While responding to requirements identified during IT audits, both internal and external, I have observed many cases where the identified requirement was to demonstrate that an implementation plan was in place to mitigate a number of risks. Instinctively one would think that carrying out the implementation was implied in the requirement, but this is often far from the truth.
Upon presenting the plan in detail along with expected results at each stage of the implementation, we were reminded that the audit action was specifically to demonstrate that a plan existed to solve the problems, and that we had successfully fulfilled the requirement. As the auditor’s report did not state that the plan needed to be implemented, no further action was sanctioned and our consulting activity was concluded.
From the auditor’s point of view, defining an action in the form of ‘tell me how you are going to fix this problem’ is a logical next step. However, far too often it results in a focus on closing audit actions rather than on resolving the underlying issue that caused the audit action to be defined in the first place. As security professionals, we have a duty to decision makers to clearly challenge the requirements under these conditions, by illustrating the potential consequences of inaction: a plan that is never implemented leaves the original risk exactly where the audit found it.