Want to Stay Compliant, Work WITH Internal Audit

Internal Audit.

It’s right up there with Traffic Wardens, Used Car Salesman, and Lawyers, isn’t it? You get a phone call from Internal Audit (IA) and it feels like you’ve just been sent to the Head Master’s office!

But why? If you have been doing everything right, following appropriate policies and procedures, have ACTUALLY read the Acceptable Use / Code of Conduct, why would this be any different? I mean, even SECURITY winces at IA, and we’re total pariahs ourselves!

This is unfortunate, because like it or not, every department needs someone to provide checks and balances. Someone who can look at everything with a fresh and objective pair of eyes, someone not answerable to YOUR boss so they can tell them how it is without repercussions, someone who can suggest the changes that you know should happen, but fear / politics prevents you from saying anything about.

Take your pick; regardless of how you view IA, they, like InfoSec, are a necessary evil in a world where both the threat and regulatory landscapes are spinning out of control.

Best practice frameworks like ISO 27001 call for Internal Audit by name, and an ever increasing number of regulators are requiring evidence FROM IA processes so that organizations demonstrate that they are actually complying with their own policies. This should not be a hardship; if your corporate security culture were adequate, this would not be an issue. Look to the senior leadership: if they don’t care, no-one else will.

I have stated over and over again that if you were doing security properly, EVERY compliance regulation on the planet would fall out the back-end (plus or minus some customised reporting). Not one has ever, and likely WILL never, go above industry accepted best practices, as no-one is looking for perfection, just enough risk reduction.

It makes perfect sense to me therefore that you would put a watcher on the watchers. Security have their fingers in almost every business pie, just to make sure that proper security controls are built in from the beginning. Like Legal, security is there to save the business from itself, and done properly, it should NEVER get in the way.

This can lead to a certain complacency, or blinkered view of the world; IA can provide the necessary perspective to continually test processes that could potentially stagnate if not seen through an objective lens. And who knows, because IA generally have direct (if dotted line) access to senior leadership, there is a very good chance your requests for budget/resources will be looked on favorably if supported by an entity mostly immune from repercussions.

In this context therefore, Internal Audit is the conscience of Security: Are the controls enough? Are they too much? Are they easily measured? Are they flexible enough to adapt to business goals? etc…

From the very first policy draft, to the almost ubiquitous Plan, Do, Check, Act of ISO 2700X, security professionals need to look to IA for support and guidance, but the opposite is equally true. IA can tend to rely on their unassailable positions to hide a lack of expertise in security subject matter; they need to work just as closely with security to make sure they are up to the task.

How to Achieve Compliance on the Road to Real Security

There’s a cheesy quote by Norman Vincent Peale which goes: “Shoot for the moon. Even if you miss, you’ll land among the stars.”

This does not apply if PCI compliance is your end goal.

Set PCI compliance as your goal and miss, and you haven’t even made it out of the barrel. However, if you shoot for REAL security, there is a very good chance you’ll achieve compliance with almost any standard or regulation along the way.

PCI has always been, and will always be, a minimum set of security controls and nothing more. The SSC has said as much themselves, as have the card brands, as has anyone else who actually knows what they are doing. This is not meant as a criticism of the standard, they don’t have a lot of choice, and any organisation treating PCI as an annual project, and/or bitching about how difficult it is, deserves what they get.

As I’ve said more times than I care to admit: “Take the phrase ‘cardholder data’ out of the DSS and replace it with the phrase ‘personal information about your family’. Now name ONE requirement you don’t want in place. Seriously, name one.” So if you agree that these are nothing more than the most basic security controls, why have you not put them in place already?

In every section of the DSS there is a LOT of room for better practices, for example:

DSS Section 1 – Do you have device-to-device-only rules configured, or just a business justification for the ones you have?

DSS Section 2 – Do the testing procedures for a system require a configuration standard for every device type, or every individual device?

DSS Section 3 – Can you really perform manual key management well?

DSS Section 6 – Should you include ONLY the OWASP Top 10 in your app security testing?

DSS Section 10 – Do you have to log centrally, and can you really perform manual reviews of your log files on a daily basis?

…and so on and so on. And let’s not forget this is still just about credit card data, validated just once a year, and [potentially] only on a small sub-set of your environment.

If you were to perform a business wide risk assessment, then a security controls gap analysis, you would come up with many deficiencies in your security programme. Then, IF you were to actually take this seriously and not just see security as an expense, you would come up with a remediation plan that I can [almost] guarantee would achieve PCI compliance on the way to your goals.

Chances are better than even that you have not even performed the risk assessment, so you have no idea what your goals ARE, and look at PCI compliance as something to get out of the way as soon as possible. You will achieve PCI compliance as a tick-in-the-box exercise, throw good money after bad, and start all over again next year.

This is unfortunate, as your appropriate security goals would most likely have kept you compliant throughout the year, saving you a significant amount of time, effort and cost on re-certification. Oh, you would also be a lot more secure.

I bet Target, Neiman Marcus and Michaels wish they had done security properly.

Every time you go above and beyond what PCI requires, you are building a database of compensating controls. The more compensating controls you have, the less constrictive PCI becomes, and the closer you get to applying the expense of PCI to your actual business goals. Eventually there will be no waste.

This marks the beginning of a 12 part series where I will explain the intent of the 12 main sections of the PCI DSS, as well as provide guidance and options on how to go above and beyond PCI so that you can focus on the meaning of PCI and not just the words. More importantly, you can focus on your business.
