Security's Everyman

Sunday, November 18, 2007

Compliance and Audits

I just finished reading a post by Rebecca Herold on something that most of us don't think about or even realize can be an issue. It's a compliance related issue that I wasn't aware of, and I spent 3 1/2 years working for a company where 95% of the employees had to fill out I-9's. Not only that, but 99% of our customers were also not citizens of the USA. Still, this was something that I never thought about, and the company never brought it up as something that I needed to be aware of. That makes me wonder: what else am I not aware of? What other regulations are out there that I, as the Information Security Officer, need to be aware of? I thought I was doing a pretty good job of keeping up with the various regulations, but this one slipped under the radar. I hope that there aren't others, or at least not too many others.

Keeping up with these things can be a full-time job, and if you don't have a legal department or an HR department that is on the ball, then you had better be. I remember back in 2002 or 2003 when I first really became interested in compliance related issues. It was when HIPAA was approaching a big deadline for providers. I was tasked with becoming the HIPAA expert for the consulting firm that I worked for. At that time I decided that I would try to keep up with all appropriate regulations that affected the company I worked for, and any that might prove helpful in the future (the knowledge of them, not the regulations themselves, since we know that most are not helpful in the least bit).

I recommend reading Rebecca's post (and her blog). It is full of good and useful information.

Another good post I ran across today was from the Security Monkey (he looks really familiar). In it he gives some really good information on how to handle yourself during an audit. If you have never been through an audit, or been an active participant in one, then you may not realize how important an audit is, and not only that, but how important it is that you conduct yourself in a proper manner. I have been lucky (OK, so I'm not being totally honest) to have been through several audits. At first they scared me to death. I was afraid of saying the wrong thing, and so was my boss. I was lucky in that I received some good advice on how to handle myself early on, and it paid off. That doesn't mean that I lied or hid the truth; I just learned to answer the questions that were asked and not the ones that I thought were asked. I recommend reading this post if you are required to participate in audits. It may well save your tushie. :)


elijah said...


Sounds like your company is still missing the ball regarding I-9s. The law is clear that EVERYONE who is hired has to fill one out. So it should not be 95%. They are really cracking down on companies, so be careful. Email me if you need more details:

Elijah Zuniga

Andy, ITGuy said...

Elijah, when I said that 95% had to fill out I-9's, what I was referring to was that 95% were not US citizens. I was making the assumption that the I-9 was for immigrant workers and non-citizens of the USA. If it is required for ALL employees, then I'm sure I've filled out many of them but don't remember doing so.

Thanks for reading and commenting.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.