
Archive for June, 2008

OMG DIABLO 3 IS ANNOUNCED!!

29 June, 2008

BLIZZARD ROCKS!!

DIABLO 3 ROCKS!!

THIS IS WHAT PC UPGRADES ARE MEANT FOR!!

 

*time to get a new system*

PS: Oh ya.. Hellgate London can go suck at something

 

[UPDATE 29/June]: Why oh why is the gameplay video so damn big.. Hee Hee.. am anxious to watch the Barbarian in action. Flash videos just don’t cut HD’s butter.

The Cinematic Trailer was cool though, cue Arabian Music *check*, cue monsters breathing down on me with fiery throats *check*, cue hot cool chicks that appear in all of 2 seconds all sweating and out of breath *check check check!!*

 

[UPDATE 29/June -- later in the morning ]: Damn.. C-Zone in Lowyat is showing the gameplay and trailer video in full HD Glory! The Game is ON!

When is the game due GodDamnIt?!

Categories: Blogs

Good Morning!

29 June, 2008

Yawn… just woke.. trying to clear off some image backlog.

Categories: Pictures

Working @ NIGHT

28 June, 2008

I hope what had transpired during this week never happens again.

I have not been getting enough sleep because of work. Granted, being a junior member of the team I had to prove myself by miraculously producing work in the short amount of time I’m assumed to have worked (say 5:00pm to 5:30pm) but in reality I have been making up progress by working after office hours.. till the wee hours early next day.

You know you have a problem when friends that usually sleep at 2am wish you “good night”.

So after reaching another milestone in the project, I am making a promise to myself that other than being asked to by boss, forced by circumstances, trying to meet deadlines, not working hard enough during the day..

.. I will never work past midnight.

:)

Categories: Blogs

Dreaming of Flying

28 June, 2008

Categories: Pictures

A little info on audit work

21 June, 2008

Was chatting with Grace and inadvertently it went straight to talking about work. I don’t mind really as at this point, talking about it is a form of relaxation for me.

Topic of the discussion circled about how my job has been and after a few rounds I actually summed up the following equation:

My Job Satisfaction = managers don’t call you up at night = job well done, no mess to clean up.

Yup, just that. There’s no better feeling in not getting any reply. No news is good news.

I have a feeling that being in this field for the last 4 months has changed me in some subtle way. For example I use the word ‘dodgy’ just like my seniors do, like their managers do, like their directors and partners do. I need to find out who started this word and I promise myself I’ll break the chain. I also feel I am starting to talk like an auditor now, dang all those ‘as at <date>’, ‘recommend’, ‘effective but’ and other legally neutral but strongly and correctly worded statements. I wonder how lawyers cope with it.

Some friends have been asking me what the heck I do for a living. Well, I used to say I give clients bad news. Telling them what’s broken and what’s not effective but working nonetheless. That’s the short version la~ the long version needs a little explanation.

So imagine company A wants to submit an annual report. It will ask their internal finance people to check through it. But the public don’t trust them cause they are ‘insiders’. So the external auditors come in and check it again. But the external auditors don’t trust the system that generates the data they are holding in their hands. So we come in to check the system. Thus, IT Auditors.

Not sure about other firms but when we check we go into ‘evil’ mode and check everything that our twisted minds can think up.

For starters, we see if there is anyone in the company that can change how the financial system works without someone else knowing about it, approving it, testing it, implementing it, and paying for it. :) To do that we grab all sorts of paperwork and run through it, taking samples, asking questions, bugging the living daylights out of everyone. Then we up the ante and go bug the people that actually work behind big desks looking for contract agreements etc..

The next day, after feeling extra mean due to insufficient sleep, we go bug the admin people to see who can actually use the systems. This means who creates the IDs for the system etc. Same thing, check if there are people who approve it and review it. Reasoning is whoever is given the privilege to create IDs is like a God. If they are allowed too much freedom, might as well give everyone superpowers to change everything. And no, God-like powers in this case are bad.

So at this stage, if all goes well, no one should be able to change anything without a 3 hour meeting with everyone, no IDs can be created without cutting a few more trees to make forms to fill. Cool. So what about hacking?

That’s where we go in and check all network ports, scan all wifi APs, grab more reports on door access tags, hacking their servers from inside, outside, in between lunch breaks. If we’re extra mean then we go and tipu the receptionist into giving us the DNS and IP address of their workstation as well. You’d be surprised what a tie and a company tag can do. Kevin Mitnick would be proud.

Satisfied that no hackers can hack in, we start to doubt the people we just talked to anyway. We start to check on the settings on the system itself to see if it complies with our fanatical standards (which so far none has fully 100% complied with) and grab screenshots for our managers who likewise don’t trust us if we say we ‘saw’ it.

A password such as H7j*k6J is not secure cause it’s not at least 8 characters long and it mustn’t have been used in the last 3 times and it needs to be changed every 45 days. Try that on windows.

So, program ok. Settings ok. Hacking not possible. IDs are secure. Next would be to check on the data itself. Yea, we don’t trust anything be it concrete or abstract, moving or immobile, warm or cold (you get the idea).
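The settings check described above, as an added example that is not part of the original post: it reads the text printed by the Windows `net accounts` command and reports every setting that misses the three thresholds the post names. The sample output is constructed, and the function names `parse_net_accounts` and `audit` are this example's own.

```python
import re

# Thresholds taken from the post: at least 8 characters, no reuse of the
# last 3 passwords, change at least every 45 days.
POLICY = {
    "Minimum password length": ("min", 8),
    "Length of password history maintained": ("min", 3),
    "Maximum password age (days)": ("max", 45),
}

# Constructed sample in the layout printed by `net accounts` on Windows.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              7
Length of password history maintained:                None
Lockout threshold:                                    Never
The command completed successfully.
"""

def parse_net_accounts(text):
    """Return {setting: int or None}; None stands for None/Never/Unlimited."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?):\s+(\S.*)$", line)
        if m:
            name, value = m.group(1).strip(), m.group(2).strip()
            settings[name] = int(value) if value.isdigit() else None
    return settings

def audit(settings):
    """Return (setting, found, requirement) for every policy failure."""
    findings = []
    for name, (kind, limit) in POLICY.items():
        if name not in settings:
            findings.append((name, "missing", "setting not reported"))
            continue
        value = settings[name]
        # A non-numeric value means the control is switched off, so it fails.
        within = value is not None and (
            value >= limit if kind == "min" else value <= limit)
        if not within:
            word = "least" if kind == "min" else "most"
            findings.append((name, value, f"must be at {word} {limit}"))
    return findings

if __name__ == "__main__":
    for finding in audit(parse_net_accounts(SAMPLE)):
        print(finding)
```

A value of `None` in a finding means the machine reported the control as disabled (`None`, `Never` or `Unlimited`), which is a failure against any numeric threshold.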

Imagine if system A talks with system B. We want to know if they understand each other correctly. Meaning if I say RM1, you don’t read $1. Simple, to test it we grab the output from A, take the output from B to see if they match.

So far so good. By now we’d most likely be sleepy and cranky for not sleeping well for the last few days going over raw data. And thus we will go extra mean and demand to see their servers as well. (See the part about not trusting anything). We will see if the servers are protected and secure, that fire and other threats don’t do damage to anything, that backups are being done and so on. Basically meaning nothing should be lost in a disaster. Even if Godzilla attacks it MUST be business as usual.

To give you an example, we see if there are fire extinguishers inside the server room. Most use gas. So if I hit the fire alarm, gas goes off. Does the server room unlock? Maybe Tom Cruise could just hit a switch and walk in when everyone is walking out. It’s so simple it’s not even MI:4 material.

Or another example. If the room next to the server is on fire. The server room is heating up. What can you do to protect the server? Air conditioners will not work for long, especially if power is cut. UPS and Gen Sets be damned, firemen are not going to be electrocuted just cause you wanted the Gen Sets to be running. Water sprinklers will kill the server faster than the fire. Gas doesn’t work on cooling down the room. Heat alarm will only warn you and in turn laugh at your face since you can’t do anything anyway.

So in this case, what do you do??

Someone did say pump in liquid O2 so that Tom Cruise can set a fire on the adjacent storage room and walk in and grab the hard disks. MI:4!

So once we’re pissed that the server room is more secured than our laptops, we go bug the data backup guy for the sake of keeping to our image of bugging everyone in the office. In turn, we ask the guy if backup is done, that they can restore just fine, that backup logs show everything is ok & cool etc. Then we ask this: Do you keep the backup on the server rack? Is it locked in a safe? Is it stored in another branch? How long can the backup be returned? Is the backup content encrypted? Are backup operators in the know about how to restore the files? Who needs to sign off on data restore? What is the response time for data restore? Is there a test on data prior to restore? Is the test done on test server or production server? Is backup data purged after restore? What about transport, is the transportation outsourced? How long do they keep backup data? What is the data retention policy…

Now multiply that to the entire process and you’d get why ppl hate us so much.

Categories: Blogs