What passes an audit but fails in practice for you?
My coworkers and I have been using this nice slow time at work to dive in to the compliance side of the house. One of the things we talked about where controls that pass an audit that are actually useless for us in practice. 😂
For example, we have audit logs going to a SIEM but most of our application and database logs do not and the client, server, network logs that do go are so large that they are never reviewed. Sure, we have setup alerts but it seems pointless with the amount of logs being stored and we have found that some of the alerts being generated people ignore anyway 😬
So I’m curious what other people see… what’s a control that passes in your org but secretly fails in practice?