
Dark Reading | Analytics | Quick Hits
6/30/2012 03:16 AM

The Secret World Of Compliance Auditors

Working with an auditor can be a harrowing experience -- or a good one. Here are some tips for making things go well.

[Excerpted from "The Secret World Of Compliance Auditors," a new, free report posted this week on Dark Reading's Compliance Tech Center.]

"Compliance" is often treated as a dirty word, evoking images of glum-faced auditors walking around with a clipboard and grimly ticking off items on a long and convoluted checklist. Companies complain that becoming compliant is expensive and time-consuming, and that staying compliant is difficult.

But compliance with industry and other regulations is not only non-negotiable, it can also make your company more secure. Achieving and maintaining compliance is not easy, to be sure, so organizations need to draw on every resource they can. One of those resources can be your compliance auditor.

If you're due to be audited in the near future, a good pre-emptive step is to bring in your own auditor to see what potential issues might be found in your environment.

Most compliance auditors are careful to maintain their independence. Their job is to act in an advisory capacity, giving organizations the information they need to secure their processes and information. While auditors aren't going to fix the problems they find, they will offer recommendations and can be a great educational resource. When selecting an auditor, it's very important to pick one who understands how a particular regulation applies to your industry and type of business.

While many compliance auditors have a technology background, not all of them are information security professionals. They may have experience in IT planning or change procurement, be former systems administrators or have worked in some other IT capacity. There is no specific set of certifications that compliance auditors are required to have, although a handful of credentials are widely recognized and accepted.

Experience in technology and security is essential when looking for an auditor. Regardless of certification, the auditor should know IT security and internal controls, experts say. The team working on the assessment should have a fundamental understanding of the technology being used and the security goals.

Experts recommend working with the audit team ahead of an important audit to ensure that major issues have been addressed before beginning the formal audit. Engage the assessor early and ask for suggestions before the team even shows up to conduct the audit.

It's perfectly acceptable to ask what areas or specific directives other companies are having trouble with, and then run a self-assessment to see how those issues are being handled internally. There are a handful of issues that a significant number of companies struggle with under FISMA, for example, and knowing what they are gives the organization a head start on verifying its own implementation, experts say.

To find out more about the compliance auditing process -- including a detailed list of criteria to look for in an auditor -- download the free report on compliance auditing.
