

I may be speaking out of turn, but I can't imagine even if there were some future major catastrophe that it would come down to this being the difference between avoiding it and it occurring. Is there a financial hit or even an expectation of correction and verification by the auditor? If not and it were me, I'd set the report aside and worry about other things. I have to agree with CrashFF regarding his comment that this may be an auditor who is looking at this through his own particular tint of glasses rather than the regulations.

I have asked the auditor to clarify the deficiency and provide supporting regulations or standards but have not heard anything back yet. If whatever is plugged in is actively attacking things, or encrypting the place where you have your spreadsheet, then I can see how a physical label would be superior. The one thing a physical label will do for you is reduce the time it takes since you won't have to go find the spreadsheet. As long as you know where that patch goes (like in a spreadsheet) you can then find the physical device. Generally, if you're monitoring for unauthorized devices, you have to see it electronically (like by IP or MAC address) then determine what port it's on in a managed switch, and trace the wire to the patch panel.

While I won't argue that labeling things is helpful, I don't understand what audit criteria it addresses. For example, if it's a security thing, the label itself will not prevent someone from plugging anything in nor will a physical label increase your ability to detect the issue or remedy the situation. What kind of audit was this? We do SOC 2, and the auditors never seemed the least bit interested in labeling on our patch panels, or even if we had records in a spreadsheet as you do.
