There is no specific, prescriptive path that guarantees your business will be covered for every eventuality and incident it may encounter. But by following three steps, you can get yourself and your organization into a proactive compliance and security mindset.
I introduced the concept of “Continual Compliance” in the first article in this series and discussed how organizations can better manage their governance, risk and compliance landscape. In the follow-up we looked at how organizations can improve communication between compliance and security teams to achieve a forward footing on security and compliance. Let's wrap up with a picture of what a successful continual compliance implementation looks like. I'll offer some best practices and key learnings gathered from customers who are gaining ground on security and compliance, and managing it as a lifecycle process.
The following list will get you to a proactive security and compliance mindset. If you’re already doing some or all of these things, it might be time for a review or update to the process to ensure you’re evaluating often and making the adjustments needed to act in a timely manner. Let’s look at the tasks that can have the biggest impacts. You may find that you have to adjust to fit your own IT policies and culture. While not exhaustive, you should focus on the following to ensure you are practicing continual compliance:
Understand and Clearly Communicate Requirements
You (or someone in your organization) need an understanding of the regulations and policies you must comply with, as well as their individual requirements. That’s great. But if few others understand these items, you can’t be sure that changes will be acted upon in a timely manner, or that you’re aware of everything these requirements cover.
Security and compliance teams are responsible for making the whole organization aware of how to maintain compliance, and of what steps everyone needs to keep taking to remain compliant. This doesn’t mean the standard once-a-year refresher training. While that’s still required, what helps you get ahead is communicating which resources need to be covered, and including security and compliance in the procurement and usage of new resources (think cloud-based “Anything as a Service”) wherever there is the potential to process or store data.
If the people in your organization (employees, contractors, temporary workers and so on) don’t know that you need to track access to data in every place it could go, you may be missing key data, which can cause audit failures or data leakage (or both).
Frequent Reviews of Regulations; Notification of New Resources and Services
This is closely related to the item above, but is focused more on your security and compliance teams. Regulations and policies are not static; they are living requirements under constant review and revision, to keep pace with the speed at which IT and its associated resources change.
The bodies that maintain these standards (whether internal or external) issue updates from time to time. Sometimes these updates are wide-reaching, sometimes they’re subtle. Ideally, you’re keeping up with proposed changes and updates, but at the very least, whenever regulations (or internal policies and procedures) are updated, you are reviewing your entire process to ensure you have the coverage you need on every requirement.
If you’ve put the first item above in place, then you should also have an automated way of finding out about new resources and services. You also need a service level agreement within IT to review them for applicability of security and compliance requirements.
Internal Audits with Remediation, Real Time Reporting, Alerting
Think like an auditor and act accordingly. Put your IT operation under the microscope, and run audits as if you were responsible for finding any and all discrepancies. The first time you do this, it will take some time — but you’ll get a sense of what you need to do to plug any holes you find and automate the measurement. You will need to be specific and organized in testing and validating each step of each requirement, as well as in cataloging and reporting your results.
These finished reports can help you justify expenditures (either those you’ve already made, or those you need to make) to support your compliance efforts. Understand the ramifications of failures and communicate those: Will it cost the company millions of dollars if they can’t process credit card data? Will executives be under civil/judicial review and face jail time? Will your company be put on restriction from delivering goods and services until requirements are met, and proof has been presented to a governing authority?
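As an added illustration of the two automation points raised above (an automated way to learn about new resources, and audits that test each requirement and catalog the results), the following Python script is not from the original article or any product it describes. It compares a constructed "tracked" inventory against a constructed "discovered" snapshot to surface resources that nobody has yet reviewed for applicability, then evaluates every discovered resource against a small hypothetical requirement catalog and produces a pass/fail summary per requirement. The requirement IDs (REQ-1 to REQ-3), resource names and control checks are all assumptions made for the example; a real run would feed the discovered inventory from a cloud provider's resource listing or a procurement feed.

```python
"""Continual-compliance audit harness (added example, not the article's own code).

The inventories, requirement IDs and control checks below are constructed for
illustration only. Replace DISCOVERED_NOW with the output of an automated
discovery job and REQUIREMENTS with your organization's actual control catalog.
"""

from typing import Callable

# Constructed inventory: the resources the compliance team already tracks ...
TRACKED_INVENTORY: dict[str, dict] = {
    "s3-customer-exports": {"type": "storage", "encrypted": True,
                            "access_logging": True, "owner": "data-eng"},
    "rds-billing": {"type": "database", "encrypted": True,
                    "access_logging": False, "owner": "finance-it"},
}

# ... and what this run's automated discovery reported. Two resources are new:
# a SaaS tool someone procured and a storage bucket nobody registered.
DISCOVERED_NOW: dict[str, dict] = {
    **TRACKED_INVENTORY,
    "saas-docsigner": {"type": "saas", "access_logging": False, "owner": None},
    "s3-marketing-scratch": {"type": "storage", "encrypted": False,
                             "access_logging": False, "owner": "marketing"},
}

# Hypothetical requirement catalog: (ID, description, resource types the
# control applies to, check). A check returns True when the resource complies.
Check = Callable[[dict], bool]
REQUIREMENTS: list[tuple[str, str, set[str], Check]] = [
    ("REQ-1", "Data at rest is encrypted", {"storage", "database"},
     lambda r: r.get("encrypted") is True),
    ("REQ-2", "Access to data is logged", {"storage", "database", "saas"},
     lambda r: r.get("access_logging") is True),
    ("REQ-3", "A named owner is assigned for periodic review",
     {"storage", "database", "saas"},
     lambda r: bool(r.get("owner"))),
]


def find_new_resources(tracked: dict[str, dict], discovered: dict[str, dict]) -> list[str]:
    """Resources discovery reported that compliance is not yet tracking.

    These are the items that need an SLA-bound applicability review.
    """
    return sorted(set(discovered) - set(tracked))


def run_audit(tracked: dict[str, dict], discovered: dict[str, dict]) -> dict:
    """Evaluate every discovered resource against every applicable requirement.

    Returns the new resources, one finding per failing (requirement, resource)
    pair, and a per-requirement pass/fail summary for a real-time dashboard.
    """
    findings: list[dict] = []
    summary = {req_id: {"pass": 0, "fail": 0} for req_id, *_ in REQUIREMENTS}
    for name in sorted(discovered):           # sorted so the report is stable
        resource = discovered[name]
        for req_id, title, applies_to, check in REQUIREMENTS:
            if resource["type"] not in applies_to:
                continue                      # control not applicable here
            if check(resource):
                summary[req_id]["pass"] += 1
            else:
                summary[req_id]["fail"] += 1
                findings.append({"requirement": req_id, "title": title,
                                 "resource": name})
    return {
        "new_resources": find_new_resources(tracked, discovered),
        "findings": findings,
        "summary": summary,
    }


def render_report(report: dict) -> str:
    """Plain-text report for the audit record (the cataloging and reporting step)."""
    lines = ["New resources awaiting applicability review:"]
    lines.extend(f"  - {n}" for n in report["new_resources"]) if report["new_resources"] \
        else lines.append("  (none)")
    lines.append("Findings:")
    if report["findings"]:
        lines.extend(f"  - {f['requirement']} {f['resource']}: {f['title']}"
                     for f in report["findings"])
    else:
        lines.append("  (none)")
    lines.append("Summary:")
    for req_id, counts in report["summary"].items():
        lines.append(f"  {req_id}: {counts['pass']} pass, {counts['fail']} fail")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(run_audit(TRACKED_INVENTORY, DISCOVERED_NOW)))
```

Running the script as written flags the two untracked resources and lists five failing checks, with the summary showing REQ-2 (access logging) as the weakest control. The applicability sets are what keep the audit honest: a SaaS tool is not scored on an encryption control it cannot report on, but it is scored on access logging and ownership, which is exactly the kind of gap the "anything as a service" procurement problem creates.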