by click170 3476 days ago
This.

This bit stood out to me (emphasis mine):

> Uber says employees don't receive across-the-board access to customer data and there are several controls in place to ensure that employees only access that data for work purposes.

I think the choice of the word "control" in this context gives away a little bit here; it's auditor-speak.

This word does not always mean to an auditor what it means to you or me. Having a written policy that says "Don't access X unless it's required for your job" and keeping access logs can satisfy a "control" from an auditor's perspective, depending on the certification.

That's better than nothing, but back to your point, you're right that it doesn't prevent insider access. Which isn't something I worry about normally...

Edit: Typo


Keeping an audit log should never satisfy an auditor. The keeping of a log is not a control; reviewing the log to detect inappropriate activity and acting upon it, that's the control.
Most auditors just want to check a box on a sheet. I've never been a part of an audit that was worth anything.
Careful with that brush, Eugene. As someone who has done (extensive) audit, I respectfully submit that the problem is not the audit process but the auditors you hire.

The usual process for such a control should be:

* Is there a requirement for a log?

* Does that log exist?

* Can the system(s) that write to the log be prevented from doing so/tampered with? (branch here to system security review)

* How are the contents of that log secured against tampering? (branch here to security review of logs)

* Who is responsible for reviewing it?

* Where is the evidence that such reviews occurred?

* What violations of policy were found during those reviews? (branch here to a review of the follow-up process)

* Can I, the auditor, find violations that were not found during the reviews? (if yes, branch here to figuring out why not)

This is not an especially complex script to follow, and winning at that last step is the kind of thing that gets you nice fat bonuses and happy bosses, because suddenly the auditee needs remediation consulting services. Especially as the cost of "taking a complete sample" (i.e. reviewing every entry in the log) goes down to nearly zero, this kind of review gets easier and easier (and is often automated by the company being audited, which just shifts the focus slightly... with no change to the last step).
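As an added illustration of the last steps of that script (not code from anyone in this thread), the snippet below takes a "complete sample" of a constructed customer-data access log, checks every entry against the support tickets that should justify it, and flags entries that no documented review sign-off covers. The log format, ticket fields and review records are all assumptions constructed for the example.

```python
from datetime import datetime

# Constructed access log: "<ISO timestamp> <employee> <customer_id> <action>".
ACCESS_LOG = """\
2014-11-18T09:02:11 alice cust-1001 view_trip_history
2014-11-18T09:45:30 bob cust-2002 view_profile
2014-11-18T13:10:05 alice cust-3003 view_trip_history
2014-11-18T22:31:47 carol cust-1001 export_trips""".splitlines()

# Constructed support tickets: the only acceptable reason to open a record.
# A ticket justifies one employee's access to one customer within its window.
TICKETS = [
    ("alice", "cust-1001", "2014-11-18T08:50:00", "2014-11-18T10:00:00"),
    ("bob", "cust-2002", "2014-11-18T09:30:00", "2014-11-18T11:00:00"),
]

# Constructed review evidence: who signed off on which slice of the log.
REVIEWS = [("dave", "2014-11-18T00:00:00", "2014-11-18T18:00:00")]


def parse_line(line):
    ts, employee, customer, action = line.split()
    return {"time": datetime.fromisoformat(ts), "employee": employee,
            "customer": customer, "action": action}


def in_window(when, start, end):
    return datetime.fromisoformat(start) <= when <= datetime.fromisoformat(end)


def is_justified(entry, tickets=TICKETS):
    """True when a ticket for the same employee and customer covers the time."""
    return any(emp == entry["employee"] and cust == entry["customer"]
               and in_window(entry["time"], opened, closed)
               for emp, cust, opened, closed in tickets)


def is_reviewed(entry, reviews=REVIEWS):
    """True when some documented review period covers this entry."""
    return any(in_window(entry["time"], start, end) for _, start, end in reviews)


def audit(log_lines=ACCESS_LOG):
    """Review every entry, not a random handful, and return two findings:
    accesses with no justifying ticket, and entries no review sign-off covers."""
    entries = [parse_line(line) for line in log_lines]
    unjustified = [e for e in entries if not is_justified(e)]
    unreviewed = [e for e in entries if not is_reviewed(e)]
    return unjustified, unreviewed
```

An unjustified entry inside a reviewed period is exactly the case the comment above describes: a violation the periodic review should have caught but did not.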

That's broadly correct, although auditing is usually risk based. The first question should be: is there a risk that requires a detective control of audit logging to be in place? If the answer is no (because the system is of low risk or value), then you would be unlikely to continue down the checklist.