Here is a good example of being “in compliance” but not taking the control implementation seriously.
A recent physical security audit I performed involved two server rooms that both had keypads on the door. After talking with the head sysadmin, I learned that the keypads weren’t even being used, which was obvious after a bit of recon where I could see that everyone who entered had used a key. The keypads were there because of a checklist that was being followed when the server rooms were installed. The funny thing is that I don’t think they’ve ever been programmed, but I’ve not confirmed that yet.
I am not a big fan of compliance-based security – controls should be chosen based upon risk, not compliance – but here we see an example where controls are placed to mislead auditors. Worse!!!