To reason with an auditor
Dec 25th, 2007 by Jesper Kråkhede
During my years working in this field I have seen all different kinds of approaches to compliance and, more specifically, to the auditor. More or less all of them can be beneficial except one: never, ever try to fool or trick the auditor. The best way to get things past the auditor is to be transparent and give as much information as possible about how you have reasoned and the possible risks you have considered.
Several times I have been asked not to tell the auditor when something came up that was not beneficial for the assignment, let's say an IDS that was not installed and configured as it should be. I could have taken the easy road, not told the auditor about it and gotten it past the audit. But what would happen then? At the end of an audit the customer has to sign an agreement stating that the sample the auditor has seen is representative of the whole company. If no security problems were found, then no security problems shall exist. What happens if you sign such an agreement while you are aware of a misconfiguration? Well, noncompliance, and most probably a full investigation if something ever happens. The most important part is this: you are not in any way covered by the auditor's responsibilities as an auditor. If you are not honest, you have everything to lose.
As a CISSP I have to adhere to several ethical standards. Here are some of those most important to me:
Capgemini's values
CISSP