Reply to post: One time for an audit

See that last line in the access list? Yeah, that means you don't have an access list

tip pc Silver badge

One time for an audit

Before our annual audit we were instructed to remove occurrences of ‘any’ in the policy.

There are occasions where you might want an any, i.e. you may want all clients to the proxy or to AD, DNS, AV, NTP etc.

Auditors typically don’t understand the technology and back then just looked for keywords like any.

So I put in an inverse rule, effectively permit any source other than a made up range to dst on specific ports.

The auditor was happy with that despite it effectively being an any.

That’s when I realised management and expensive auditors cared more about ticking boxes than actual intent behind the requirement.

Been the same ever since.
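The check an auditor should have run on that policy is one that measures what a rule actually matches rather than grepping for the word "any". The following is an added illustration, not code from the comment author or from any firewall vendor: it models a rule generically as permitted source prefixes minus carved-out prefixes (the negation syntax of real firewalls varies, so this is an assumption), computes the share of IPv4 space the rule effectively admits, and flags rules that cover almost all of it, including the "everything except a made-up range" construction described above. The rule names, prefixes and ports are constructed sample data.

```python
"""Flag policy rules whose effective source is (almost) the whole IPv4 space."""
import ipaddress
from dataclasses import dataclass, field

IPV4_TOTAL = ipaddress.ip_network("0.0.0.0/0").num_addresses


@dataclass
class Rule:
    name: str
    src: list                                        # permitted source prefixes (IPv4 CIDR strings)
    src_except: list = field(default_factory=list)   # carved-out source prefixes (assumed negation model)
    dst_ports: tuple = ()                            # kept for context only; not used in the check


def effective_source_count(rule: Rule) -> int:
    """Number of IPv4 addresses the rule's source actually matches."""
    allowed = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in rule.src))
    carved = list(ipaddress.collapse_addresses(ipaddress.ip_network(n) for n in rule.src_except))
    total = sum(n.num_addresses for n in allowed)
    # Two CIDR blocks either nest or are disjoint, so an overlap removes the smaller block.
    for a in allowed:
        for c in carved:
            if a.overlaps(c):
                total -= min(a.num_addresses, c.num_addresses)
    return total


def coverage_fraction(rule: Rule) -> float:
    """Fraction of the IPv4 address space the rule's source admits."""
    return effective_source_count(rule) / IPV4_TOTAL


def effectively_any(rule: Rule, threshold: float = 0.99) -> bool:
    """True when the rule admits at least `threshold` of all IPv4 addresses."""
    return coverage_fraction(rule) >= threshold


def audit(rules: list, threshold: float = 0.99) -> list:
    """Return the names of rules that are 'any' in effect, whatever their wording."""
    return [r.name for r in rules if effectively_any(r, threshold)]


# Constructed sample policy; 203.0.113.0/24 stands in for the "made up range" of the story.
SAMPLE_RULES = [
    Rule("proxy-any-literal", src=["0.0.0.0/0"], dst_ports=(8080,)),
    Rule("proxy-inverse", src=["0.0.0.0/0"], src_except=["203.0.113.0/24"], dst_ports=(8080,)),
    Rule("dns-internal", src=["10.0.0.0/8"], dst_ports=(53,)),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(f"{r.name:20s} coverage={coverage_fraction(r):.8f} any={effectively_any(r)}")
```

Both the literal and the inverted proxy rule are flagged, while the 10.0.0.0/8 DNS rule is not; a keyword search would have passed the second one.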
