…And although there are companies that blatantly violate the standards, security is a constantly changing condition, not a static one. Every time a company installs new programs, changes servers or alters its architecture, new vulnerabilities can be introduced. A company that is certified compliant one month can quickly become non-compliant the next month if administrators install and configure a new firewall incorrectly or if systems that were once carefully segregated become connected because an employee didn’t adhere to access restrictions. Companies that conduct audits also have to rely on their clients to be honest about disclosing what they have on their network — such as stored data.
To answer the question posed by the title of the Wired.com post: no. Therein lies the problem.[1]

Wired link: Will Target’s Lawsuit Finally Expose the Failings of Security Audits?

[1] The nature of audits, in most professions, is that their usefulness is a function of the competence of those conducting them.
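The drift the quoted passage describes (a firewall rule added after the assessment, two segments quietly bridged) is exactly what a point-in-time audit cannot see, and exactly what a continuous check can. The following is an added example written for this page, not code from the Wired article, this post, Target or any assessor: it diffs an audited firewall baseline against the current rule set and reports every path into a cardholder-data segment that was closed when the certificate was issued and is open now. The rule format, the network ranges, the "vendor troubleshooting" rule and the assumption of first-match, default-deny semantics are all constructed for the example.

```python
"""Detect segmentation drift between an audited firewall baseline and the
live rule set.  Everything here (rule syntax, networks, rules) is constructed
for illustration; it is not any real organisation's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]            # None means any destination port

def parse_rules(text: str) -> list:
    """Parse 'action src dst port' lines (constructed format); '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, src, dst, port = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in rule: {raw!r}")
        rules.append(Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                          None if port == "any" else int(port)))
    return rules

def permits(rules, src_ip, dst_ip, port: int) -> bool:
    """First matching rule wins; no match means deny (assumed default policy)."""
    for r in rules:
        if src_ip in r.src and dst_ip in r.dst and (r.port is None or r.port == port):
            return r.action == "allow"
    return False

def exposures(rules, cde, sources, ports) -> set:
    """(source network, port) pairs that can reach the CDE under `rules`.
    One representative host per network is probed (first usable address)."""
    dst_ip = cde[1]
    return {(str(net), p) for net in sources for p in ports
            if permits(rules, net[1], dst_ip, p)}

def new_exposures(baseline, current, cde, sources, ports) -> list:
    """Paths into the CDE that were closed at audit time but are open now."""
    return sorted(exposures(current, cde, sources, ports)
                  - exposures(baseline, cde, sources, ports))

# Constructed segments: cardholder-data environment plus three non-CDE networks.
CDE    = ipaddress.ip_network("10.10.0.0/24")
JUMP   = ipaddress.ip_network("10.20.0.0/24")   # administrative jump hosts
VENDOR = ipaddress.ip_network("10.30.0.0/24")   # third-party / facilities network
CORP   = ipaddress.ip_network("10.40.0.0/24")   # general office network
SEGMENTS = [JUMP, VENDOR, CORP]
PORTS = [22, 443, 1433]                          # ssh, https, mssql (constructed set)

# Rule set as reviewed by the assessor (constructed).
BASELINE_RULES = """
allow 10.20.0.0/24 10.10.0.0/24 443   # jump hosts may reach CDE web consoles
deny  0.0.0.0/0    10.10.0.0/24 any   # nothing else reaches the CDE
allow 0.0.0.0/0    0.0.0.0/0    any   # everything else permitted
"""

# Live rule set weeks later: one rule inserted above the deny and never removed (constructed).
CURRENT_RULES = """
allow 10.20.0.0/24 10.10.0.0/24 443
allow 10.30.0.0/24 10.10.0.0/24 any   # "temporary" vendor troubleshooting access
deny  0.0.0.0/0    10.10.0.0/24 any
allow 0.0.0.0/0    0.0.0.0/0    any
"""

def drift_report() -> list:
    """Run the comparison on the constructed baseline and current rule sets."""
    return new_exposures(parse_rules(BASELINE_RULES), parse_rules(CURRENT_RULES),
                         CDE, SEGMENTS, PORTS)

if __name__ == "__main__":
    for src, port in drift_report():
        print(f"NEW PATH INTO CDE: {src} -> {CDE}:{port}")
```

Run against the constructed data, the baseline shows a single sanctioned path (jump hosts on 443) while the current rule set adds the whole vendor segment on every probed port, so the report lists three new paths. The point is not the toy parser but the workflow: the audited configuration is kept as a baseline, and the live one is compared to it on every change, rather than once a year. A real deployment would pull rules from the firewall's own export format and probe the actual hosts in scope, but the logic of "what can reach the CDE now that could not at audit time" is the same.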