nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Points to address during a security audit in this scenario.

yzT

Recently I started to work for a company where the security controls are close to null. For instance, since the very first day I got root access to every system, they share passwords through Skype, write them down on notebooks, most of them let the session logged when they leave, they use pirate software, passwords in clear text on scripts...

I couldn't let go this lack of security awareness, and yesterday a conversation arose and I spoke about the need to implement security controls, though they are not very convinced.. LOL!

Today speaking with the coordinator of the area, she says we should take actions against this problem. Although I'm new and do not have so much hands-on experience, for what I've seen so far, I'm the only one who know something about security in this job, after all, I'm pursuing a career in information security.

I'd like to leverage this situation to start to perform security tasks, and I thought that I could perform an internal security audit exposing the points stated above and then provide a little training about security awareness.

What else do you recommend me to look for?

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

wes allen

Might start with these two...

CSIS: 20 Critical Security Controls - Version 4.1

Strategies to Mitigate Targeted Cyber Intrusions (formerly Top 35): ASD Australian Signals Directorate (formerly DSD)

jibbajabba

We were in a similar situation and one approach was to make staff going through Bob's Business ..

Information Security Training courses delivered online, ISO27001 compliant, cost effective, online information security training.

Not bad really ..

tpatt100

Don't forget to analyze the financial impact of implementing changes, if they are using pirated software is it for personal use or to overcome lack of proper funding and employees taking shortcuts. Some companies really don't want to know the truth.

Also make sure to get permission from management before you start documenting anything. Snooping where you shouldn't thinking you are helping might get you into trouble.

it_consultant

My buddy started work at a company who went through a Microsoft audit a week after he started. Pirating software is never OK and it is ESPECIALLY not OK in a professional organization.

yzT

it_consultant wrote: »

My buddy started work at a company who went through a Microsoft audit a week after he started. Pirating software is never OK and it is ESPECIALLY not OK in a professional organization.

at least Windows is original because we use laptops xD