Most people fail to realize that audits can and should be a productive experience that not only helps an organization learn what it needs to do better, but also provides some perspective on best practices and other techniques that can improve the information security posture of an organization. The auditor sees far more than you do, so this person should be treated as a resource.
I would encourage my auditor to use his or her subjective opinion of my environment to help me improve my security. And given the wide-ranging nature of different technology environments, it's not possible to define regulations tightly enough to remove subjectivity.
If we are talking about PCI DSS specifically, let's take its first requirement -- "Install and maintain a firewall configuration to protect data." How is that anything but subjective? The auditor will ultimately be the one who defines what an acceptable firewall configuration should be. PCI DSS's third requirement -- "Protect stored data" -- is similarly nebulous. As you dig into the details of each requirement, there are more specifics detailing what each requirement means, but there is wiggle room -- there always is.
So the bottom line is that an audit, even a PCI DSS audit, is going to be partially subjective. Keep that in mind as you gather your data and go through your audit.
Related Q&A from Mike Rothman