I introduced the concept of “Continual Compliance” in the first article in this series and discussed how organizations can better manage their governance, risk and compliance landscape. In the follow-up we looked at how organizations can improve communication between compliance and security teams so that both are on a forward footing. Let's wrap up with a picture of what a successful continual compliance implementation looks like. I'll offer some best practices and key learnings gathered from customers who are gaining ground on security and compliance and managing it as a lifecycle process.
The following list will move you toward a proactive security and compliance mindset. If you're already doing some or all of these things, it may be time to review or update the process to make sure you are evaluating often and making the adjustments needed to act in a timely manner. Let's look at the tasks that have the biggest impact. You may find that you have to adjust them to fit your own IT policies and culture. The list is not exhaustive, but you should focus on the following to ensure you are practicing continual compliance:
Understand and Clearly Communicate Requirements
You (or someone in your organization) need an understanding of the regulations and policies you must comply with, as well as their individual requirements. That's a start. But if few others understand these items, you can't be sure that changes will be acted upon in a timely manner, or that you know about everything in your environment these requirements cover.
Security and compliance teams are responsible for making the whole organization aware of how to maintain compliance, and what steps everyone needs to keep taking to remain compliant. This doesn't mean the standard, once-a-year refresher training. While that's still required, what helps you get ahead is communicating which resources need to be covered, and including security and compliance in the procurement and use of new resources (think cloud-based "anything as a service" offerings) wherever there is the potential to process or store data.
If the people in your organization (employees, contractors, temporary workers, etc.) don't know that you need to track access to data in every place it COULD go, you may be missing key data, which can cause audit failures or data leakage (or both).
Frequent Reviews of Regulations, and Notification of New Resources and Services
This is closely related to the item above, but is focused more on your security and compliance teams. Regulations and policies are not static. They are living requirements under constant review and revision, to keep pace with the speed at which IT and associated resources change.
The boards that maintain these standards (whether internal or external) issue updates from time to time. Sometimes these updates are wide-reaching, sometimes they're subtle. Ideally, you're keeping up with proposed changes as they are discussed, but, at the very least, when regulations (or internal policies and procedures) are updated, you are reviewing your entire process to confirm you still have the coverage you need on every requirement.
If you've put the first item above in place, you should also have an automated way of learning about new resources and services as they appear, rather than relying on someone remembering to tell you. You also need a service level agreement within IT for reviewing each new resource for the security and compliance requirements that apply to it, so that nothing sits unreviewed while it is already processing data.
Internal Audits with Remediation, Real-Time Reporting, Alerting
Think like an auditor and act accordingly. Put your IT operation under the microscope, and run audits as if you were responsible for finding any and all discrepancies. The first time you do this, it will take some time, but you'll get a sense of what you need to do to plug the holes you find and to automate the measurement so the next pass is cheap. You will need to be specific and organized in testing and validating each step of each requirement, as well as in cataloging and reporting your results.
These finished reports can help you justify expenditures (either those you’ve already made, or those you need to make) to support your compliance efforts. Understand the ramifications of failures and communicate those: Will it cost the company millions of dollars if they can’t process credit card data? Will executives be under civil/judicial review and face jail time? Will your company be put on restriction from delivering goods and services until requirements are met, and proof has been presented to a governing authority?
All of these sound draconian -- but all of them have happened. You don’t want to be responsible for not having notified management of potential failures.
The suggestion above can save your job. But to make your life as a security and compliance professional easier, make sure you are notified as soon as a check fails, so you can remediate quickly instead of discovering the failure at the next audit. Another suggestion? Always make sure alerts are actionable. One easy test I offer up: if you'd get out of bed to do something about it, it's appropriate to have an alert. If it's just "good to know," it belongs in a report.
On reports: reports come in "flavors," and the flavor is determined by who consumes them. Are they for your technical team? Are they a management overview of compliance status and items at risk? Are they for external auditors and contain only the specific data the auditor requested?
These should be under your control. You should be able to create both ad-hoc and scheduled reports that provide the appropriate data, either at a high level or with drill-down. If they are point-in-time reports for management or external auditors, use a format that is not meant to be edited (such as a PDF), and keep a hash or signature of the file you issued so that the copy an auditor holds later can be shown to be the unaltered one.
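The automated new-resource check, the audit pass over each requirement, the alert-versus-report routing and the point-in-time report described above can be run as one small loop. The following Python is an added example written for this page, not code from the original article or from any product it describes. The control identifiers (ENC-1, NET-1, INV-1), the inventory, the data classifications and the "regulated" set are all constructed for illustration; a real program would map the controls to the clauses of the standard in force and read the inventory from a discovery feed.

```python
"""Continual-compliance loop: evaluate controls against an inventory and route the results."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable

# Assumption: these data classifications carry regulatory consequences if mishandled.
REGULATED = {"cardholder", "pii"}

# Constructed sample inventory (not real infrastructure). "reviewed" records whether
# security/compliance has assessed the resource, i.e. the new-resource notification step.
INVENTORY = [
    {"id": "db-prod-01", "type": "database", "data_class": "cardholder",
     "encrypted": True, "public": False, "reviewed": True},
    {"id": "bucket-logs", "type": "storage", "data_class": "internal",
     "encrypted": True, "public": True, "reviewed": True},
    {"id": "bucket-exports", "type": "storage", "data_class": "cardholder",
     "encrypted": False, "public": False, "reviewed": False},
    {"id": "saas-crm", "type": "saas", "data_class": "pii",
     "encrypted": True, "public": False, "reviewed": False},
]


@dataclass(frozen=True)
class Control:
    id: str
    description: str
    applies_to: Callable[[dict], bool]   # does this requirement cover the resource?
    passes: Callable[[dict], bool]       # True when the resource satisfies it
    severity: str                        # "alert": get out of bed; "report": good to know


@dataclass(frozen=True)
class Finding:
    control_id: str
    resource_id: str
    severity: str
    description: str


# Hypothetical control set; a real program maps each one to a clause of the standard.
CONTROLS = [
    Control("ENC-1", "regulated data is encrypted at rest",
            lambda r: r["data_class"] in REGULATED, lambda r: r["encrypted"], "alert"),
    Control("NET-1", "storage is not publicly reachable",
            lambda r: r["type"] == "storage", lambda r: not r["public"], "report"),
    Control("INV-1", "resource reviewed by security/compliance before use",
            lambda r: True, lambda r: r["reviewed"], "report"),
]


def evaluate(inventory, controls=CONTROLS):
    """Audit pass: test every applicable control against every resource."""
    return [Finding(c.id, r["id"], c.severity, c.description)
            for r in inventory for c in controls
            if c.applies_to(r) and not c.passes(r)]


def route(findings, inventory):
    """Split findings into actionable alerts and report-only items. A report-level
    failure on a resource holding regulated data is escalated to an alert."""
    data_class = {r["id"]: r["data_class"] for r in inventory}
    routed = {"alert": [], "report": []}
    for f in findings:
        sev = f.severity
        if sev == "report" and data_class[f.resource_id] in REGULATED:
            sev = "alert"
        routed[sev].append(Finding(f.control_id, f.resource_id, sev, f.description))
    return routed


def summarize(routed):
    """Management view: counts plus the failing resources per control."""
    per_control = {}
    for sev in ("alert", "report"):
        for f in routed[sev]:
            per_control.setdefault(f.control_id, []).append(f.resource_id)
    return {"alerts": len(routed["alert"]), "report_items": len(routed["report"]),
            "failing_by_control": {k: sorted(v) for k, v in sorted(per_control.items())}}


def report_digest(summary):
    """SHA-256 over canonical JSON, so a point-in-time report handed to an auditor
    can later be shown to be the unaltered copy."""
    canonical = json.dumps(summary, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


if __name__ == "__main__":
    routed = route(evaluate(INVENTORY), INVENTORY)
    for f in routed["alert"]:
        print(f"ALERT  {f.control_id} {f.resource_id}: {f.description}")
    for f in routed["report"]:
        print(f"REPORT {f.control_id} {f.resource_id}: {f.description}")
    summary = summarize(routed)
    print(json.dumps(summary, indent=2), "\ndigest:", report_digest(summary))
```

On the sample inventory the public log bucket stays a report item because it holds only internal data, while the unreviewed CRM service and the unencrypted export bucket become alerts: the routing rule, not the control's default severity, decides what wakes someone up. Running `evaluate` on a schedule and diffing the digest of successive summaries is a cheap way to notice that a report changed between two audit points.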
While these suggestions are by no means exhaustive, I see them as the biggest bang for the buck. Here's hoping this series has offered some information and perspectives you haven't come across before. I'm interested in hearing your feedback on this post, as well as on the entire Continual Compliance series.