A company I know was audited some years ago. One of the findings was that there were no Unix server logs. Over the next year server logging was enabled.
The following audit noted that nobody was reviewing the logs. So the company invested in a SIEM solution and reviewed the alerts. (Of course, no one actually told this company to act on those alerts – but that’s another story.)
The company is a global concern, and the audit was limited to the Americas. A similar audit naturally followed in the other regions, and of course the same findings emerged. Not only that, it took yet another audit for them to be told to apply the same controls to their Windows environment.
It didn’t take a genius to see that coming. And unfortunately, that was a true story.
I don’t know what was worse – the auditors simply checking boxes, or the client reacting to the letter of the audit rather than its spirit or intent.
Are these sorts of technical audits effective? Is there a better solution out there?
I think they could be effective if the clients of those audits were honest with themselves and committed to improvement. The nature of an independent entity that can speak to the Board if necessary is powerful. It carries weight. But the client must not only listen to the narrow findings; they must also see the bigger picture.