Most larger and all publicly held companies will have some sort of compliance team – often a few varieties, ranging from internal audit to privacy to an IT specific compliance team. All charged with making sure that policies exist and are adhered to, that the audit standards are met, and last but not least, determining if new solutions are compliant.
If you’ve never worked with compliance before it can be frustrating, especially when you’re doing something new. They typically won’t tell you what to do, only if what you’re doing is compliant (or not).
The trick here is to realize that makes perfect sense. You don’t want someone who isn’t a domain expert telling you how to solve a problem, that will soon be big case of the tail wagging the dog. Instead, you try to understand what you think will meet the requirements and explain it to them. Think of it as a mini-audit. If you can explain to them how your solution meets the needs, most times it will be accepted. I often call them (to their dismay) the thumbs up or down guys.
If it sounds like a chicken and egg problem, you’re right. You have to understand to some degree what they (or the auditor) wants and that is often vague, something like “log administrative events”. What is an administrative event? Largely you get to decide!
It may also help to understand that they feel the burden of that decision. If they say something is ok and it turns out later it wasn’t,the results may range from a failed or delayed audit to a full scale breach of security without the appropriate forensics to unravel it after the fact. That makes them cautious. Sometimes too much,but if you look at it from their view you can see why that might happen.
Understanding what they do and why goes a long way to reducing frustration on both sides.
