The new audit defense?
I’ve seen a trend recently, although it’s probably been around for ages and I’ve only just noticed it.
In many cases where an organisation’s security has been compromised, either the organisation itself or the investigative body sent in to look into the situation has responded to direct questions with vague, non-committal answers.
This approach first caught my eye with the TJX situation where both the company and investigators have repeatedly said “we’re not sure” when asked questions starting with the words “How”, “Who”, “When” and “What”.
The latest I’ve seen relates to “U.S. Visit”, the IT system intended to keep track of foreigners entering and leaving the United States. Congresswoman Zoe Lofgren asked a simple question:
“Was the US Visit database hacked?”
And the answer from Mr. Keith A. Rhodes, Director of the Center for Technology and Engineering at the US Government Accountability Office?
“I did not see controls in place that would prevent it and did not see defensive perimeter and detection systems in place to tell whether it had or had not been hacked.”
So basically, the answer is, “don’t know and have no way of knowing”.
I do hope that this does not become the new way of “defending” yourself against the auditors. As in, put fairly useless tracking systems in place so that if something bad does happen, no one can find out how bad it was, for how long it occurred and what was actually affected.
I guess it’s up to the standards themselves to remove this as a defence. Perhaps things like PCI DSS need predefined approaches to the “we don’t know” style of defence. Maybe a standard fine structure for dealing with a lack of information is required.
I’m not sure, but I have a horrible feeling that this could develop into a well-used method if instances like this are not stamped on in short order.