I was shooting the breeze recently with an old colleague we're about to start some serious work with. He's just not sure of the timing yet, because he first needs to "clear" one of those IT "audits" performed as part of the yearly financial audit by one of the Big firms. You know the ones.

He can't start on a serious security review and testing until he has fixed the "major" issues they identified, such as his IT Security Policy not being aligned to the latest revision of ISO 27001 (or BS 7799, whichever), plus a few other "major" issues such as password lengths on some non-critical systems that few people use. Whether the policies themselves are actually complied with doesn't matter, so he will be able to clear that point by producing a bit of policy documentation that, in reality, has no relevance to the environment. At least it will please the auditor, and he'll be one step closer to "passing" the audit. Management will be happy and the organisation deemed secure. He is in a good position, though, in that his management also realises this is all BS and has set aside money for a real assessment of their security position. Sadly, few companies see it this way.

I spent a number of years myself going through these “audits” in a past life. They pretty much went like this:

1. Meeting with serious-looking, well-spoken young auditor(s) who outline their plan and talk to us as if we don't know much.
2. Auditors lock themselves in a room for 2-3 weeks, appearing every few days to ask some weird and inane questions. They return to their room; we laugh and shake our heads.
3. Auditors leave. Not sure when, but eventually we notice the room they used is empty.
4. A month or two later, a report arrives with bugger all in it. Regardless of the severity of the findings (most of which we would rate as "minor"), we are still bound to enter them into the Audit Tracking System and work to resolve them, putting on hold the higher-priority issues we had actually been working on. (Note: the auditors would rarely find anything of substance unless we "fed" it to them, i.e. something we really needed to get done but business management was not supporting.)

Things haven't changed much. We still see organisations bogged down in audits of questionable value while serious issues are neglected, wasting time, money and resources and, more importantly, leaving the organisation potentially exposed to far more serious business threats.

Another recent example (there are too many to document all of them here) highlighted the frustrations of IT in such scenarios. The Big Auditor presented a report with about 20 findings, none really critical, but many of them likely to take a good deal of time and cost to rectify. In parallel, a review undertaken by information security specialists (driven by a less urgent compliance requirement) highlighted major, business-threatening issues: an ownable Internet-facing environment, access into internal networks, major vulnerabilities on critical systems, access to client information, and so on. Those findings could not get the attention or resources needed to rectify them. Management considered it more important to show the Big Auditor that its findings had been fixed than to work on the serious issues that could have dire results for the business. Many months down the track, little has been done to fix the real problems.

Many companies do themselves no favours by being unable to identify, distinguish and prioritise security issues. Sadly, many put their faith in highly paid consultants and auditors (of questionable expertise and experience) to provide them with a real and accurate assessment of their risk exposure. (To be fair, most don't know any better.)

Did I mention the client recently quoted $1.4M by a Big consultant for an ISMS / 27001 scoping exercise? No actual work, just $1.4M to identify what might need to be done. Good work if you can get it!

Some related posts:

Risk Management – Great in meetings, not so much in practice
The 7 Reasons why businesses are insecure
Why Data Breach Notification may fail