Yes, I know. There are some cobwebs around here. Don’t worry, I’m working on clearing those out. I’ve finally taken a position with a company and have been buried with all kinds of great stuff. More on this soon!

/lalala, by striatic

/lalala, by striatic

But in the meantime, I found an article in the ISACA Journal from Tommie Singleton entitled, “What Every IT Auditor Should Know About Using Inquiry to Gather Evidence.” If you are in the information security business and have to deal with assessing or auditing, do yourself a favor and take ten minutes to read this article. This technique is what separates the pros from the newbs in our industry.

If you have worked with me in the past, you probably remember me pushing for face-to-face conversations and ensuring that work happens on-site for some part of the engagement. You also might remember me talking about the art of the interview; specifically by asking open-ended, NON-LEADING questions to get information about an assessment. It’s the difference between “So, you log your Windows environment in accordance with Req 10, right?” (uhh… SURE!) and “Describe for me how you manage logs in your Windows environment.” Consider for a moment the difference in output generated from a Level 4 merchant filling out SAQ-D, versus an experienced QSA interviewing one and filling out the form on their behalf. For the most part, its the different between an inaccurate pass and an accurate non-comply.

This article goes through a number of techniques as well as the pros and cons associated with passive questionnaires and active interviews. Ultimately, if you want to get an accurate result you have to factor in non-verbal cues into your assessment or audit. Without these, you are probably signing an in-accurate final report. Go check it out, and stay tuned for more on my new gig!

This post originally appeared on

Possibly Related Posts: