Security Audit

less than 1 minute read

We were in an security audit meeting the day before. The morning session was boring. The high-rank officials and excutives blah blah blah, which made us feel sleepy.

It became more interesting in the afternoon. Two auditors asked security-related questions to us, a security engineer and me. The first one asked technical questions, like detect tools, configuration management, site management, etc. We could handle most of them, by just telling the truth. Since the schedule was tight, they could not ask detail questions.

The second one asked about the organization chart, the personnels and their titles. I could predict their conclusion while giving my answers. The head of the security team, they told us later in the conclusion discussion, was not empowered enough to utilize company-wide resource.

I think such auditing is not bad. At least some third-party would straightly point out some problems which may be well-known for all of us, but nobody wants to speak out.

Categories: Tech