Feature
Today’s governance, risk and compliance landscape is complicated and difficult to understand, let alone implement and maintain. Those under pressure to maintain environments held to standards set by external regulatory control (and usually internal policies and best practices) have a difficult task.
In this series, we will discuss more of the “maintain” aspects of regulatory control, and some of the challenges we’re facing to remain in compliance with all the controls imposed on us to do business on a day-to-day basis. To that end, let me introduce you to what I call “Continuous Compliance.”
The substance of Continuous Compliance comes from the reality that technically, you can be audited at any time -- day or night -- at any point in the year. The controls required by regulatory agencies are not a one-time implementation intended to be “checked off the list.” They are meant as a minimum set of standards (usually security-based) that must be maintained at all times. More than maintenance, the challenge here is to improve upon initial implementations.
Continuous Compliance can be illustrated best in terms of the classic three-legged stool paradigm. One leg is the pillar of your infrastructure, the second leg represents the rules and regulations themselves and the third leg is for the security and compliance tools you use to measure and audit your environment. Without any one of these legs, the stool collapses and the system fails.
Infrastructure and Services
This can affect your compliance needs and if you’re not adjusting accordingly, you’re putting yourself at risk of an audit failure, or worse, a data breach. End users often don’t realize they have this negative effect on their organizations’ security and compliance. IT needs to be constantly vigilant, communicating its needs and requirements so users know when they are doing something they shouldn't -- or what they should do about it.
Regulations
Second: regulations, or more to the point, the requirements with which you need to comply are not static. The boards and organizations that maintain these regulations are not sitting idle and neither should you. Additions and changes to requirements have the potential to occur at any time. Usually there is an implementation grace period that allows IT some breathing room, but if you don’t have a process to ensure that the controls you have in place meet all requirements you must comply with, you could open yourself up to audit failures (or worse).
Learning Opportunities
Webinar
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
Webinar
Jun
1
How organizations can design, build and run Generative AI into the Customer Experience
Discover how to drive enhanced CX through Generative AI
Webinar
Jun
6
The Future of Social Media: Emerging Trends and How to Stay Ahead of the Curve
The impact of emerging technologies like AI on social media
Webinar
Jun
7
The Building Blocks of Personalization
This webinar will explore how personalization can create powerful ecommerce shopping experience.
Webinar
Jun
13
The Future of Contact Centers with AI at the Helm
Learn how to balance human intuition and interaction with the potential uses of AI to create delightful and lasting CX
Webinar
May
30
ChatGPT and the Future of Conversational AI
This discussion explores various aspects of AI implementation, ethical considerations, and challenges for your organization.
Webinar
May
31
The Evolution of Employee Listening - 2023 Trends & Best Practices
Learn proven effective methods and solutions to supporting an inspirational future of Employee Voice
This step requires more human intervention than either of the other two areas. Someone must be actively looking for updates and changes to requirements to ensure you’re doing what you need to do in a timely manner. My suggestion: make it part of your process for someone on the security or compliance team to regularly review regulations to discover changes as soon as possible so your organization can stay compliant and secure.
Software and Policies
Finally -- and this item is one that tends to get the least amount of attention when considering your IT security and compliance stance -- you must maintain any automation and control software that helps you stay in compliance. If you have software that demonstrates control to auditors -- or helps keep your enterprise compliant for any of the controls in any of the regulations you must comply with -- you’ll need to ensure that you’re applying patches, installing newer versions or configuring the software appropriately to keep you in control of your environment.
Luckily many software manufacturers now allow you to automatically check for patches and updates, or, at the very least, allow you to sign up for automated notification when patches or new versions are available. If this is the case, you should fight your first instinct of ignoring the email -- be sure you recognize real product updates and support notifications and take action on them.
Continuous compliance doesn't have to be difficult. You can help put your organization in a more secure and compliant posture with the items discussed above. Together, these three checks should help you maintain a compliance and security orientation that is ready for an audit at any time.In my next article, I’ll talk about how communication silos may be negatively affecting your ability to maintain a secure and compliant position for discovering and potentially preventing problems and breaches.
