What Can I Expect in a Security Audit?


JohnBates

MIS
Feb 27, 2000
1,995
US
Hi everyone,

We have a Fortune 500 client who will visit our office soon to conduct a "Security audit".

I would like to hear from anyone that has "survived" a security audit. What kinds of things do I need to be prepared for? Will they actually do hands-on investigating of the database? What was the outcome of your audit... did they give you a detailed report? Did they shoot the DBA? :)

Thanks, John
 
I survived a SAS70 audit. It was bloody, but I made it. It depends on how smart your auditor is. My auditor was checking everything from strength of passwords to who has access to the 'sa' account. Either way, be prepared for them to tear everything apart looking for security weaknesses. They actually had me run traces.

Here is a tool from Microsoft that checks for best practices. It will help you make sure the obvious is OK.


- Paul [batman]
- If at first you don't succeed, find out if the loser gets anything.
 
We JUST had a security scan done on our production server. The things we had to change and look out for were the following:

encrypted SSNs
encrypted passwords
inactive accounts
correct permissions (based on company policy)

Hmm, I guess these were the only SQL things I can think of off the top of my head.

[monkey][snake] <.
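
An added example, not part of the original thread: a pre-audit self-check covering the items the replies above mention (who has 'sa'-level access, password strength, inactive accounts, permissions). It assumes SQL Server 2008 or later and a login that can see all server principals; the 180-day threshold is an assumed value, and because these catalog views do not record last-login time, password age is used as a proxy for inactivity.

```sql
-- Added example: pre-audit self-check (assumes SQL Server 2008 or later).

-- 1. Who holds sysadmin, i.e. the same level of access as 'sa'?
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Enabled SQL logins that are exempt from password policy or expiration,
--    or whose password is blank or identical to the login name.
SELECT name,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE(N'', password_hash) = 1 THEN 1 ELSE 0 END AS blank_password,
       CASE WHEN PWDCOMPARE(name, password_hash) = 1 THEN 1 ELSE 0 END AS password_equals_name
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0
       OR is_expiration_checked = 0
       OR PWDCOMPARE(N'', password_hash) = 1
       OR PWDCOMPARE(name, password_hash) = 1);

-- 3. Candidate inactive accounts: enabled SQL logins whose password has not
--    changed in 180 days (assumed threshold; a proxy, not a last-login time).
SELECT name,
       create_date,
       CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) AS password_last_set
FROM sys.sql_logins
WHERE is_disabled = 0
  AND CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime)
      < DATEADD(DAY, -180, GETDATE());

-- 4. Server-level permissions granted or denied directly to logins,
--    to compare against what company policy allows.
SELECT p.name AS grantee, p.type_desc, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.class = 100                       -- server-scoped permissions only
  AND sp.permission_name <> N'CONNECT SQL' -- skip the default connect grant
  AND p.type IN ('S', 'U', 'G')            -- SQL logins, Windows logins and groups
ORDER BY p.name, sp.permission_name;
```

Windows logins and groups appear in queries 1 and 4 only; their password strength and account inactivity are governed by the domain, not by SQL Server.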
 