
              Ever wonder what auditors are thinking?

              Over at the PCI DSS Compliance Demystified blog, Michael Dahn has a post that should be interesting to anyone subject to compliance audits (which is just about everyone). Titled "How deep do your PCI auditors need to go?" the post lays out some of the factors that auditors use to determine, as the title suggests, how deep into your security program they need to go in order to reasonably prove or disprove compliance.

              From the blog:
              "Here are some factors they may examine:
              • Can they sample similar systems?
              • Will they rely on third-party reports?
              • Do they need to inspect the security of every application?
              • Will you need to give them copies of sensitive data for their work papers?
              • Who will send the final report to the acquirer or card brand?"

              As you would expect from a blog dedicated to PCI DSS, the information Michael discusses is in the context of a PCI compliance audit. But many of the factors and considerations are used by information security auditors across the board regardless of their 'faith'. If you're expecting an audit soon, it's a great quick read that provides some insight into the process.
