by zdc1
358 days ago
Similarly, I've had many instances where an auditor would ask for X and instead of trying to show them X I would instead ask them what control / Common Criteria item they were trying to get assurance on. So much of the process is about educating the auditors about how your systems operate and how you manage risks, rather than just trying to provide or build anything and everything they ask for.

*X = password expiry configuration, server antivirus, approval emails, etc.