Friday, March 19, 2010

Asking the right questions

My dad is an attorney. Maybe that helps me more than I thought as far as figuring things out.

A great example is from today at work. BuCorps is being audited. From my standpoint, that means applications and servers I host are getting scanned for security vulnerabilities. I fully support this effort and want to ensure that our servers are as robust as they need to be to thwart attacks. Today there were several meetings with the group doing the audit. I've never been involved in an audit of this nature before, so I was pretty interested in how it would progress. I prepared for all the questions I envisioned would be asked so I didn't come across as unqualified.

The first meeting was about backup and recovery. Notebook in hand, full of information about our backup, disaster recovery, and continuity of operations plans, I was prepared. Imagine my disappointment when all I was asked for was a screenshot that demonstrated that the databases were scheduled to be backed up nightly. I was in shock. I wasn't asked about the percentage of the time the backups were successful. I wasn't asked if the backups were moved to another location. I wasn't asked about restoring from backup. I wasn't asked about what happens if the building is blown up and we lose servers. All the auditors wanted to see was that the backups were scheduled. Had they asked the right questions, they possibly could have gotten some pretty juicy information for their audit. But, alas, all they wanted to know about were the scheduled jobs.

My second meeting was about security patches. The auditors wanted to see what operating system security patches had been installed in the last 6 months. I asked them what I needed to show them to satisfy their requirements. They didn't know. I asked them what servers they were interested in. Again, they had no specifics. They ended up getting screenshots of the Add/Remove Programs wizard. I hope it works.

My third meeting was about security scanning. The first thing that irked me was when the auditors showed up late. Everyone else made it on time; they were late. But I'll forgive that. It gave everyone else an opportunity to prepare for their arrival. Having heard stories of past audits crippling hardware because an improper button was selected, I had several topics to discuss. The most hilarious was trying to get the idea across that running security scans on a production server in the middle of the day was not a good idea. They just didn't understand the repercussions. In fact, the importance of the servers seemed to slip their minds. The servers they wanted to scan are used by more than 40,000 employees every day. The servers interact with terabytes of data each day. It just didn't click.

The audits will continue next week, so I'm sure the hilarity will continue. I guess today just reinforced the importance of understanding what you're working on. A finance major will have difficulty doing a GOOD audit of a computer infrastructure because they don't know what everything is, the same way a computer expert couldn't do a home inspection. When eliciting information, leading questions certainly have their place, but so do open-ended questions. Good open-ended questions allow much more knowledge to be gained than a simple leading question. Most importantly, to quote the movie Finding Forrester, "You gotta know the rules if you wanna play the game."