Today we have a guest editorial as Steve is out of the office.
A while back I took a two year break from being a DBA to lead an effort to enhance security for a large company. When I arrived, they were still working on the task list, from small things like changing service account passwords to bigger items like replacing 80 firewalls, all based on an in-depth review by an external auditor.
After weeks of effort the list stabilized, solutions were decided on and the work was started. The work took months to accomplish and overall, seemed to go as well as it can when you drop a ton of work onto a team that is already fully tasked. Then the second auditor arrived and started his review. Second auditor? Oh yes, we had a second firm come in to make sure nothing was missed. That second go-around resulted in more work with a lot less time to get it done to meet the compliance deadline.
We got it all done, literally finishing on the last day. We scheduled some clean-up and enhancements and looked forward to the next audit being a business-as-usual process.
You can see the train coming, right?
For the second “official” audit, we started about three months from the due date as we expected things to go smoothly. Perhaps it would have, but we now had a third auditor, and while he liked most of what he saw, there were some things he didn’t like that were deal breakers. Fix-these-or-fail kind of things. Some weren’t too bad, but one of them was huge. Not fun. But we were a better team now and we got it all done, just in time.
It was a learning moment, if a painful one. The different auditors were all interpreting the same requirements and our implementation of them, but not all in the same way or to the same degree, and so we kept having new work (and potentially previously unaddressed vulnerabilities) added to the list. We were only as good as our auditor, or perhaps the sum of our recent auditors. It was a frustrating lesson, but in hindsight an obvious one.
It’s not as easy as saying “use a different auditor each year.” Businesses like to use the same auditor (or at least the same company) year over year because it is faster and less expensive. They’ve learned the environment and have the previous year’s documentation as a base. It’s a reasonable strategy, because a new auditor every year would soak up a lot of time, and a returning auditor will often have time to dig into things they didn’t see or have time to fully vet on the first audit.
My goal isn’t to diminish the value of an audit - passing one is a good thing! Just don’t make the mistake of equating passing the test with having done enough. Keep looking for the gaps and remember that few auditors have deep experience with every bit of tech you use.