1) Is it common for IT design projects to consider documented "monitoring and maintenance" type activities into design projects for once the system/hardware has gone "Live". One thing that worries me if an IT auditor is asked to review "design" documents,
lets say for a new active directory, they can look at the technical spec / design of the supporting architecture to identify any obvious issues, but from past experience from IT audits of AD, they may see that many of the control issues they find and what
they make recommendations on may not have anything to do with the technical design , more to do with poor systems monitoring and maintenance type tasks. For example in AD a maintenance task might be:
Remove locked-out, disabled, or expired accounts.
WOuld that be or not be in a design for a new AD? If so what are these maintenance/monitoring activities typically referred to as in design stages.
2) Also, part 2 of the question, is why is it so important to have such activities documented formally? ie.. if its done its done, who cares if its documented? Whats the risk if it isnt documented?
Remove locked-out, disabled, or expired accounts.
WOuld that be or not be in a design for a new AD? If so what are these maintenance/monitoring activities typically referred to as in design stages.
2) Also, part 2 of the question, is why is it so important to have such activities documented formally? ie.. if its done its done, who cares if its documented? Whats the risk if it isnt documented?