nanog mailing list archives

Re: We hit half-million: The Cidr Report


From: "Sholes, Joshua" <Joshua_Sholes () cable comcast com>
Date: Wed, 30 Apr 2014 18:44:02 +0000

Anybody got recommendations on how to make sure the company you engage
for the audit ends up sending you critters that actually have a clue? (Not
necessarily PCI, but in general)

In my previous jobs when I was doing FIPS/NIST/whatever compliance, it
ended up being the case that having a highlighted copy of the spec
document worked wonders most of the time.  Barring that, the one place
where I had a problem with this also had a COO who was formerly a
shark-in-an-$8000-suit type of lawyer, and he was often able to explain to
a clue-free auditor's boss exactly what would happen if they failed us
despite the fact we met the spec as written (starting with reporting them
to the PCI guys in charge of maintaining the list of qualified auditors).

It's been my general experience that one must vet auditors in the same way
one vets other vendors of intangible products--carefully and thoroughly,
lest they screw you.  Spend the same amount of energy you'd spend choosing
the appropriate corporate lawyers or outsourced HR.

--
Josh
