Analytics
6/30/2012 03:16 AM
Quick Hits

The Secret World Of Compliance Auditors

Working with an auditor can be a harrowing experience -- or a good one. Here are some tips for making things go well

[Excerpted from "The Secret World Of Compliance Auditors," a new, free report posted this week on Dark Reading's Compliance Tech Center.]

"Compliance" is often treated as a dirty word, evoking images of glum-faced auditors walking around with a clipboard and grimly ticking off items on a long and convoluted checklist. Companies complain that becoming and staying compliant is expensive, time-consuming and difficult to maintain.

But compliance with industry and other regulations is not only non-negotiable, it can also make your company more secure. Achieving and maintaining compliance is not easy, to be sure, so organizations should draw on every resource available to them. One of those resources can be your compliance auditor.

If you're due to be audited in the near future, a good pre-emptive step is to bring in your own auditor to see what potential issues might be found in your environment.

Most compliance auditors are careful to maintain their independence. Their job is to act in an advisory capacity, giving organizations the information they need to secure their processes and information. While auditors aren’t going to fix the problems they find, they will offer recommendations and can be a great educational resource. When selecting an auditor, it’s very important to pick one who understands how a particular regulation applies to your industry and type of business.

While many compliance auditors have a technology background, not all of them are information security professionals. They may have experience in IT planning or change procurement, be former systems administrators or have worked in some other IT capacity. There is no specific set of certifications that compliance auditors are required to have, although a handful of credentials are widely recognized and accepted.

Experience in technology and security is essential when looking for an auditor. Regardless of certification, the auditor should know IT security and internal controls, experts say. The team working on the assessment should have a fundamental understanding of the technology being used and the security goals.

Experts recommend working with the audit team ahead of an important audit to ensure that major issues have been addressed before beginning the formal audit. Engage the assessor early and ask for suggestions before the team even shows up to conduct the audit.

It’s perfectly acceptable to ask what areas or specific directives other companies are having trouble with, and then run a self-assessment to see how those issues are being handled internally. There are a handful of issues that a significant number of companies struggle with under FISMA, for example, and knowing what they are gives the organization a head start on verifying its implementation, experts say.

To find out more about the compliance auditing process -- including a detailed list of criteria to look for in an auditor -- download the free report on compliance auditing.
