Imagine this …
You’re an IT Security Manager for a large company. You organise an audit of IT Security.
The external auditors identify many issues*, and you ask a support team for feedback on one issue.
When the support team asks for further details, do you:
- say no, as it’s the whole document is security-in-confidence.
- for the particular issue, extract the details out of the report, and provide that extract to the support team.
- provide a link to the whole security audit report, which details every security flaw found throughout the whole organisation.
If you picked "3", you too can have a job as an "Information Warrior".
* – it’s the nature of external security auditors to find every flaw. Some would say it would be to justify their exorbitant fees. Poor security auditors seem to just run though the Microsoft Security Checklists, and leave it at that.
… Dale has been involved in desktop security audits since Windows 95/NT4, and its all been a blur.