"Compliance" is often treated as a dirty word, evoking images of glum-faced auditors walking around with a clipboard and grimly ticking off items on a long and convoluted checklist. Companies complain that becoming and staying compliant is expensive, time-consuming and difficult to maintain.
But compliance with industry and other regulations is not only non-negotiable, it can keep your company more secure. Achieving and maintaining compliance is not easy, to be sure, so organizations need to leverage any and all resources they can. One of those resources can be your compliance auditor.
If you're due to be audited in the near future, a good pre-emptive step is to bring in your own auditor to see what potential issues might be found in your environment.
Most compliance auditors are careful to maintain their independence. Their job is to act in an advisory capacity, giving organizations the information they need to secure their processes and information. While auditors aren’t going to fix the problems they find, they will offer recommendations and can be a great educational resource. When selecting an auditor, it’s very important to pick one who understands how a particular regulation applies to your industry and type of business.
While many compliance auditors have a technology background, not all of them are information security professionals. They may have experience in IT planning, change management or procurement, be former systems administrators or have worked in some other IT capacity. There is no specific set of certifications that compliance auditors are required to have, although a handful of credentials are widely recognized and accepted.
Experience in technology and security is essential when looking for an auditor. Regardless of certification, the auditor should know IT security and internal controls, experts say. The team working on the assessment should have a fundamental understanding of the technology being used and the security goals.
Experts recommend engaging the audit team well ahead of an important audit so that major issues are addressed before the formal audit begins. Bring the assessor in early and ask for suggestions before the team even shows up to conduct the audit.
It’s perfectly acceptable to ask what areas or specific directives other companies are having trouble with, and then run a self-assessment to see how those issues are being handled internally. There are a handful of issues that a significant number of companies struggle with under FISMA, for example, and knowing what they are gives the organization a head start on verifying its implementation, experts say.
To find out more about the compliance auditing process -- including a detailed list of criteria to look for in an auditor -- download the free report on compliance auditing.