I am seeing a disturbing trend in the industry, and I am going to complain about it. Over the past few months, I have seen several requests for clarity on SOX compliance auditing come from IT managers through their contacts at Microsoft. Each one asks for clarification of a particular finding from a SOX security audit, and each follows the same pattern: an "independent security auditor" contracted for a SOX compliance audit ran a tool as part of the engagement, and the tool reported what it perceived to be a problem with the customer's security environment, typically a registry value that is set incorrectly or some other esoteric security configuration setting. That finding was then presented to the customer as a SOX compliance issue.
This is wrong on so many levels. IT security controls are part of your SOX compliance picture, but an individual registry setting has nothing to do with your ability to comply with the regulation, and your ability to prove compliance has nothing to do with a pen test. If your CIO has decided that a pen test is part of a SOX audit, it is your duty to help them understand that it is not. Just because a business card reads Independent Security Auditor followed by SOX, GLBA, HIPAA and whatever other regulation is in fashion does not mean its owner is qualified to attest to compliance with any of them. My guess is that most of them do not know what qualification each one actually requires. A SOX attestation is performed by a CPA; GLBA compliance is examined by your banking regulator, the FDIC and its peers; HIPAA oversight comes from HCFA (now CMS) and HHS; and CISP/PCI validation is driven by Visa and MasterCard. A CISA or a CISSP is a good thing to have for a security audit, but it is not a certification to determine compliance with any of these regulations.
My concern is that consultants are doing compliance work for these regulations without a clue what the regulations mean or what real regulatory compliance entails. If you are an IT manager and your compliance auditor is running a pen test of your environment, that is a red flag: you will not be able to prove regulatory compliance when the actual regulatory body audits you. The right approach is to inspect your control framework and to collect evidence that you are actually doing the things that make you compliant.
This is not to say that a security audit is not useful for determining whether your current security practices meet your own control objectives. Just be sure you know what you are paying for. That security audit is not going to get you far with your CPA when it comes time to prove that you are SOX compliant.