Auditors and Company Policy

It’s always nice when your own auditors follow company policy. We have an external auditor in for the next 6 weeks in order to obtain FISMA certification. At the kickoff meeting, we told the auditors that they were not allowed to put their computers on our internal network, but they were more than welcome to use our guest wireless. This information was also on the account request form that they signed.

I had a feeling that they weren’t going to follow our policy. We don’t currently have a technical mechanism in place to enforce such a policy. I opened our DHCP management console and sure enough 5 computers had a DHCP lease with a computer name and domain giving away that their owner was this auditing firm.

So I was able to bust them on that, and prove to them that we do review the logs and record anomalies in servicedesk.
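One way to automate the lease review described above (an added example, not code from the blog or its author): the script parses a constructed dhcpd.leases-style excerpt and flags every active lease whose client hostname carries no domain, or a domain outside the approved internal one. The lease records and domain names are constructed for illustration.

```python
import re
# Constructed excerpt in a simplified ISC dhcpd.leases style (sample data, not real leases).
SAMPLE_LEASES = """
lease 10.20.1.41 {
  binding state active;
  client-hostname "WS-FIN-0412.corp.example.com";
}
lease 10.20.1.57 {
  binding state active;
  client-hostname "AUDIT-LT07.auditfirm.example";
}
lease 10.20.1.58 {
  binding state free;
  client-hostname "AUDIT-LT08.auditfirm.example";
}
lease 10.20.1.90 {
  binding state active;
  client-hostname "printer-3f";
}
"""

# Hypothetical internal domain; a host on the internal VLAN outside it is an anomaly.
APPROVED_DOMAINS = ("corp.example.com",)

LEASE_RE = re.compile(r"lease\s+(?P<ip>\S+)\s*\{(?P<body>.*?)\}", re.DOTALL)
FIELD_RE = re.compile(r'(binding state|client-hostname)\s+"?([^";]+)"?;')

def parse_leases(text):
    """Return one dict per lease block: ip, binding state, client-hostname."""
    leases = []
    for m in LEASE_RE.finditer(text):
        fields = {k: v.strip() for k, v in FIELD_RE.findall(m.group("body"))}
        fields["ip"] = m.group("ip")
        leases.append(fields)
    return leases

def foreign_active_leases(text, approved=APPROVED_DOMAINS):
    """Active leases whose hostname has no domain or a domain outside `approved`."""
    flagged = []
    for lease in parse_leases(text):
        if lease.get("binding state") != "active":
            continue  # free/expired leases are history, not a current violation
        host = lease.get("client-hostname", "").lower()
        domain = host.partition(".")[2]  # '' when the name has no domain part
        if domain not in approved:
            flagged.append((lease["ip"], host or "<no hostname>"))
    return flagged

if __name__ == "__main__":
    for ip, host in foreign_active_leases(SAMPLE_LEASES):
        print(f"ANOMALY {ip} {host}")
```

Run against a real lease file, the flagged tuples are what you would record in the service desk ticket; leases in a non-active state are skipped so stale entries do not generate repeat findings.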


  1. What I am interested in: these auditors willingly and knowingly violated your company’s policy. Was any action taken against the auditors? At the very least, I would think there has to be some form of compensation.

  2. Thanks for commenting.
    That is currently not determined. I’ll probably keep that detail under wraps.
    Just speculating, I doubt there is anything in the contract about that. All we can do is complain to their company and ask for compensation.

  3. Pingback: » Auditors and Company Policy, Part 2 - Roger's Information Security Blog
