this post was submitted on 24 Oct 2023
This is an automated archive.

The original was posted on /r/sysadmin by /u/TypaLika on 2023-10-24 14:09:33+00:00.


Currently going through an internal audit for security in preparation for a common certification. We have provided the internal auditor with the CUECs for our SaaS subscriptions, and they are following up for items related to products we don't subscribe to. When I try to explain this, I get lectures about never telling an auditor no followed by long-winded diatribes about how important this process is.

If I have a documented vehicle maintenance schedule and I use a fleet maintenance manual from the manufacturer as guidance, I'm not going to maintain schedules, perform tasks, and have documented procedures for models that are in the manufacturer's manual but not in my fleet. I'm absolutely certain I'm right, and I'm not going to back down and write procedures for SaaS applications we don't subscribe to, because if I do, I'll pay for that acquiescence multiple times a year in multiple inane and frustrating pointless audits. To be clear, I'm not saying audits are pointless, but audits for maintenance and security of cloud applications we don't have subscriptions for are pointless.

Is there a better analogy than my car analogy? Is there some defense for this inanity? Am I missing something, or do I just need a lobotomy to stay in this field?
