When it comes to audits and other compliance requirements - think Sarbanes-Oxley, PCI-DSS, internal and external audits, etc. - people tend to get a bit uptight and flustered. Fortunately, by keeping a calm head and a rational perspective, your reaction to these challenges can be cool and calm, allowing you to leverage a methodology you already know - risk mitigation.
Risk mitigation is about identifying a vulnerability, weakness or "hole" in the requirements established by the governing body to which you must comply and then putting resources to work to overcome the identified exposures. For instance, simply put, the PCI-DSS program sets forth a rating of your organization based on the number of credit card transactions processed per year. Based on that determination, you can determine what criteria you must meet and by when.
From there, a project plan must be developed and the needed funding requested. Part of your job as an IT Security Professional is to communicate the requirements, the exposures needing to be mitigated and the estimated costs for completing the project. It then becomes the responsibility of the company's senior leadership team to fund the program or to accept responsibility for non-compliance. Next, with the funding secured and a plan in hand, you manage to the plan and funding as you would most other IT projects.
Remember one important requirement, though: you have a hard stop on the project based on the required compliance date, so you will have to keep the project on schedule. However, should you find yourself in a position where you will not meet the required date, be sure to communicate immediately with the governing body, outlining your plan and schedule.
Most governing bodies are more amenable to your plans if you contact them proactively. Once they start targeting you for non-compliance on their terms, things may get ugly quickly. Finally, establish a monitoring process to track the status of your compliance points and keep everything on track. This will leave you in a great position for the next round of requirements. It's good to know that a core process - risk mitigation - can be applied to many problems, in this case compliance.
I do hope your next compliance effort goes smoothly.
Original posting - http://itsecurityrookie.blogspot.com/2009/09/mitigating-risk.html