Here’s the sequence of events:

Wednesday morning I received an email alert from a company I use that my automatic monthly payment was declined.  Knowing full well it wasn’t a balance issue I assumed correctly that my bank had cancelled the card.  As I travel extensively and rely on the card exclusively I made my way to a local branch later that morning.  Along the way I called into the service center and confirmed my suspicions, that Visa informed the bank that my card was part of a range of numbers that was possibly exposed via a breach.  I asked if it was possible to learn the name of the offending vendor and was told (same as last time) that Visa doesn’t share that information.  As I am now a two-time victim it’s easy to spot the trend and hard to ignore the possibility that it might have involved the same vendor both times.  It wound up taking three visits to a branch to straighten me out and actually get a functioning card in my wallet.  The inconvenience is more than benign as I use the card in several places and will now need to make manual, one-off payments with the temporary card while awaiting the permanent card so that I can update the affected accounts.  By the time this is all said and done it will have resulted in my exhausting more than a half day of billable time trying to fix a problem I didn’t create.

A few things need to change.

• First, as part of the breach notification the card issuer needs to share with the cardholder the source of said breach.  I’ve been hit twice in six months, there’s a better than even chance that it involved the same vendor and/or processor and I deserve to know if that’s true.
• Second, affected cardholders should receive status updates providing details about the breach including the suspected source, the techniques potentially used and a description of any follow-up actions including investigative and (hopefully) criminal prosecution.
• Third, issuers need to have a better system in place to address breaches.  The fact that I have to overtly take action in order to replace the card is a joke.  I’m a billable resource and taking time out to wait to talk to a customer service representative results in loss of income; I’m being punished twice as a result.  I should have been offered the option to have a card overnighted to me or have been able to receive a card at any teller window and have it activated right there and then (I had to first activate at an ATM before I could use the temporary plastic).  The card replacement process needs to be streamlined.

We collectively as an industry and a society need to accept that both identity and card theft is a mainstream occurrence and adjust accordingly.  Legislation is needed to further insulate the victims (like me) from any extended damage or inconvenience and ensure as smooth a process as possible to allow us to continue living our lives.  Because right now I don’t just feel like a victim, I feel like I’m being punished for being one and treated like I simply don’t matter.

Hey Washington, make the industry tell us what’s going on and to treat the consumers better!

Oh, and PCI Security Standards Council, how’s that framework working out for you?  I’m thinking the only one benefiting from your content are the practitioners making money by supporting it.

Seriously, something needs to change.

One of the key considerations in sorting through the irony that’s my place in this world is that I’m nothing like the auditors I used to deal with in my application development days on Wall Street. What I audit, how I examine related controls and activities and review supporting evidence is heavily biased by my first-hand knowledge of the IT infrastructure. I understand technology and how it’s used, and so when I’m conducting fieldwork, I’m able to see things from a blended perspective. Most of the auditors I dealt with understood audit way better than they understood technology and so they’d ask question after question, not really knowing if the answers made sense, only if they matched expected results. For me, if the answer doesn’t make sense or is the wrong one, I immediately switch gears and seek out compensating controls because they’re often there if you know where to look.

Audit is heavy on my mind this week because I’m in the process of wrapping up a report for a client about the exit meeting. It’s interesting how the names and faces change from engagement to engagement but the script rarely varies. You’d think it would get old or boring but curiously it never does. The client never likes to see anything negative in print and it usually sets off a flurry of activity from report issuance to the first review meeting. There are almost always a series of requests to move things around, change the way things are worded and occasionally to reevaluate ratings. And I can’t recall a single audit where additional evidence wasn’t submitted for review after the initial draft was distributed to offset findings – artifacts that often have that “new car” sort of smell. But that’s actually a good thing and I’ll explain why.

An auditor’s job is to find control gaps and weaknesses. I’ve often compared what we do to fishing: You cast your line, see what you can catch, and keep at it until you either fill up your basket or have exhausted all available time and resources. Sometimes the bounty is rich and sometimes not so much. But there are always things to catch (I’ve never been shut out yet) even in the very best managed IT shops. The payout for the auditor is to identify legitimate issues that resonate with client. You want for those who own the controls to understand what the issues are and take swift action to remediate. I know some auditors take offense to after-the-fact evidence being provided because they perceive it as if though it’s implied that they missed something. Not me. When the client comes back quickly with viable solutions to make the findings go away, I consider that a bonus even if they didn’t exist a week earlier. That means that real risk is being further mitigated and managed and that’s the only reason to ever conduct an audit, in my opinion.

The client I’m working with, as it turns out, has fast become a favorite of mine. They’ve made great strides over the past year or so in enhancing their security posture and have gone a very long way towards putting in place effective controls to protect themselves, which ultimately results in their better protecting their customers. They take this sort of thing very seriously and as such, they have earned my respect. So when they come back to me with newly available information to offset findings in the draft report I’m happy to factor that into my findings. I did my job, they did theirs and in the end, the world is a little more secure.

So I guess I’m a minority on a couple of fronts: I’m more than satisfied with my job and I’m an IT auditor who genuinely understands the technology infrastructure. So much for there being strength in numbers.

]]> http://itknowledgeexchange.techtarget.com/regulatory-compliance/the-best-part-of-audit-yes-i-said-audit/feed/ 0