What are the brakes on a car designed to do? I have asked this question many times when speaking to customers or organizations who were dipping their toes into the audit space. Invariably, their answer was, “To stop the car.” At this point, I would then ask, “Then how do you get where you want to go?”

What Is the Purpose of Controls and a Compliance Program?

When people think about controls, especially in the information technology space, they think that controls mandated by auditors are there to get in the way. They have a feeling that all of the requirements behind PCI, SOX, HIPAA, NIST, NERC, etc. are there to prevent them from doing business the way that they want.

Organizations that I have come across have the perception that if security or the auditors would get out of the way, they would be able to sell more widgets or make more gadgets. “We trust our people to do the right thing….” Underlying that is the unspoken phrase: “We hope they will do the right thing….”

There is a well-worn rejoinder to such a belief: hope is not a strategy, and trust is not a control. As my old friend Gene Kim used to say, “Behind every FAA regulation is a plane crash.”

The same can be said of every IT control that you find your auditors asking about:

“Have you disabled Telnet, TFTP and other insecure services and protocols?”

“Do you enforce a minimum password length of 13 characters?”

“How often do users have to change them?”

“Can they re-use passwords?”

There are hundreds if not thousands of things that an auditor is looking for, and if your organization does not have (Read more...)
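One way to answer those four auditor questions on a Linux host, as an added example that is not part of the original post. It assumes a systemd host (a `systemctl list-unit-files` style listing for services), `/etc/login.defs` `PASS_MAX_DAYS` for rotation, `pam_pwquality` `minlen` for length and `pam_pwhistory` `remember=` for reuse. The 13-character threshold comes from the question above; the 90-day rotation and five remembered passwords are my own choices, not figures from the post. The two config sets it audits, one weak and one hardened, are constructed samples so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post. Checks four common audit
# controls against config files. Assumptions (mine): systemd unit listing,
# login.defs PASS_MAX_DAYS, pam_pwquality minlen, pam_pwhistory remember=.
set -u

# Constructed sample configs: one weak host and one hardened host.
FIX=$(mktemp -d)
trap 'rm -rf "$FIX"' EXIT

# make_fixture <dir> <minlen> <maxdays> <remember> <telnet-state>
make_fixture() {
    mkdir -p "$1"
    printf 'UNIT FILE       STATE    PRESET\nssh.service     enabled  enabled\ntelnet.socket   %s  enabled\ntftp.socket     disabled disabled\n' "$5" > "$1/unit-files"
    printf 'PASS_MAX_DAYS   %s\nPASS_MIN_DAYS   1\nPASS_WARN_AGE   7\n' "$3" > "$1/login.defs"
    printf '# pwquality\nminlen = %s\ndcredit = -1\n' "$2" > "$1/pwquality.conf"
    printf 'password requisite pam_pwquality.so retry=3\npassword required  pam_pwhistory.so remember=%s use_authtok\npassword [success=1 default=ignore] pam_unix.so sha512 use_authtok\n' "$4" > "$1/common-password"
}
make_fixture "$FIX/weak"     8  99999 0 enabled
make_fixture "$FIX/hardened" 14 90    5 disabled

# Prints enabled telnet/tftp/rsh/rlogin units; exits 1 if any were found.
insecure_services() {
    awk 'NR > 1 && $2 == "enabled" && $1 ~ /^(telnet|tftp|rsh|rlogin)/ { print $1; found = 1 }
         END { exit found ? 1 : 0 }' "$1/unit-files"
}

# minlen in pwquality.conf must be present and >= $2.
min_length_ok() {
    n=$(awk -F= '$1 ~ /^[[:space:]]*minlen[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }' "$1/pwquality.conf")
    [ -n "${n:-}" ] && [ "$n" -ge "$2" ]
}

# PASS_MAX_DAYS in login.defs must be present and <= $2 (absent means no rotation).
max_age_ok() {
    d=$(awk '$1 == "PASS_MAX_DAYS" { print $2 }' "$1/login.defs")
    [ -n "${d:-}" ] && [ "$d" -le "$2" ]
}

# pam_pwhistory remember= in the password stack must be present and >= $2.
history_ok() {
    r=$(sed -n 's/.*pam_pwhistory\.so.*remember=\([0-9][0-9]*\).*/\1/p' "$1/common-password")
    [ -n "${r:-}" ] && [ "$r" -ge "$2" ]
}

# audit <dir>: one PASS/FAIL line per control; returns the number of failures.
audit() {
    fails=0
    if insecure_services "$1" >/dev/null; then echo "PASS no insecure services enabled"
    else echo "FAIL insecure service enabled: $(insecure_services "$1" | tr '\n' ' ')"; fails=$((fails + 1)); fi
    if min_length_ok "$1" 13; then echo "PASS minimum password length >= 13"
    else echo "FAIL minimum password length missing or below 13"; fails=$((fails + 1)); fi
    if max_age_ok "$1" 90; then echo "PASS password rotation <= 90 days"
    else echo "FAIL PASS_MAX_DAYS missing or above 90"; fails=$((fails + 1)); fi
    if history_ok "$1" 5; then echo "PASS password reuse blocked (>= 5 remembered)"
    else echo "FAIL pam_pwhistory remember missing or below 5"; fails=$((fails + 1)); fi
    return "$fails"
}

echo "== weak host =="
audit "$FIX/weak" || echo "weak host: $? control(s) failed"
echo "== hardened host =="
audit "$FIX/hardened" && echo "hardened host: all controls pass"
```

To run it against a real Debian-family host, replace the fixtures with the output of `systemctl list-unit-files --type=service,socket`, `/etc/login.defs`, `/etc/security/pwquality.conf` and `/etc/pam.d/common-password` (`/etc/pam.d/system-auth` on RHEL-family systems). Note that each check fails closed: a missing `minlen`, `PASS_MAX_DAYS` or `remember=` counts as a failure, because an absent setting means the control is not in force, which is exactly the gap an auditor will write up.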