The BSOFH On Dorky, Auditor-Friendly Policies

Posted January 16th, 2008 by

Roger writes about his workplace instituting a bag-check on a Friday afternoon. My first thought was “Gack, that’s part of the FISMA guidance? Somebody definitely was reading between the lines,” followed by, “I wonder how much miscarriage of security is conducted by people who claim to be the long-lost intellectual progeny of Ron and Marianne (Ron Ross and Marianne Swanson from NIST, work with me here).” Then I remembered my own security strangeness and laughed.

So a couple of years ago I was in a meeting between my physical security guy and an auditor from the government. I got there a couple of minutes late, so I didn’t get introduced. No biggie; my guy had everything under control and had done most of the work with this auditor already. A tip-off should have been that I was the only guy in the room wearing a suit, thereby identifying myself as some kind of manager, but alas, our auditor wasn’t that bright.

But then a problem sprang up, and it all revolved around physical access policy and procedure. I had a procedure that said that all employees, contractors, and visitors will badge in EVERY time they enter the building. OK, some of you should be saying a big “DUH!” at this point, and you would be right. Anyway, the auditor didn’t like that. They wanted a specific policy line that says “When you come into the building after a fire drill, you should all badge back in.”

I watched my physical security guy try to rationalize the finding away. “We already say that here in the general procedure,” he said. He drew a Venn diagram on the whiteboard: “See, fire drill is part of ‘every’.” The auditor just wasn’t buying it.

As a last-ditch attempt, I stepped in with the classic contractor phrase: “Where does this requirement come from?” The auditor looked at me and, not taking the hint that A) I know what I’m doing, B) I teach this stuff, and C) I’m the guy in the suit, so you would think I was important in some way, replied: “Well, it comes from NIST. You see, they have this book of requirements called 800-53 and it says that you have to have a process to badge back in after a fire drill.”

At that point, I realized the situation. Life had handed me a bozo, and it was easier to write a one-line correction than it was to try to educate them on the error of their ways and ask them to show me where it says that in SP 800-53.

So my advice to Roger: One afternoon checking bags (yay, my favorite activity to do in my “spare time”!) is sometimes easier than trying to educate your auditor.

And watch out for bozos. They’ll wear you down to a nub. =)


Posted in BSOFH, FISMA, What Doesn't Work | 5 Comments »

5 Responses

  1.  Kevin Says:

    That is rather frustrating but unfortunately all-too-common. I can’t tell you how many times I’ve had to deal with customers and auditors flailing their arms, gnashing their teeth and speaking in tongues over some FISMA (or some other similar guidance) “requirement.” Usually, once I have the opportunity to bring their temperature to a more reasonable level by pointing to the “real” requirement, they are much happier (and better educated). — Good story!

  2.  rybolov Says:

    Took me a minute to find it, but as I’ve said before, please don’t call it “a requirement” if it’s really a control objective from a security framework or catalog of controls.

    http://www.guerilla-ciso.com/archives/114

    =)

  3.  LonerVamp Says:

    Phrases you hate to hear spewed by ignoramuses…

    “It’s in the client’s best interest!”

    “The client requested…”

    “It’s a FISMA requirement…”

  4.  Vlad the Impaler Says:

    you left out:

    “We have to do this to be compliant…”

    Bada BING!

  5.  Vlad the Impaler Says:

    And one more thing…

    Did the auditor expect everyone to badge out when they leave?

    That’s a requirement, isn’t it?!

    Let me guess… the auditor’s last name was Dumas? (that’s French for dumbass.)