The savvy sysadmin's guide to surviving an ISO 27001 audit

What ISO 27001 auditors will be looking for from Unix sysadmins

Page 2 of 2
  • Are documents and data classified according to their value and sensitivity? Are the sensitivity levels clear and consistently used? Are documents labeled?
  • Do you know what kind of information is stored on the systems you manage, and at what sensitivity level? Even if the system provides no way for you to label files, documenting the kind of information stored on each server will help, and it shows that the risks identified for the systems you manage reflect what those systems actually hold.
  • Are you aware of who is ultimately responsible for risks associated with the information on your systems and the systems on which it is stored? Is the owner documented in some way? Would everyone on your staff give the same answer if asked?
  • Does someone formally authorize the creation of accounts on the servers you manage, or do you manage servers that are used by everyone in a particular group? Is this authorization documented in some way? When an account is requested, are tickets opened in a ticketing system or do the requesters simply send you email? Are access rights periodically reviewed? How often? What records are kept? Are you notified when someone leaves the organization so that you know to disable those accounts?
  • Do you keep tight control over who has privileged (especially root) access to your systems? Are the passwords for those accounts changed periodically? Do you enforce strong passwords through system settings (password aging and complexity rules) rather than relying on policy alone?
  • Can anyone gain access to the servers you manage, or are they secured in a limited-access data center? Are doors left open? Can people "piggyback" (i.e., follow each other into the server room in a way that requires only the lead person to open/unlock the door)? Are staff aware of what they need to do to maintain physical security?
  • Do you maintain a clear distinction between development, test, and operational systems? Are there barriers between them? Auditors might ask about the separation of these system types.
  • What kind of documents might be sitting on your desk and those of your coworkers? Are they labeled in accordance with whatever labeling scheme your organization has devised?
  • Do you periodically review log files? Do you keep records of these reviews (who reviewed which logs, when, and what was found)?
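The privileged-access, password-aging and log-review questions above are the ones a Unix administrator can answer with evidence rather than assurances. The script below is an added example, not part of the original article; its functions, file layout and sample data are the editor's own. It reads passwd, shadow, login.defs and an auth.log-style file (constructed samples are embedded so it runs offline; on a real host point the functions at /etc/passwd, /etc/shadow, /etc/login.defs and your authentication log) and prints a dated review record that can be filed as evidence that the review happened.

```shell
#!/bin/sh
# Added example (not from the article): gather audit evidence for the
# privileged-access, password-policy and log-review questions.
# Every function takes a file path so it can run against the constructed
# samples below; on a real host pass /etc/passwd, /etc/shadow,
# /etc/login.defs and /var/log/auth.log (or your distribution's equivalents).
set -u

# --- constructed sample data standing in for the real files ---------------
SAMPLE_DIR=$(mktemp -d)
SAMPLE_PASSWD="$SAMPLE_DIR/passwd"
SAMPLE_SHADOW="$SAMPLE_DIR/shadow"
SAMPLE_LOGIN_DEFS="$SAMPLE_DIR/login.defs"
SAMPLE_AUTH_LOG="$SAMPLE_DIR/auth.log"

cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backupop:x:0:0:backup operator:/home/backupop:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
EOF
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backupop:$6$constructed$hash:19000:0:99999:7:::
alice:$6$constructed$hash:19000:1:90:14:::
bob:$6$constructed$hash:19000:0::::
EOF
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# Password aging controls (constructed sample)
#PASS_MAX_DAYS   99999
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
EOF
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 10:01:12 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar  3 10:01:15 web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Mar  3 10:02:01 web01 sshd[2108]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
Mar  3 10:03:44 web01 sshd[2115]: Failed password for root from 203.0.113.5 port 51502 ssh2
Mar  3 10:05:09 web01 sshd[2120]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Mar  3 10:06:30 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl restart nginx
EOF

# --- checks ---------------------------------------------------------------

# Accounts other than root with UID 0: each one is root under another name
# and must appear on the authorized privileged-access list.
uid0_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts with a usable password (not locked with ! or *) whose maximum
# age field is empty or 99999, i.e. the password never expires.
non_expiring_passwords() {
  awk -F: '$2 !~ /^[!*]/ && ($5 == "" || $5 >= 99999) { print $1 }' "$1"
}

# Effective PASS_MAX_DAYS; commented-out lines are skipped because their
# first field starts with "#".
pass_max_days() {
  awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print (v == "" ? "unset" : v) }' "$1"
}

# Failed SSH password attempts per source address, most frequent first.
failed_ssh_by_ip() {
  grep 'sshd\[[0-9]*\]: Failed password' "$1" \
    | awk '{ for (i = 1; i <= NF; i++) if ($i == "from") print $(i + 1) }' \
    | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Commands run through sudo: who ran what.
sudo_commands() {
  awk '$5 == "sudo:" {
         for (i = 1; i <= NF; i++) if ($i ~ /^COMMAND=/) {
           sub(/^COMMAND=/, "", $i); cmd = $i
           for (j = i + 1; j <= NF; j++) cmd = cmd " " $j
           print $6, cmd
         }
       }' "$1"
}

# Dated review record: who reviewed what, when, and what was found.
evidence_report() {
  printf '== Access and log review %s by %s\n' "$(date -u +%Y-%m-%dT%H:%MZ)" "$(id -un)"
  printf '== Extra UID 0 accounts\n';          uid0_accounts "$1"
  printf '== Non-expiring passwords\n';        non_expiring_passwords "$2"
  printf '== PASS_MAX_DAYS: %s\n' "$(pass_max_days "$3")"
  printf '== Failed SSH logins by source\n';   failed_ssh_by_ip "$4"
  printf '== sudo commands\n';                 sudo_commands "$4"
}

evidence_report "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" "$SAMPLE_LOGIN_DEFS" "$SAMPLE_AUTH_LOG"
```

Run it by hand or from cron before each scheduled review and file the output with the ticket or wiki page that documents the review: the dated header is the record of who reviewed what and when, and the lists of extra UID 0 accounts and never-expiring passwords are the items you would otherwise be asked to explain from memory.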

How to interact with auditors

Audits are always somewhat intimidating. At least I have always found them so. I don't want to be the reason my company fails to get its certification, but auditors are generally very reasonable, and the questions they ask rarely come out of the blue. While they may know nothing at all about Unix, they have likely talked with a lot of systems administrators over their years of auditing.

When speaking with an auditor, be calm, be polite, and don't ramble. Answer the questions asked and don't bring up topics of your own, even if you believe that doing so would improve your credibility. If an auditor asks about a situation you don't know how to handle, it's fine to say that you would ask your manager, and don't be afraid to refer to notes. If asked whether you know where the controls or particular records are located, it's perfectly OK to open a spreadsheet of URLs that point to all the resources you might need. Nothing in the standard says you have to keep all of this information in your head.

Once you've survived a few audits, you'll likely get the hang of it and feel fairly comfortable with the process, but a little review ahead of time is always a good investment.

Copyright © 2015 IDG Communications, Inc.
