Yesterday was an interesting day: I had a teleconference with two gentlemen who gave me a rather interesting insight into the inner workings of a big ISP that is hosting the website of one of our customers, which I'll be auditing in the near future.
These two men wanted to talk to me about what my colleague and I will be testing for our customer. Since my colleague is on holiday, I explained what I'll be doing on the servers, and for the network part I answered that I was not the person to speak to.
They apparently have an issue with the fact that we would log in as administrator on the network appliances to check the configuration. Since it is not my call to make, we agreed that they would send us some printouts, and it is up to my colleague to decide whether it is possible to do audit work on this. I personally think it is not acceptable, since we are an independent party and have to obtain the information ourselves.
There is a second problem with this. The ISP is prepared to send me, a stranger they have never met, information about their firewalls and such by e-mail. Yes, this is something that will be in the final report to our customer; it is my due diligence.
Just to see how far they go in the management of our customer's environment, I asked if they kept logs of each time they tested the clustered load balancers. Apparently they only tested their cluster once, before it was put into production. They monitor it and have a spare ready in case one goes down. I asked them whether they didn't test it on a regular basis to see if it functions correctly, but according to them this was not necessary, since it is monitored in case it goes down.
For me it is the same problem as the guy who makes his backups but never tests them on a regular basis to see if they are any good.