conversation arose in which I spoke about the need to implement security controls, though they are not very convinced... LOL!
Today, speaking with the coordinator of the area, she said we should take action against this problem. Although I'm new and do not have much hands-on experience, from what I've seen so far I'm the only one who knows something about security in this job; after all, I'm pursuing a career in information security.
I'd like to leverage this situation to start performing security tasks, and I thought that I could perform an internal security audit exposing the points stated above and then provide a little training on security awareness.
What else do you recommend I look for?
Comments
wes allen
jibbajabba
We were in a similar situation and one approach was to make staff go through Bob's Business...
Information Security Training courses delivered online, ISO27001 compliant, cost effective, online information security training.
Not bad really... My own knowledge base made public: http://open902.com
tpatt100
Don't forget to analyze the financial impact of implementing changes. If they are using pirated software, is it for personal use or to overcome a lack of proper funding, with employees taking shortcuts? Some companies really don't want to know the truth.
Also make sure to get permission from management before you start documenting anything. Snooping where you shouldn't, thinking you are helping, might get you into trouble.
it_consultant
My buddy started work at a company that went through a Microsoft audit a week after he started. Pirating software is never OK, and it is ESPECIALLY not OK in a professional organization.
yzT
> it_consultant wrote: My buddy started work at a company that went through a Microsoft audit a week after he started. Pirating software is never OK, and it is ESPECIALLY not OK in a professional organization.