SPOT: Security Audit Rules of Engagement (ROE)

Connect, but be very careful.

Take control before you are taken control of.


  • The lead auditor will establish evaluation criteria for the assessment of the controls.
  • There is no “partial” control credit; a control is either “compliant,” “non-compliant,” or “NA”.
  • All controls are subject to inspection; auditors will not be restricted from accessing portions of the facility or system sub-components directly related to the audit.
  • The auditor may go beyond documentation review and require a demonstration when the control is not clearly answered.
  • The company/business is responsible for addressing controls.
  • The company/business must demonstrate the controls’ implementation, including inherited controls (where the government provides a means to address the control).
  • Controls that are not assessed because the company/business did not address them will be marked as non-compliant.
  • Controls that are assessed as non-compliant and not scored prior to the auditor’s departure will be categorized as non-compliant.
  • Inspected POAMs (plans of action and milestones) must include an expected completion date and mitigations (until a permanent solution is employed).
  • All document references will include the document name, version number and date, page number, and section number that addresses the control.
  • If a document reference does not address the control, the auditor will categorize that control as non-compliant.