Today’s governance, risk and compliance landscape is complicated and difficult to understand, let alone implement and maintain. Those under pressure to maintain environments held to standards set by external regulatory control (and usually internal policies and best practices) have a difficult task.
In this series, we will discuss more of the “maintain” aspects of regulatory control, and some of the challenges we’re facing to remain in compliance with all the controls imposed on us to do business on a day-to-day basis. To that end, let me introduce you to what I call “Continuous Compliance.”
The substance of Continuous Compliance comes from a simple reality: technically, you can be audited at any time -- day or night -- at any point in the year. The controls required by regulatory agencies are not a one-time implementation to be checked off a list. They are a minimum set of standards (usually security-based) that must be in place and demonstrably working at all times, not just on the day an assessor shows up. And beyond maintaining them, the real challenge is to improve on the initial implementation over time.
Continuous Compliance is best illustrated with the classic three-legged stool. One leg is your infrastructure and the services running on it, the second is the rules and regulations themselves, and the third is the security and compliance tooling you use to measure and audit your environment. Remove any one leg and the stool collapses: the program fails.
Infrastructure and Services
First, your infrastructure, the software that runs on it and the way it is configured are more dynamic than ever. People adopt cloud services, web-based software and new on-premises applications and services -- often without going through a traditional purchasing workflow that includes a review by the security and compliance teams.
Every one of those changes can pull new systems and data into the scope of your controls, and if you are not adjusting accordingly you are risking an audit failure or, worse, a data breach. End users rarely realize that their choices have this effect on the organization's security and compliance posture. IT needs to be constantly vigilant and to communicate its requirements so users know when they are doing something they shouldn't -- and what they should do instead.
Second: regulations -- or, more to the point, the requirements you must comply with -- are not static. The boards and bodies that maintain these regulations are not sitting idle, and neither should you. Additions and changes to requirements can arrive at any time. There is usually an implementation grace period that gives IT some breathing room, but if you have no process for confirming that the controls you have in place still meet every requirement that applies to you, you are opening yourself up to audit failures (or worse).
This leg requires more human intervention than the other two. Someone must actively watch for updates and changes to the requirements so that the organization responds in time. My suggestion: make it a standing part of your process for someone on the security or compliance team to review the applicable regulations on a regular schedule, so changes are discovered as early as possible and mapped to the controls they affect.
Software and Policies
Finally -- and this is the item that tends to get the least attention when people consider their security and compliance stance -- you must maintain the automation and control software that helps you stay in compliance. If a tool demonstrates a control to auditors, or helps keep your enterprise compliant with any control in any regulation you are subject to, then that tool is itself part of your compliance posture. Apply its patches, install newer versions and keep its configuration current: a scanner running on stale signatures produces false negatives, and a log collector that has quietly stopped collecting leaves gaps in the evidence you will need at audit time.
Fortunately, many software vendors now let you check for patches and updates automatically, or at least let you sign up for automated notification when patches or new versions are available. If so, resist the first instinct to ignore the email: learn to recognize genuine product update and support notifications and act on them. One caveat: software update notices are a favorite phishing lure, so verify a notice against the vendor's own site or support portal rather than following links in an unsolicited message.
Continuous compliance doesn't have to be difficult. Attending to the three areas above puts your organization in a more secure and compliant posture, and together these three checks should keep you ready for an audit at any time. In my next article, I'll talk about how communication silos may be undermining your ability to stay secure and compliant, and to discover and potentially prevent problems and breaches.