As security becomes more and more important each day, there is a need for the IT community to understand the differences between auditors and administrators. The reason we need to keep these different job roles separate is that they are completely different.
Auditors
Auditors have two primary functions. First, auditors are responsible for ensuring the company meets all required compliance regulations. Whether HIPAA, PCI, SOX, or otherwise, auditors have a responsibility to know the compliance regulations and ensure that the company meets them. When the external auditor comes into the organization, all security, procedures, and other regulatory compliance issues need to be correct to meet compliance.
The second function of auditors is to ensure that security for the organization is correct. These may or may not match the compliance regulations. Auditors must ensure that the security for all systems is correct: Windows, Unix, AS400, SQL, Cisco, and more.
Administrators
Administrators have one primary function. The primary function for administrators is to ensure that all systems are functional for employees to perform their job tasks. Administrators must work with the variety of operating systems to ensure compatibility and communication. One small patch could destroy a computer’s ability to function and communicate.
Administrators are concerned about security, but only to the point where they can ensure their primary function is completed. Applying patches, making security configurations, and adding unknown tools can cause disruption in their overall goals. Thus, they are apprehensive to patch, secure, and add tools.
Suggestions for the two working together
With such a diverse difference in the function of the auditor and administrator, how do they work together? The reality is that they must work together, so there needs to be some compromise. What does that compromise look like?
First, administrators should have a solution to give auditors access to reports that do not require the auditor to ask the administrator for the report.
Second, key security controls such as privilege access, resource access, and compliance controls need to be monitored constantly.
Third, communication is key! Auditors need to be understanding, as do administrators. Each role and function is key, so open communication regarding goals, desires, and needs must be established. No longer should it be “us vs. them”, but how can we meet in the middle and create the most secure and most reliable infrastructure?
Finally, we must understand that we are all many steps behind the attackers. We must come up with more sophisticated approaches to ensure security and combat attacks. We have built a security hardening website that can help administrators accomplish this goal and all of the information is free!
We at ManageEngine know the stress and responsibility put on both auditors and administrators. We try to give you guidance, tools, and solutions that help secure and solidify your environment. Please let us know how we can better help you accomplish your goals. Send your emails to me at Derek@manageengine.com and I will help find answers!
