Are the Bandolier Security Audit Files Making the Grade?
Based on the reviews from early adopters, the Bandolier security audit files exceeded many expectations in 2008, including my own. We have received some very encouraging feedback from vendors, asset owners, consultants, and even our own assessment teams. With each new Bandolier release, though, we have a challenge: how do we appropriately communicate the effectiveness of each security audit file? We’ve been very careful not to oversell the project as a whole (e.g. not presenting Bandolier as a control system security panacea, qualifying that the audit files are only for servers and workstations, and making clear that they audit the best possible security configuration for a server given the realities of the server’s security features and architecture, rather than comparing it to best practice). But if you spend some time with the audit files, you’ll quickly learn that some are simply better than others. So much so that we are considering a mechanism for grading the files. There are still some det