Compliance Audit IS NOT Substantive Audit

The other day I attended a meeting where I got hit by a new concept. It is the unfortunate brainchild of the new age of risk management and compliance obsession.

So it goes like this: Compliance = Vulnerability.

Or to put it properly: lack of compliance will cost the same as mitigating a high-risk vulnerability. I’m afraid this really means a waste of resources: tons of time and money invested in full-blown compliance audits, and sooner or later reality won’t matter anymore. You’ll get your compliance certificate and that’s it: you’re safe.

Oh, I wonder where the days have gone when there was a clear cut between the compliance check and the hands-on, real-life, substantive audit. Is it really a good direction that we’re heading in?
I really don’t think that a canned compliance audit can deliver the X-factor needed by a company whose ultimate goal is Information Assurance.

X-Factor: effectiveness of the security controls in place.
Am I the only one fed up with all this compliance buzz?


2 Responses to “Compliance Audit IS NOT Substantive Audit”

  • 1
    Jon Robinson
    February 18th, 2007 06:25

    I totally agree that compliance regulations waste money and cause companies to get a rubber stamp rather than strive for an ideal level of security for their situation. Regulations force companies to do something that they may not do were they free to spend their money and time as they wish to fill their customers needs.

  • 2
    Anurag Agarwal
    February 20th, 2007 03:05

    I think that compliance has a place in the industry. In my experience, had it not been for compliance, many companies would not have paid attention to web application security at all. Unfortunately, many of the product managers or project managers (in big enterprises) still do not understand the issue of web application security (or should I say don’t want to understand) and hence we see a lot of vulnerable applications out there. As for small and medium businesses, the sheer cost of securing web applications in itself makes them not go for the solutions. Compliance in a way is forcing them to do something about it. However, the problem starts from the governing agencies enforcing compliance. Take PCI compliance for example. It all started as a good idea to force companies to secure customer information, but then they lost focus along the way. It is OK as long as you are making sure that the network and the applications aren’t vulnerable, but if you want to force a company to have a source code audit by an independent third party, that is where it gets ridiculous.
    What about companies that don’t want to reveal their source code? What if it is proprietary software? Can I trust the company that is doing my source code audit, or more importantly, can I trust the person who is doing my source code audit? We have seen cases of HackerSafe certifying websites as safe from hackers; we have seen cases of banks’ employees (who are the guardians of the customer information) selling the very customer information to outside agencies. Who can I trust? Not to mention, what is the guarantee that the person doing the source code audit has enough knowledge of the language, or more importantly, where are the secure coding guidelines for us to follow?
    The sheer cost of doing web application security compliance, including black box testing, white box testing, source code analysis, web application firewall, etc., will run into hundreds of thousands of dollars, not to mention the amount you have to pay the auditors.

    The other ugly side of compliance is auditing companies. For PCI compliance, there have been too many companies providing PCI compliance for prices ranging from $1000 to $13000. This confused me and I started to ask questions about what the value addition is for that extra money, and after doing a lot of research, I found out it’s not about the value additions for the extra money, it’s about saving your neck. When you can buy a compliance certificate for $1000, then why would you want to pay $13000? Now, if you really are concerned about your security and want to do things the right way, then the price definitely will not be $1000.

    I am sorry to say but compliance has become just another way for auditing companies to make money and the real message has gotten lost.