Shostack + Friends Blog Archive


Compliance for auditors?

The frequent loss of laptops and data disks by outside auditors in recent months has caused me to think about best practices for controlling auditors. The latest case involved the laptop of the auditor for Wellsfargo Bank. The laptop was stolen from the trunk of the auditor’s car and contained confidential information on bank employees.
Auditors provide a critical function. In many cases they are part of the security solution. But with the glare of public disclosure the practices around performing an audit need to be tightened up. I posted what I think would be basic best practises for auditing auditor laptops here. I will also be posting it to the IT-Harvest Data Protection Weekly which goes out every Monday morning. It’s free btw, and you can sign up by clicking here:

Data Protection Weekly

I am reminded of the problems faced by IRS auditors. Those guys are paranoid. There are 20,000 of them running around with laptops that VPN back into the IRS mainframes where they have access to EVERYTHING on corporate finances. Imagine how worried they are about someone sniffing their passwords or installing spyware or doing a man in the middle attack.

One comment on "Compliance for auditors?"

  • Duncan says:

    The dog food that I eat on my XP laptop:
    1. Use truecrypt (excellent freeware) to create an AES encrypted virtual disk.
    2. Place keyfile on a USB attached to my keyring (I have a backup in my safe at home)
    3. Configure laytop to prevent hibernation.
    4. Store all sensitive and important data on this drive including outlook – backup is really each – USB external disk
    5. Run personal firewall, virus scanner (daily update), malware detector.
    Price: $0, Value:priceless, degree of difficulty:low

Comments are closed.