Nov 16, 2018 - 04:14 AM
Nov 16, 2018 - 04:19 AM
Nov 16, 2018 - 04:36 AM
Nov 18, 2018 - 12:09 AM
This is where the six wise-monkeys can help you out:
Who - are we communicating with?
What - are we communicating? and in what language?
Where - does geography/ physical locations impact the delivery of our communications?
When - What frequency are we applying to our messages?
Why - What use-case are we addressing when we send out those messages/ reports? are they for-information, or for-action reports?
How - What method are we using to communicate with?
Think, too, of the life-cycles that can influence the answers to the questions above: contractors and project management staff can alter the "Who" answer, and tactical demands could alter the "What" answer (i.e. are we addressing a contract renewal with a supporting ELP report, or are we producing quality assurance reports to maintain and improve the health of the IT estate?).
I hope this helps.
Nov 19, 2018 - 01:24 AM
It is vital that you don't over-communicate. Form your audit response team, which should be small: 1 C-Suite, Legal, Procurement, and an IT technical manager. Define the RACI for the team. And communicate early. On receipt of the audit letter you should be able to calculate a risk size within 2-3 days, and communicate it to the audit response team. It doesn't need to be accurate - just a best case/worst case estimate. This has the benefit of alerting the right level of executive and helps with resources and buy-in. Use your reporting line to do the communication, having briefed them to be discreet. If you're not regularly talking to your CIO, tapping her on the shoulder with bad news isn't helpful - get your reporting line to do it for you.
Never make assumptions and definitely don't try to hide anything. It will be found; auditors are more expert at forensic analysis than you are. Even a single server with unlicensed software deployed can easily end up costing you $m - check everything!
Nov 20, 2018 - 01:43 AM
We recently helped one of our clients to navigate through a Tier 1 software publisher audit.
We advised the client to have a proactive SAM strategy in place, which the client agreed to.
Further, we advised him to put the below probing questions to the auditor.
1. First, avoid an on-site audit by giving all possible information and asking for supporting data from the OEM company.
2. If the audit is still unavoidable, then ask clearly in mail what the scope of this audit is.
3. How is the data collected? Is it manual or using a script?
4. If it is a script, then take an undertaking declaration from the auditor saying the script will not fetch any data other than the concerned OEM software in the deployment summary.
5. If their script is not capable of pulling only Adobe-specific details, then a script-based audit cannot be followed. Being the client, you have full right to deny it.
6. Then the only option is manually checking all PCs.
7. Also ask the auditor for the time duration required.
8. It is recommended to take an NDA and sign it between the three parties, that is, the OEM software company, the auditor and the customer.
9. Ask in advance that Adobe should give communication saying that, post this audit, for a minimum of 1 year or 2 years they will not come for an audit again.
Hope it helps.
Nov 20, 2018 - 02:21 AM
If you are involving any specialists in any areas, make sure they know your brief... I have sat in rooms where the ITD has stated they don't use certain technologies, only to have a chat with "the server guy" who talks at length about his environment and all the products within his domain, which includes the thing that has been stated is not used. (Server guys LOVE chatting about their stuff.)
This makes it look like:
1) the ITD has NO idea what is going on
and/or 2) the ITD is hiding something
Now I am not saying you need to hide things, lie or cheat, but it leaves a need in the reviewer to investigate everything even more deeply when there is a disconnect. You will need to get your specialists involved in some areas, and they will talk. Just like they talk to the manufacturers about what they are looking to achieve during "normal" times. Just like they talk to support when things go wrong. Just like purchasing talks during renewal times.
As above - you should know your environment before you start, know what your expected position is and the best potential outcomes.
Nov 20, 2018 - 05:38 AM
A general rule with any auditor is "answer only the questions you are asked". Nothing more, never. It is a golden rule everybody should be aware of. Also, in my opinion, it is better not to allow the auditor to speak to a wide audience. It is better to have just one person as liaison officer. Then you have absolute control of the information flow.
Nov 20, 2018 - 05:49 AM
As a SAM Manager who may not necessarily have a strong relationship with infrastructure/ops teams you also need to be circumspect with those teams. Certainly don't let anyone outside the Audit Response Team (4 or 5 people) know what your ELP is, or your best/worst outcomes.
Having an Ops guy waxing lyrical about how resilient their infrastructure is (because they use vMotion or have hot standby DR) is immediately going to trigger an auditor to go digging a bit further.
Nov 27, 2018 - 12:02 PM
Source: SAM Professional