Security and audit relationships: Uneasy antagonists or partners in arms?

The most important thing to remember about an IT auditor is that he or she focuses on a few simple questions:

Therefore, there are a few simple things security leaders can do to streamline the interactions between the security team and the auditors:

In my experience, auditors appreciate it when their jobs are made easier. One helpful approach is to fully document the mapping of the security policy and architecture to a standard framework, such as COBIT or the ISO 27000 series. When the auditor walks in and says, "How are you dealing with encryption key management issues?," it will be invaluable to know that the criteria he will use are described in COBIT "Deliver and Support" section 5.8; it will be evident what the auditor is likely to assess.

Talk to the internal audit team during the company's annual security policy and status review and get a feel for where they see deficiencies or unknowns. Be sure to do this outside the audit report and response process. Invite them to review policies and standards, and enlist them to ensure that future controls have strong record-keeping and validation.

The special nature of the QSA

Although security professionals often think of the QSA as an auditor, there are important differences. As defined by the Payment Card Industry Data Security Standard (PCI DSS), a QSA is a specialist who assists a body subject to PCI DSS in being compliant with the standard's requirements, and who can provide an acceptable assessment of whether the organization has been successful in estab

To continue reading for free, register below or login

Requires Membership to View

To gain access to this and all member only content, please provide the following information (all fields required):

First Name:
Last Name:
Country: Select... Afghanistan Aland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory British Virgin Islands Brunei Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos (Keeling) Islands Colombia Comoros Congo Congo, Democratic Republic of Cook Islands Costa Rica Cote D'Ivoire Croatia Cuba Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia, The Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard and McDonald Islands Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati Korea, North Korea, South Kuwait Kyrgyzstan Laos Latvia Lebanon Lesotho Liberia Libya Liechtenstein Lithuania Luxembourg Macau Macedonia Madagascar Malawi Malaysia Maldives Mali Malta Man, Isle of Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands Netherlands Antilles New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestine Panama Panama Canal Zone Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Reunion Romania Russia Rwanda Saint Helena Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and the Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia and Montenegro Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard Swaziland Sweden Switzerland Syria Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu U.S. Minor Outlying Islands Uganda Ukraine United Arab Emirates United Kingdom United States Uruguay Uzbekistan Vanuatu Vatican City Venezuela Vietnam Virgin Islands Wallis and Futuna Islands Western Sahara Yemen Zambia Zimbabwe
Email Address:

I would like to receive a FREE subscription to Information Security magazine online.
YesNo

Do you manage, evaluate, recommend, implement, support or purchase security products, software or services?
YesNo

Please estimate the yearly security budget for your entire organization including all security products and services.
Please select... Over $10 Million $5 Million-$10 Million $1 Million-$4.9 Million $500,000-$999,999 $100,000-$499,999 $50,000-$99,999 $25,000-$49,999 $10,000-$24,999 Less than $10,000 None

What is your role in purchasing IT related products and services? (Check all that apply)
Technical decision maker
Financial decision maker
Recommend/Specify
Evaluate products
Implement Products/Services
Determine Needs
Create Security Strategy
None

By joining SearchSecurity.com you agree to receive email updates from the TechTarget network of sites, including updates on new content, magazine or event notifications, new site launches and market research surveys. Please verify all information and selections above. You may unsubscribe at any time from one or more of the services you have selected by editing your profile or unsubscribing via email.

TechTarget cares about your privacy. Read our Privacy Policy

PCI DSS is different from the gray and ambiguous nature of other compliance objectives such as Sarbanes-Oxley; it is a mixture of principles and specifics, which can be frustrating for security professionals. In some areas, it supports strong measures for protecting cardholder data; in others, it seems surprisingly lax. For example, PCI recommends against Wired Equivalent Privacy (WEP), a known flawed protocol, but still allows it to be used until June 2010.

The QSA is also likely to be a security specialist by trade, rather than an auditor. No auditor feels right about acting as a consultant and advisor, and then turning around and judging what they just recommended, yet QSAs are allowed to do so, and many do. QSAs may be associated with a firm that sells or implements products for PCI DSS compliance, and may be under pressure to promote their firms' products or services. Recognizing these issues will better prepare security leaders to deal with QSAs effectively and professionally.

Any firm large enough to have a dedicated security staff is likely to be what PCI defines as a Level 1, 2 or 3 merchant or service provider. The scale is loosely based on the company's number of annual credit card transactions, or the nature of the business. Regardless of the particular firm's classification, it's possible to make a great start on QSA relations in the same way as with any other auditor: by knowing what questions he or she will ask before they're asked.

Fortunately, by downloading the Security Audit Procedures from the PCI Security Standards Council website, you can review the framework that QSAs use to conduct onsite reviews and validate PCI compliance. Level 2, 3 and 4 merchants are required to perform self-assessments using the documents published on that website, whereas Level 1 merchants must have an assessment performed by a qualified third-party QSA. The full effect of this document is reserved for Level 1 merchants, but anybody that handles credit card information will benefit from basing their PCI compliance on a documented target such as this.

Finally, remember that PCI DSS compliance reaches far beyond encryption, storage or protecting transactions. If the information security team is tasked with all PCI compliance activities, it's important to be much more involved with business processes and record-keeping. Build a strong relationship with the CFO, controllers and operational managers, and you can present a single voice to the QSA -- everyone involved will be better for it.

About the author:
Tony Higgins, CISSP-ISSMP, CISA, CIPP, is a consultant specializing in information security, privacy, and compliance, who has recently worked in the resort, gaming, and financial sectors.