There is no specific, prescriptive path that guarantees your business will be covered for every eventuality and incident it may encounter. But by following three steps, you can get yourself -- and your organization -- into a proactive compliance and security mindset.
I introduced the concept of “Continual Compliance” in the first article in this series and discussed how organizations can better manage their governance, risk and compliance landscape. In the follow-up we looked at how organizations can improve communication between compliance and security teams to achieve a forward footing on security and compliance. Let's wrap up with a story of what a successful continual compliance implementation looks like. I'll offer some best practices and key learnings gathered from customers who are gaining ground on security and compliance, and managing it as a lifecycle process.
The following list will get you to a proactive security and compliance mindset. If you’re already doing some or all of these things, it might be time for a review or update of the process to ensure you’re evaluating often and making the adjustments needed to act in a timely manner. Let’s look at the tasks that can have the biggest impact. You may find that you have to adjust them to fit your own IT policies and culture. While not exhaustive, you should focus on the following to ensure you are practicing continual compliance:
Understand and Clearly Communicate Requirements
You (or someone in your organization) need an understanding of the regulations and policies you must comply with, as well as their individual requirements. That’s great. But if few others understand these items, you can’t be sure that changes will be acted upon in a timely manner, or that you’re aware of everything these requirements cover.
Security and compliance teams are responsible for making the whole organization aware of how to maintain compliance, and of what steps everyone needs to keep taking to remain compliant. This doesn’t mean the standard, once-a-year refresher training. While that’s still required, what helps you get ahead is communicating which resources need to be covered, as well as including security and compliance in the procurement and usage of new resources (think cloud-based AAAS -- Anything as a Service) wherever there is potential to process or store data.
If the people in your organization -- employees, contractors, temporary workers, etc. -- don’t know you need to track access to data in all the places it COULD go, you may be missing key data that could cause audit failures or data leakage (or both).
Frequent Reviews of Regulations; Notification of New Resources and Services
This is closely related to the item above, but is focused more on your security and compliance teams. Regulations and policies are not static; they are living requirements under constant review and revision to keep pace with the speed at which IT and its associated resources change.