Due Diligence Part 3: Redlines & Compensating Controls
Nothing is set in stone
A key point to remember is that no audit is set in stone. Think of the audit as a negotiation: the initial requests are likely to describe an ideal situation for the auditor (often by presenting unreasonable or unachievable requirements) and will set a very high bar. You can push back with two techniques, redlining and compensating controls.
Redlining
In cyber insurance, a client will sometimes ask for $5mm of coverage, which is very hard to qualify for because of the requirements that come with it. This is an excellent example of a scenario in which you could use redlining. By showing how robust your IT security program is, you would be able to justify why your $2mm policy is sufficient and have them change the requirements.
Compensating controls
Compensating controls are alternative controls that negate the need for a specific control. A good example of a common control you may be familiar with is the short password expiration window: at a fixed interval (60, 90, 120 days) end users are prompted to change their passwords. A compensating control here would be a robust multifactor authentication (MFA) deployment, where even with someone's password, an attacker could not get in without access to the user's phone and MFA app.
Compensating controls are very common, but unfortunately, approval depends on both the attitude of the auditor and their technical ability. You will sometimes see auditors who want to stick to the letter of the law and leave little room for anything except meeting the exact requirements. More often than not, when compensating controls are denied, it is because the auditor does not have the required technical understanding. Make sure when designing compensating controls (such as MFA) that you provide thorough documentation and justification, so that the auditor fully understands them when evaluating them.