Policy and compliance
This morning, "PS" asked the ISO27k Forum for advice about reviewing access rights.
"I just got a minor non-conformity for not showing compliance with the review of user access rights control. At present, a report containing leavers is reviewed by the service desk to ensure removal of access. This process supplements the leaver process owned by department managers. But an auditor has insisted that we should retrieve all access reports and review them. So the question is: how do you demonstrate compliance with this control in your organisation? Appreciate your guidance ..."
Some respondents duly mentioned typical controls in this area, while some of us spotted a problem with the situation as described. Why did the auditor raise a minor non-conformity? On what basis did the auditor insist that they should ‘retrieve and review all access reports’ - if in fact he/she did?
With a little creative/lateral thinking, it turns out there are several intriguing possibilities in the situation described by PS aside from the obvious:
- The organization had instituted and mandated a formal policy stating that ‘All access reports will be reviewed’ – a bad move unless they truly expected precisely that to happen. They are committed to doing whatever their policy says. If they don’t do so, it is a valid non-conformity finding;
- The organization had [perhaps unwisely or inadvertently] instituted a formal policy stating something vaguely similar to ‘all access reports will be reviewed’, which the auditor interpreted to mean just that, whether correctly or incorrectly. This is always a possibility if policies are poorly or vaguely worded, or if the supporting procedures, guidelines, help text, advisories, course notes, management instructions etc. are similarly worded or simply missing, leaving it to workers to interpret things as they see fit ... which may not match the interpretation of the auditors, or management, or lawyers and judges if incidents escalate;
- The organization had a procedure or guideline stating [something similar to] ‘all access reports will be reviewed’, in support of a formal policy on information access or whatever, and again the auditor was right to raise an issue;
- The organization had a policy or whatever outside the information security arena (e.g. tucked away in an IT or HR policy, procedure, work instruction etc.) stating that ‘All access reports will be reviewed’ ... which in turn raises a bunch of questions about the scope of the Information Security Management System and the audit, plus the organization's policy management practices;
- An old, deprecated, withdrawn, draft or proposed policy had the words ‘all access reports will be reviewed’, and somehow the auditor got hold of it and (due to flaws in the organization’s policy controls) believed it might be, or could not exclude the possibility that it was, current, valid and applicable in this situation - another valid finding;
- A stakeholder such as a manager verbally informed the auditor that it was his/her belief or wish that ‘All access reports must be reviewed’, inventing policy on the spot. This kind of thing is more likely to happen if the actual policy is unclear or unwritten, or if individual workers don't know about and understand it. It could also have been a simple error by the manager, or a misunderstanding by the auditor ... a possibility that emphasizes the value of audit evidence and of systematically reviewing and confirming anything that ends up in the audit report (plus potentially reportable issues that are not, in fact, reported for various reasons);
- The organization had formally stated that some or all of the controls summarized in section A.9 of ISO/IEC 27001:2013 were applicable without clarifying the details, which the auditor further [mis?]interpreted to mean that they were committed to ‘retrieve and review all access reports’;
- For some reason, the auditor asserted that the organization ought to be ‘retrieving and reviewing all access reports’ without any formal basis in fact: he/she [perhaps unintentionally] imagined or misinterpreted a compliance obligation and hence inaccurately identified non-compliance when none exists;
- The auditor may have sniffed out a genuine information risk, using the minor non-conformity as a mechanism to raise it with management in the hope of getting it addressed, whether by achieving compliance or by amending the control;
- The auditor may have made the whole thing up, perhaps confusing matters that he/she didn't understand, or under pressure to generate findings in order to justify his/her existence and charges;
- The auditor simply had a bad day and made a mistake (yes, even auditors are human beings!);
- PS had a bad day e.g. the minor non-conformity was not actually reported as stated in his question to the forum, but was [mis]interpreted as such. Perhaps someone spuriously injected the word “all” into the finding somewhere along the way (Chinese whispers?);
- PS wasn't actually posing a genuine question, but invented the scenario to fish for more information on the way forum members tackle this issue, or was hoping for answers to a homework assignment;
- The auditor was trying it on: was this a competent, experienced, qualified, independent, accredited compliance auditor, in fact? Was it someone pretending/claiming to be such - someone in a suit with an assertive manner maybe? Was it just someone with “auditor” scribbled on their business card? Was it a social engineer or fraudster at play?!;
- etc. ...
... Compiling and discussing lists like this makes an excellent exercise in awareness sessions or courses – including auditor training, by the way. In this particular case, the sheer variety of possibilities is a warning for information security and other professionals regarding policies, compliance, auditing etc. In practice, “policy” is a more nebulous, tricky, important and far-reaching concept than the typical dictionary definition of the word implies. Just consider the myriad implications of "government policy", or speak to a tame lawyer for a glimpse into the complexities.