Remember, Auditors Are There to Help You
When dealing with on-site auditors or approved scanning vendors, most people fit into one of three groups. Some people are intimidated by auditors. They see them as someone with a lot of power, and they hope they will say and do the right things to get by. A second group seems to look at auditors as their enemy. They believe they must wrestle with the auditor and hopefully win in the end. The last set of people treat the auditor like a consultant they’ve brought in to help bring their company into compliance. They respect the auditor’s opinions and keep the auditor in the loop as they work out solutions. This last group will get the most out of their auditor, will have the best overall experience, and will be able to bring their company into compliance with the least amount of hassle.
As hard as it might be to believe, auditors are there to help you. It’s important to know how to work well with auditors so that your audit will go smoothly and efficiently, and to ensure that you get your money’s worth. A good auditor will go over your company’s systems, practices, and policies with a fine-toothed comb, and tell you what you can do to improve your security. Hopefully, your primary goal in becoming Sarbanes-Oxley compliant is to have your company become more secure. When you realize that auditors provide you with a valuable service and that you’re both on the same team working towards a common goal, you will have the right attitude. Remember that auditors have moral and professional obligations to follow the guidelines and procedures they’ve been given for the audit. It is not appropriate to ask them to compromise those obligations. Auditors are trained and have likely performed many audits, and they can give you great advice on what you can do to bring yourself into compliance.
When you have the right attitude, you will find ways to use your auditor to improve the security of your company. Seasoned auditors have a wealth of knowledge, and leveraging it can be a huge benefit to you when bridging gaps in compliance. They have seen many technologies, policies, and practices others have put into place to mitigate risks, and should be able to give you choices that help you meet requirements in the way that works best for your situation. For example, if cost is your main concern, an auditor may know of a low-cost or open source tool that you can use to help you comply with certain requirements. On the other hand, if time is more important, the auditor may know of a solution that is quick to set up and will bring you into compliance. As you work on your remediation, it’s important to keep your auditor in the loop. This way he can give opinions on what you’ve chosen to do and can give further advice. It will also likely make your next audit much easier for both parties involved.
In some cases, failing an audit ends up being a huge win for the security of the company. In many organizations, the IT staff would like to put certain needed security measures in place, but upper management says no because of cost. Remember, upper management’s job is to help the company make money, not spend money. Even after you have done a careful cost-benefit analysis and have determined that the benefits outweigh the costs, upper management may still say no. A failed audit may be the perfect time to finally get them to say yes. If the auditor is requiring that you add something to come into compliance, you can use it as leverage with upper management to get that put in place. Again, submit a cost-benefit analysis, adding the cost of noncompliance to the total cost. Let them know that the auditor says you will not be compliant without that measure. [PCI Compliance, Tony Bradley 2007]