If you are regulated under any of the myriad government and industry regulations, from ITAR, FIPS, CLETS and PCI to HIPAA and the Red Flags Rule, the process of responding to security, integrity, and availability verification is not a simple exercise. It is more than answering questions in the positive. Policies, procedures and declarations of compliance are contracts with your company, partners, clients and government regulatory bodies. What do I mean? I mean that if you answer a question in the affirmative, or create a policy or procedure and declare it as the way you will do things, you have just made a legal commitment. If you later have a breach or an audit, and your answers are declared spurious or you fail to meet the commitments, you open your organization up to claims of willful neglect. At best you can be accused of failing to follow your own declared best practices. This creates a field day for plaintiff attorneys, and will certainly raise the eyebrows of government auditors. If your failure causes damage to associated companies or individuals, the potential for greater losses is substantial.
You must resist the desire to just answer the way you think they want you to answer. It is better to answer in the negative with an explanation, or to implement the commitments, than to be caught not being truthful. As business owners, be very cautious about accepting the word of your staff. In many cases, they will not answer the questions accurately. Maybe, on occasion, they do this because they are covering for their own inadequacies, but more often it is because they think they are doing you a favor. And some will do it because they just don't really understand the issues. So, when you ask your staff or consultants whether you are compliant, keep in mind that the veracity of the answers can have an undeniable impact on the future of your business. Further, when you answer the question, try to avoid denial or making light of the issues. It may make for an easier day but lead to a really rough week.