Friday, December 22, 2006

We Don't Need No Stinking Compliance

The Securities and Exchange Commission recently issued a statement expressing approval of the Public Company Accounting Oversight Board's (PCAOB) vote proposing a new auditing standard for section 404 of Sarbanes-Oxley that would make audits more risk-based, more targeted, and less exhaustive.  The hope is that it would make the process less onerous.  Such is the problem with many information security compliance efforts.  The hope is that they will ultimately result in lower risk to the organization.  However, many auditors, coming largely from the financial side, wouldn't know a security risk if it hit them in the face.  Instead, they resort to audit standards that are exhaustive, unwieldy, and petty.  The failure to post a system use notification may result in the same finding as a gaping hole that you could drive a truck through.  In an auditor mindset, every finding needs to be addressed somehow by management.  And there lies the rub.

Financial audits have been around for a long time.  We've already determined, for the most part, which issues to worry about and which don't require action.  But with information security, auditors are often flying blind.  They rely on checklists that they didn't write and that were often written as suggested practices that may or may not work depending upon one's environment, which is, of course, the other problem.  It's just not feasible to implement all these controls in certain environments, nor should all environments start out with the same checklists.  In fairness, though, it's often the organizations themselves that fail to define the right controls.  If auditors were handed a set of controls that the organization feels it should be bound to, the organization would be in a better position to argue that the auditor's additional proposed controls are inappropriate.  What would you prefer:  the ability to write your own rules, or having some outside entity write them for you?