An IT guy said that in his company, the Windows updates (small security updates that are downloaded automatically by the Windows autoupdate) are checked by the auditor. ie: the auditor checks if every system in the company has these updates installed. I couldn't believe that auditors actually check these details. Do they?
Asked
Active
Viewed 746 times
3 Answers
6
As I understand it (I am not a lawyer and I am not a compliance officer so take what I say with a grain of salt), there are interpretations of SOX compliance that require that a company have mechanisms in place to ensure that all machines are up-to-date with patches. So it wouldn't surprise me in the least if they are audited.
Larry Osterman
- 1,226
- 10
- 8
6
There are definitely some regulations that require this to be checked.
For example, PCI-DSS requires (requir-ed? Havent reviewed v2 yet..) all security patches to be installed within a certain amount of time. And yes, QSAs need to verify this too.
AviD
- 72,138
- 22
- 136
- 218
-
That's really why network access control/protection software checks whether systems are patched. "Vulnerability management" is a hard sell, compared with "big-ass compliance fines". – Dec 15 '10 at 12:48
-
4@Graham, that of course brings up the canonical [*AviD's Law of Compliance*](http://security.stackexchange.com/q/622/33#631): `"PCI compliance reduces the risk of the penalties of non-compliance"` – AviD Dec 15 '10 at 13:00
3
From a range of organisations I used to look after from an IT audit perspective, the term 'audit' here usually meant 'check the list of updates installed against the list published' not go into any depth as to what each one contained. ie if it was a 'critical' from the vendor, audit would get concerned if it hadn't been implemented in timely fashion - or failing that, have a good exception reason.
Rory Alsop
- 61,367
- 12
- 115
- 320