
Audits of the future must enrich and enforce your IT Strategy

Yesterday I presented with Prat Moghe, the founder of Tizor, on the challenges faced by businesses.  A broad topic, but we were primarily focused on the database administrators and those charged with the controls in place.  While we went into great detail on the difficulties of manually evaluating controls in a checkbox manner, and I highlighted specific concerns on twitter (#nzdc), a more basic harm and its cause emerged – most organizations have been approaching audits and controls in the wrong manner.

First off – consider what the point of the audit is.  The answer usually takes one of two prime forms:
  • The Federal government and our industry cohorts don’t trust how we’ll do business, so we have to demonstrate particular safeguards and baseline points of operating integrity to keep our operating license.
  • Management is overseeing a massively complex organism, and only through third-party verification and evaluation will we know what in the world is right, wrong, or a complete waste.

Now both responses are right, and there is nothing wrong with leaning more toward either of these points, but there is a severe cost.  Treating an audit as a checkbox exercise means that the INTENT is not being satisfied (the classic “compliance does not equal security” is a prime example), and one should not be passing such audits – but that is not the focus of this post.  Furthermore, conducting an audit in a manner where one simply responds and loosely ties the controls together for the sake of “the audit” every year translates to a complete loss of the savings that could be achieved from such events.
There is no doubt that audits are time consuming and resource intensive, much like a high-stakes test.  The difference is that when you take a high-stakes test and then take it again, you reuse the same information and have learned from the prior experience.  Too often organizations do not carry those lessons forward, because audits are treated as one-time events and not integrated.

To be sure – auditors vary in skill, standards stretch the spectrum from prescriptive to principle-based, and management and company culture severely affect how these evaluations are viewed and addressed.  It is also true that unless these lessons are carried beyond the hour in which the audit occurs, errors, expense, time, and resources will be lost forever and continually.

Best Practice Advice:

Consider your audit plan for the year and how the audits can fit with your IT strategy and IT governance function as part of the company governance program.  Draft a charter that reflects how these audits work toward the company’s goals, and how each audit enforces and ENRICHES the business operations.

Thoughts and contributions?

James DeLuccia IV
CIA, CISA, CISM, CISSP, CPISA, CPISM

Check out the webinar I mentioned above here, it shall be archived and viewable at your leisure.

How to choose a PCI DSS QSA Auditor!!

Don’t choose the lowest bidder when you are seeking the best QSA to do your onsite PCI DSS audit.  This is not an article to inflate the costs of validating your compliance program, but instead intended to LOWER the cost of the PCI onsite audit.

While giving training this week on PCI DSS a great conversation developed where we outlined what should be strongly considered when hiring a QSA for the business.  Below captures the conversation that will surely continue:

  • Selecting a QSA auditor should be done in partnership with the Internal Audit team, the Technology leadership, and the Relationship manager (or person charged with ‘owning’ the payment transactions within the business).

There is no lack of audit firms willing to do the work, so a whittling process is necessary:

  • Consider geographic location – you want one that is local or has resources local so you can have plenty of face time without incurring burdensome travel expenses
  • Consider the firm’s experience in YOUR line of business – request a specific client reference that you can speak with before signing an agreement
  • Request that the firm explicitly list the auditor by name / certifications on the contract to ensure you can compare equivalent contract proposals
  • Require a process flow for how INTERPRETATIONS will be approached, and their process for handling disagreements over those interpretations.  Remember the QSA is charged with the subjective portion of determining whether the controls are valid, so you need to be sure there is a process with reasonably qualified people on both sides of the table to ensure you have a workable process
  • Require a breakdown of how they will handle prior QSA work.  Will they use it; will they accept it; what will cause prior work to be considered non-compliant?

Please consider these practices along with your existing mature vendor vetting process.  Today is Day 2 of the PCI DSS training here in Atlanta, so I will add any additional insights as they come up.

Best,

James DeLuccia IV