Yambu <hyambu@xxxxxxxxx> writes: > Hello > > If auditing on our postgres instance is to be done , what are the things we > should make sure that we fix or correct to make sure we pass the audit? First thing to note is that most decent audits are not a binary pass/fail type situation. Auditors will almost always find someting which could be improved. Auditing is a risk management process and will typically report risks on some scale, such as high, medium or low. These values are typically determined by a combination of likelihood, impact and controls (mitigation). Doing things to 'pass' the audit is the wrong approach. An audit is a good opportunity for an external review of your policies, procedures and systems. If changes need to be made to 'pass' the audit, they are likely changes which should be done to protect the business. The sort of information an auditor will require depends a lot on the type of audit and the type of business being audited. For example, the priorities and risks in a medical clinic are very different to those in a credit processing centre. Without more details about the type of business and type of audit, it is difficult to provide any precise information. Generally, the auditor will provide some details on what they will be wanting to see prior to the audit. One thing auditors typically want to see are your policies and procedures. Auditors hate 'ad hoc' processes - processes which are not documented and where it assumed all those executing the process just 'know' what to do. They also want to see that policies and processes are reviewed and updated regularly. You might think that as a DBA or a developer, you don't need to worry about policies and procedures. This is probably incorrect. Typically, there will be policies and procedures covering things like change management (who, what when), access controls, disaster recovery and business continuity plans (backup, restore, what to do in a disaster and what to do to keep the business running while the disaster recovery process executes - noting that 'disaster' is not just flood, fire, etc. A disaster is anything which would prevent the business from operating for an extended period of time and can also include things like cyber attack, data breaches etc), monitoring and application of security patches etc. The first audit, which this sounds like it might be, should really be seen as an information gather process that will identify areas of policy and procedures which can be improved. The more important audit is the second and later audits, which will show how much progress has been made towards achieving those improvements. Note also that it is common for the auditor to get things incorrect initially. In good audits, there will be a review stage where you are given the opportunity to clarify, correct and provide additional context for the initial findings. The biggest challenge with an audit is providing the information with sufficient detail to assist the auditory to understand matters, but not with so much information they become overwhelmed or draw misleading conclusions. Often, volunteering information can be a bad idea. Provide everything asked for and provide it as clearly and concisely as possible, but don't try to guess at what they want and add additional information which has not been requested. Of course, some auditors are better than others. An audit can be a stressful experience. With luck, you will get an experienced and well trained professional. Hopefully, your management isn't trying to save money by going cheap! -- Tim Cross
