Today’s governance, risk and compliance landscape is complicated and difficult to understand, let alone implement and maintain. Those under pressure to maintain environments held to standards set by external regulatory control (and usually internal policies and best practices) have a difficult task.
In this series, we will discuss more of the “maintain” aspects of regulatory control, and some of the challenges we’re facing to remain in compliance with all the controls imposed on us to do business on a day-to-day basis. To that end, let me introduce you to what I call “Continuous Compliance.”
The substance of Continuous Compliance comes from a simple reality: technically, you can be audited at any time -- day or night -- at any point in the year. The controls required by regulatory agencies are not a one-time implementation to be “checked off the list.” They are a minimum set of standards (usually security-based) that must be maintained at all times. The challenge is not merely to maintain them, but to improve upon the initial implementation.
Continuous Compliance is best illustrated by the classic three-legged stool. One leg is your infrastructure, the second is the rules and regulations themselves, and the third is the security and compliance tooling you use to measure and audit your environment. Remove any one of these legs and the stool collapses: the system fails.
Infrastructure and Services
First, your infrastructure, the software that runs on it and how it’s configured are more dynamic than ever. People are taking advantage of cloud services, web-based software, and new and improved on-premises applications and services -- often without following a traditional software purchasing workflow that involves a review from the security and compliance teams.
This directly affects your compliance posture, and if you’re not adjusting accordingly, you’re putting yourself at risk of an audit failure or, worse, a data breach. End users often don’t realize they are having this negative effect on their organization’s security and compliance. IT needs to be constantly vigilant, communicating its needs and requirements so that users know when they are doing something they shouldn't -- and what they should do instead.
Second, the regulations -- or more to the point, the requirements you must comply with -- are not static. The boards and organizations that maintain these regulations are not sitting idle, and neither should you. Additions and changes to requirements can occur at any time. Usually there is an implementation grace period that gives IT some breathing room, but if you don’t have a process to verify that the controls you have in place still meet every requirement you are subject to, you leave yourself open to audit failures (or worse).