The role of control depth in assessment quality
A client yesterday shared an interesting observation with me. We're doing a security assessment for them, and were asking some pretty in-depth questions about physical security surrounding their data center. This client had recently gone through an external SOX audit, and was surprised that many of the questions we asked about physical security didn't come up during that audit. His exact comment was something like "that audit only checked for the presence or absence of a particular control... there was no insight into the underlying quality of the control and whether it had actual value".
If you want to check boxes, surface audits are fine. But if you want to understand your true security exposure, you have to dig deeper. It's not enough to ask whether regular backups are taken and stored offsite. You have to ask how often. You have to ask where the tapes are stored before being transported offsite (hint: "under the receptionist's desk" isn't going to cut it). You have to ask whether backup tapes are encrypted. You have to ask whether backups are periodically test-restored to confirm their integrity.
You have to dig deeper than the surface and get to where the substance lives if you want to get a real sense of things. After all, if you have to endure a security audit, it'd be nice to actually get some value out of it.