or, Buying Time

For whatever reason, you've got an audit in front of you. It's a 27-page document asking you to spill the lifeblood of the company to the security group of one of your customers. As if you didn't have 87 better things to do with your time, like deliver a better Internet.

You're supposed to have done this a week or two ago, but between putting out fires and racing around like a chicken with its head cut off, you haven't even started. And tomorrow, the account manager will be meeting with the customer to upsell them. And she doesn't want to have the outstanding audit be an issue. And you don't have time to get it done, because you haven't gotten enough sleep in a while and you're not pulling an all-nighter for this.

Go through the document. Find about 5 questionable points, and draft a response to only those 5. Things like, "You ask here for the minimum length of passwords we use. We actually have an algorithm that assesses the amount of entropy in a password, and judge based on that. Would that number be okay here?" and "You stated that you'll need to do a penetration assessment of our system, but we have an independent security agency do one every six months, would that be okay? If not, we can certainly accomodate your request for an added fee." Then close your response with, "Everything else is about all set. Let me know if these points are okay and I'll shoot over a final draft!"

You've bought yourself time. Of course, now you have to go do the work.

Log in or registerto write something here or to contact authors.