Audit and Assurance

Auditor access to Panorama

  • 1.  Auditor access to Panorama

    Posted 12 Sep, 2019 12:33
    I wanted to get a viewpoint from the forum members on the best way to provide access to external auditors for review of firewall configuration. Among the options below, is there a particular method that is considered best practice?

    1. Downloading firewall configuration as xml/pdf and sharing through BOX folder
    2. Granting read-only access to firewall configuration via tools such as Panorama for a limited period of time. Would it be possible to restrict access just to specific firewalls under scope?
    3. Conducting video conference or shoulder surfing session with the auditor

    Obviously there needs to be a balance of both security and efficiency/effectiveness of audit. I wanted to check if individuals have experience with this and prefer a certain mechanism over the others.


  • 2.  RE: Auditor access to Panorama

    Posted 13 Sep, 2019 14:25
    Edited by Jordan Novak 13 Sep, 2019 14:29

    For both options 1 and 2:
    I would NOT provide FW configurations to any auditors. Due to sensitivity concerns, I would definitely make sure you have a HIGH LEVEL of approval to share something like that.

    Ask the auditors if they can instead observe the firewall settings.  I would push back!  It would be far better to just share this in a meeting than to have FW ACL rules floating about for years on BOX servers and auditor laptops and servers.  That's a big risk.  You need to have your own assurance over the systems they use if they are taking off with ACL rules!  If you have ACL rules shared out, ask yourself: "Does your organization have BOX vetted?  Is it their BOX platform or yours?  And the systems where audit evidence goes... are you or they liable for any breaches?"

    As a former external auditor, this should be an acceptable and very reasonable request for them to accommodate.

    Just avoid the risks and headache and have them observe it with you in a meeting.
    Your best bet is #3, and I would do it in person.  I wouldn't even want them obtaining screenshots.


    Jordan Novak
    Senior Security Analyst