Security audits: what they’re like

In the previous post we saw that data breaches in higher education can affect a large number of people, and that state legislatures and university administrations really want this problem to go away. (Spoiler: it’s not going away.)

One result of this is more and more information security audits at universities. Auditors start by reading the university’s policies pertaining to information resources, and then they look to see if the university is following its own policies. The auditors interview people all over the university about the details of their processes, and they portscan networks looking for out-of-date software and poorly configured servers. They inevitably find fault with the policies and/or some discrepancy between what’s written in policy and what’s actually happening. The auditors write up their findings in a report, and they submit the report to high-level administrators. The administrators read the report and send it (along with some harshly worded threats) down to the next level of management, and this process repeats until the report finally reaches someone who can actually do something about it (the hapless front-line pukes who administer networks and servers).

Reactions frequently include one or more of the following:

  • Why did the auditors have to tell all of my bosses about this? Why couldn’t they just tell me so that I could fix it (quietly)?
  • This is a purely theoretical vulnerability that couldn’t possibly affect us, and I don’t want to fix it.
  • This is a false positive, and I don’t want to fix it.
  • I could fix this, but I’m afraid that it would break something else, so I don’t want to fix it.
  • Correcting this is too difficult, and I don’t want to fix it.
  • Well, we’ve had this condition for a long time, and nothing bad has happened, so I don’t want to fix it.
  • I’m a new employee, and I’ve inherited all this stuff that someone else left in this sad state, and I don’t want to fix it.
  • The auditors are jerks, and they couldn’t find anything really wrong, so they’re picking on this unimportant little thing, and I don’t want to fix it.

Administrators and auditors have little sympathy for these reactions (however legitimate they may be), and these audits are becoming increasingly adversarial. People at all levels of the organization lose their jobs over these things.

So if you’re writing about a character who works in IT, and you want to increase the tension this character is experiencing, put her through an audit.


Author: carl

A web programmer and Linux system administrator who would like to be a writer.