Posted by: David Schneier
Audit, GLBA, HIPAA, PCI, Regulatory Compliance, SOX
I once heard a parent say that they wished they had a dollar for every time their teen-aged child rolled their eyes at them. I’m a parent so I get it. But what I really wish for is to have a dollar for every time a client rolls their eyes at me when I tell them they need to have all their policies and procedures documented.
It happened twice last week, two different clients in two different states. And it was a slow week.
A corporate lifetime ago, policies and procedures were a nuisance put in place by management as a way to standardize business practices and attempt to use a single set of rules for everything, everywhere they did business. And it was a drag. I have clear memories of my formative years on Wall Street with a seemingly endless row of binders on my cubicle shelf that appeared best suited to gathering dust rather than providing anyone direction, because in the end, well, all they did was gather dust. So the irony isn’t lost on me that here I am a decade or two later, standing on my soapbox explaining why having things documented is a good thing.
Twenty years ago there really weren’t enforceable regulatory standards such as SOX or GLBA. Frameworks and assessment guidelines such as COBIT, NIST and ISO 17799 were either in their infancy or not yet developed. And so, outside of a very few pockets of industry, there wasn’t a whole lot of good reason to have to put down on paper what you did, why you did it and how you got it done. Sure, there were the auditors that came around every now and again, but things were simpler in those days and much of what they needed could either be found in the occasional dusty binder or grabbed from the data center operations library.
Today we live in a different world. There are a seemingly endless number of regulations in place that are tested monthly, quarterly, semi-annually and annually. There are rules as to how you must configure your network, your applications and your data (electronic and hard-copy), and how you must secure your facilities, your desktops, your laptops and your handhelds. The only thing left is the kitchen sink, and technically even that’s covered if the kitchen is located within the secured perimeter of a data center. The amount of work that must be done to be in compliance, to properly configure and secure your infrastructure, is maddening. And so, on top of all that work, you’re now being told that doing the right things isn’t enough; you also need to document what you’re doing as well.
And so I get that rolled-eye look, which is often accompanied by the question “why do I have to document everything I do even if I can prove I’m doing the right things?”
I’ll tell you why: examiners and auditors are human. Some are smart and savvy humans, some are sensible and knowledgeable humans and some are just humans. Or rather, not everyone does their work the same way. The only way to ensure that you get credit for doing the right things is by documenting what you’re doing, so that anyone coming in and trying to gain an understanding of how things run within your four walls has it laid out for them. Here’s the problem: if you let an examiner or auditor wander logically and physically through your infrastructure, they’re going to look for what they’d expect to find, thus leaving you and your organization open to greater scrutiny. They pull out lists that include everything they could ever hope, expect or dream to find and start asking for items on that list. If instead you give them your road map, explaining at the policy level what your organization is committed to doing and following that with supporting procedures that break out in detail exactly how those policies are supported, you’re paving the path to be followed. You get to steer the examiner in the direction that you want them to go, the direction that your organization follows.
Last week I had one client operating under two regulatory frameworks and another operating under three frameworks plus PCI; that’s a whole lot of audit activity to have to deal with. Do you really want to have to repeatedly answer the same questions, conduct the same walk-throughs and explain yourself over and over and over again? Wouldn’t it simplify your life if you set aside the time to document everything, so that anyone can walk in, be handed the (gulp) binders and figure out for themselves how things work within your world?
I’ll admit, this concept is a bit self-serving, though sincere. If everyone had their documentation in order, my job would be that much easier when I’m conducting the fieldwork. But if you knew what I looked for and often found, you’d also see where you’d benefit: I’m a former technologist who used to break every rule in the book and figure out how to circumvent every control that was thrown at me, and so I’m the last person you’d want left to his own devices while conducting an audit.
Oh, and one more reason why you should do it: GLBA and SOX both require you to, so there!