Reduce the headache of managing compliance by taking a programmatic approach
Posted on Sep 2019 by John McDonald
Can you remember the last time you supported an audit or assessment? If you’re like many employees who support compliance, you may still have occasional nightmares about the process. It may have been a regulatory audit for something like HIPAA, PCI, NERC/FERC, or DFS 23 NYCRR 500, or a framework audit for something like NIST CSF, HITRUST or ISO 27001/2.
Regardless of the driver, you probably spent a lot of time and effort tracking down the right people and documentation for the assessment. As a consulting company, we frequently see this scenario. We’re always surprised by the complexity of the process, especially because it’s almost never the first time that the organization has gone through that audit or assessment. If there were only some way to simplify the process and make it less painful (and costly). Well, there is a way. If you treat compliance like a structured program, you can dramatically reduce the cost, time and headaches typically associated with assessments.
The first and most critical component of such a compliance program is to make a specific job function or team responsible for driving and tracking the organization's compliance, rather than assigning it to a named individual. All too often the one person who held responsibility for compliance leaves the group, that person's knowledge leaves with them, and the next audit starts again from square one.
It is also critical that the role or team assigned responsibility for compliance also has the appropriate authority to drive the processes and other components necessary to implement and maintain the program. These roles, responsibilities and authorities should be clearly defined, documented and supported by executive management.
Components for your Cybersecurity Compliance Program
- Identify your team, and define their roles, responsibilities and authority
- Collect accurate, up-to-date documentation in a single system of record
- Build a compliance-impact review into every process that could affect compliance, with a step to update the related documents
- Identify the scope of the program, including where regulated data is stored and which compliance requirements apply
Second Component: Documentation Management
The second component of compliance is documentation management. All audits and assessments are primarily exercises in reviewing documentation, so having comprehensive, accurate and up-to-date documentation is critical to implementing and managing a compliance program. Often an audit or assessment becomes a frustrating exercise in tracking down the correct documents, only to discover that the version you have isn't the latest, or that a required document was never created. An automated system-of-record tool for required documentation, with each document mapped to the specific regulatory or framework requirements it satisfies, can reduce evidence gathering for an audit to a few mouse clicks.
Third Component: Process Integration
The third critical component of compliance is process integration. The best document management system in the world won't be useful if most of the documents are out of date because of the inevitable changes in an organization or its infrastructure.
Any process in any group that could affect compliance needs to include a "review compliance impact" step and, if required, an "update the system-of-record documentation" step. This applies to the processes of Human Resources, IT, IT Security, Operations and other business units alike.
Whenever something changes in an organization that could affect compliance, part of the change process must be to assess and understand that impact and update any applicable documentation. A common trait among auditors is that if any inaccuracies are found in provided documentation, the accuracy of the rest of the documents becomes suspect, significantly increasing the scrutiny and level of effort for the audit.
Fourth Component: Identify Scope of Project, Including Where Data is Stored and Compliance Requirements
After the building blocks for a compliance program are in place, the first thing to assess is the scope of applicability for the regulations and frameworks that the program needs to support. For example, if the organization is subject to HIPAA requirements, the program team needs to understand where all of the PHI data resides in the environment and how it’s originated, stored and moved inside and outside of the organization. This information will be critical at audit time, as virtually every major regulation and framework starts with a requirement to understand your scope.
Where is your data? All too often in consulting engagements we’re surprised that an organization can’t definitively answer the question: where is your data? For an auditor to sign off on your understanding of the applicable scope, you should be able to produce items such as the following:
- Current business process and data flow diagrams
- System and application requirements and design documents for components that “touch” relevant data
- Data discovery scan results showing that relevant data hasn't mysteriously shown up somewhere outside the declared scope, such as an unsecured SharePoint site
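As an added illustration of the last item, not part of the original post, the script below is a minimal data-discovery check: it walks a directory tree, looks for PHI-like identifiers, and flags any hit that sits outside the locations the scope statement says the data lives in. The detector patterns (a US SSN shape and an assumed "MRN" number format), the in-scope prefix `ehr/` and the sample files are all hypothetical; a real program would use a proper DLP or discovery tool and the organization's own data classification. Matches are redacted before they are recorded, so the evidence you hand an auditor does not itself become a new copy of PHI.

```python
"""Added example: a small data-discovery scan to support a scope claim.
Patterns, paths and sample files are hypothetical (constructed for the demo)."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Hypothetical detector patterns. The SSN rule excludes never-issued area
# numbers (000, 666, 900-999) to cut false positives; the MRN shape is an
# assumption, not a standard.
PATTERNS = {
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{6,10}\b", re.IGNORECASE),
}


def redact(value: str) -> str:
    """Mask every digit except the last two so the report is not itself PHI."""
    return re.sub(r"\d(?=.*\d\d)", "X", value)


def scan_text(text: str) -> dict[str, list[str]]:
    """Return {pattern name: [redacted matches]} for the patterns found in text."""
    hits: dict[str, list[str]] = {}
    for name, rx in PATTERNS.items():
        found = [redact(m.group(0)) for m in rx.finditer(text)]
        if found:
            hits[name] = found
    return hits


def scan_tree(root: Path, in_scope: list[str]) -> list[dict]:
    """Scan every readable text file under root and record which hits fall
    under a declared in-scope path prefix and which do not."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(encoding="utf-8")
        except UnicodeDecodeError:
            continue  # skip binaries; a real scanner would parse PDF/Office files too
        hits = scan_text(text)
        if not hits:
            continue
        rel = path.relative_to(root).as_posix()
        findings.append({
            "path": rel,
            "in_scope": any(rel.startswith(prefix) for prefix in in_scope),
            "hits": hits,
        })
    return findings


def out_of_scope(findings: list[dict]) -> list[dict]:
    """The findings an auditor will ask about: PHI-like data outside the scope."""
    return [f for f in findings if not f["in_scope"]]


def demo() -> list[dict]:
    """Constructed sample tree: PHI where the scope statement says it lives,
    plus a stray copy pasted into a team site that is not in scope."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr" / "export").mkdir(parents=True)
        (root / "sharepoint" / "team-site").mkdir(parents=True)
        (root / "ehr" / "export" / "patients.csv").write_text(
            "name,mrn,ssn\nJane Doe,MRN 00123456,123-45-6789\n")
        (root / "sharepoint" / "team-site" / "notes.txt").write_text(
            "Call back patient MRN: 00123456 re: billing 123-45-6789\n")
        (root / "sharepoint" / "team-site" / "readme.txt").write_text(
            "Nothing sensitive here. Ticket 000-12-3456 is not an SSN.\n")
        # Only the EHR export location is declared in scope for PHI.
        return scan_tree(root, in_scope=["ehr/"])


if __name__ == "__main__":
    for finding in demo():
        tag = "in-scope" if finding["in_scope"] else "OUT OF SCOPE"
        print(f"{tag:13} {finding['path']}: {finding['hits']}")
```

Run on the constructed tree, the EHR export is reported as an expected in-scope hit and the team-site note as an out-of-scope hit to investigate, while the ticket number that merely looks like an SSN is ignored. Keep the redacted report, the scan date and the pattern set together as the evidence artifact; an auditor wants to see both that you scanned and what you scanned for.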
Take your Components and Start Mapping Compliance
With the above components in place — clearly defined roles, responsibilities and authorities, structured documentation management, process integration and a clearly defined scope — the remaining activities typically come down to mapping specific controls to specific requirements.
Before your Next Audit: Plan Ahead
The headaches and stress of audits diminish greatly if you follow a programmatic approach to cybersecurity compliance. Before your next audit, use the components above to plan ahead. While a structured approach requires some time and resources to implement, it is almost always less expensive in the long term and can speed your way to compliance.