Tag Archives: compliance

Compliance risk, the risk management trump card


Organizations that perform risk management are generally aware of the laws, regulations, and standards they are required to follow. For instance, U.S.-based banks, brokerages, and insurance companies are required to comply with GLBA (the Gramm-Leach-Bliley Act), and organizations that store, process, or transmit credit card numbers are required to comply with PCI-DSS (the Payment Card Industry Data Security Standard).

GLBA, PCI-DSS, and other regulations often state in specific terms what controls are required in an organization’s IT systems. This brings to light the matter of compliance risk. Sometimes the risk associated with a specific control (or the lack of a control) is rated as low, either because the probability of a risk event is low or because the impact of the event is low. However, if a given law, regulation, or standard requires that the control be implemented anyway, then the organization must also consider the compliance risk: non-compliance may result in fines or other sanctions against the organization, and those consequences may (or may not) be greater than the consequences of the underlying risk itself.

The end result of this is that organizations often implement specific security controls because they are required by laws, regulations, or standards – not because their risk analysis would otherwise compel them to.

Excerpt from CISA All-In-One Study Guide, second edition

IT auditing is more about people than technology


I was recently asked the following question in one of my forums:

“Some of the challenges I face pertain to the anxiety system administrators face before I come on-site. They are defensive from the time I walk in to the time I leave. They don’t take too well to people telling them a control may not have been properly implemented.”

IT auditing is not *really* about the technology at all, but about the *people* who design, build, and operate the technology. Servers don’t have feelings and egos, but people certainly do.

My advice is to do what I do – have a good “bedside manner” and put the patient at ease. Explain why you are there in as non-confrontational a manner as possible. Say things like, “I’m here to understand how things are done here and how I can help with these compliance needs.” Explain that the standards and audits have gotten a lot harder these days, which requires a lot of changes. Empathize with them, and be there as a guide who is also learning.

I also suggest that you take the approach that you are there to learn what they do. Present yourself as “less expert” than them, so that you are not a threat to them. Say things like, “I’m here to learn about these systems that you built and manage,” not “I’m here to see what you’re doing wrong.”

Have a gentle touch. Be confident and friendly, but non-threatening.

I meet new colleagues all the time. This works, as long as your heart and your mind are in the same place. People can see through a facade and will distrust an auditor who is acting.