Dark Reading
Quick Hits

The Secret World Of Compliance Auditors

Working with an auditor can be a harrowing experience -- or a good one. Here are some tips for making things go well

[Excerpted from "The Secret World Of Compliance Auditors," a new, free report posted this week on Dark Reading's Compliance Tech Center.]

"Compliance" is often treated as a dirty word, evoking images of glum-faced auditors walking around with a clipboard and grimly ticking off items on a long and convoluted checklist. Companies complain that becoming and staying compliant is expensive, time-consuming and difficult to maintain.

But compliance with industry and other regulations is not only non-negotiable, it can also make your company more secure. Achieving and maintaining compliance is not easy, to be sure, so organizations need to leverage any and all resources they can. One of those resources can be your compliance auditor.

If you're due to be audited in the near future, a good pre-emptive step is to bring in your own auditor to see what potential issues might be found in your environment.

Most compliance auditors are careful to maintain their independence. Their job is to act in an advisory capacity, giving organizations the information they need to secure their processes and information. While auditors aren’t going to fix the problems they find, they will offer recommendations and can be a great educational resource. When selecting an auditor, it’s very important to pick one who understands how a particular regulation applies to your industry and type of business.

While many compliance auditors have a technology background, not all of them are information security professionals. They may have experience in IT planning or change procurement, be former systems administrators or have worked in some other IT capacity. There is no specific set of certifications that compliance auditors are required to have, although a handful of credentials are widely recognized and accepted.

Experience in technology and security is essential when looking for an auditor. Regardless of certification, the auditor should know IT security and internal controls, experts say. The team working on the assessment should have a fundamental understanding of the technology being used and the security goals.

Experts recommend working with the audit team ahead of an important audit to ensure that major issues have been addressed before beginning the formal audit. Engage the assessor early and ask for suggestions before the team even shows up to conduct the audit.

It’s perfectly acceptable to ask what areas or specific directives other companies are having trouble with, and then run a self-assessment to see how those issues are being handled internally. There are a handful of issues that a significant number of companies struggle with under FISMA, for example, and knowing what they are gives the organization a head start on verifying its implementation, experts say.

To find out more about the compliance auditing process -- including a detailed list of criteria to look for in an auditor -- download the free report on compliance auditing.
