Compliance Operations

What are the Key Compliance Operations Principles?

1. Break down information silos across IT risk management processes

Like any well-run business function, the security assurance/IT compliance function needs to accurately assess how they’re doing today, where improvements are needed, and what work ought to be prioritized to make the greatest impact on the business. Unfortunately, most organizations today are struggling to get a complete understanding of how well their existing risks are being managed, because they use disparate tools for different parts of the IT risk management process and information is spread all over the place. Connecting disparate information silos — so risks, security requirements and the state of the existing internal controls are well understood — is a critical step to take if an organization wants to manage IT risks in an agile, responsive way. This mapping work can be done iteratively rather than all at once.

This mapping process may seem simple, but it can’t be implemented effectively unless you have a platform that houses all of your risk information, controls, and compliance artifacts. While GRC software is intended to help with this mapping process, the ease and speed in which these exercises can be done really matters. For instance, you want a tool that allows you to collect a single set of evidence and link it to multiple controls at once. The ability to easily upload evidence in bulk and label things properly will add up to hundreds of hours saved through the course of a year.

2. Establish Shared Responsibility for Security and Compliance

If an organization wants to be consistent at mitigating risks, their information security compliance teams and business stakeholders need to share responsibility for maintaining security and compliance. This is a departure from what we see today, where many business process owners/stakeholders view compliance as something that happens off to the side.

Business process owners from HR, Finance, Engineering, and IT are operating IT systems and processes that can affect data security, integrity, and privacy. These business stakeholders and operators purchase new technology in order to improve their own productivity and to deliver better customer experiences. When new technology is purchased or when a new business process is created, new risks to information may be introduced. It’s important for the infosec compliance team to understand their business, why these business processes exist, what tools are used in these business processes, and why things are done a certain way — so they can understand the security and compliance implications.

Compliance and business stakeholders (and product engineers) should work together to ensure that IT systems are configured and used in ways that advance business objectives and adhere to internal security and regulatory standards. It’s important that the compliance team knows when business process and technology changes happen. The compliance team should document what the “proper” processes are so that what’s happening can be reviewed against the established standard. They should make this data available to the business process owners. The business process owner is accountable to ensure that the right processes or procedures are followed as they are operating their systems through the course of normal business.

This shared responsibility model can be enforced if a company is able to document all of their controls (i.e., business processes designed to mitigate a risk/ensure compliance with a regulatory requirement) and store evidence of activities around those controls in a single repository. Compliance teams should be able to see when a control process deviates from what’s deemed acceptable and have a conversation with the business stakeholder to address the issue.

3. Break down work into small increments and work iteratively

Compliance work can feel really intimidating if you think about everything that needs to be done all at once. But if you take a pragmatic and incremental approach, the work becomes much more manageable. A pragmatic approach is one that starts with your organization’s business needs in mind. For instance, what are the most critical risks within your business that need to be mitigated? Which risks need better mitigation controls? What’s the next audit that’s coming up? Is there a new security regulation or standard your business has to become compliant with in the coming months?

Knowing your current state and your business priorities, you can start to set realistic, achievable milestones and identify the most important set of tasks that need to be completed in the near term.

If you take a disciplined approach to finding out what is the current state and set incremental goals in service of improving your security and compliance posture over time, it becomes much easier to figure out the workloads and resources required to meet your objectives and allocate tasks to individuals within, and outside of, the security and compliance function.

Rather than reacting to the demands from other stakeholders, you choose to look ahead and figure out who needs to do what, and by when. For instance, what’s the cadence for internal and external audit activities? When do controls need to be implemented, reviewed, and tested? Who’s responsible for critical tasks and how do we monitor that? And finally, how can we quickly see if there’s a potential issue, like a control not being tested on schedule or if we failed to remediate a key finding?

4. Standardize the services and processes

We’ve come to expect well-defined services and processes across all areas of the organization, and in recent years even IT has adopted that mindset, using ITIL and Agile for example. Standing up well-defined services in security assurance and compliance is the logical next step, defining clear processes, roles and responsibilities and enabling a metrics-driven view of these key functions. In the compliance realm, getting work done consistently and on-time is critical.

Start by defining a process for collecting and reviewing evidence.

If you don’t have access to up-to-date evidence, you can’t assess whether controls you’ve implemented are functioning properly or not, which may leave a key IT system exposed. Additionally, in order to pass an independent audit, you’ll need to supply your auditors with the correct compliance artifacts. Lastly, collecting evidence tends to be so tedious and time-consuming that it holds security assurance professionals back from tackling more strategic tasks. Hyperproof’s 2021 IT Compliance Benchmark Survey found that half of the IT security compliance professionals surveyed spend 50% or more of their total time at work on repetitive administrative tasks around preparing for audits.

By having a clearly defined process for collecting and reviewing evidence and a tool that supports a streamlined process, you can save a significant amount of time, money, and frustration and minimize the risk of control failures.

When defining your evidence collection process, it’s important to consider the following:

By keeping all this contextual information alongside each piece of evidence in a system of record, you can easily reference this information for future audits — saving time and money.

5. Automate processes to make them more efficient (and support a more efficient operating environment for the entire organization)

When security compliance teams spend much of their time on manual repetitive tasks, they’re left with little time to focus on other important tasks aimed at improving security and resiliency (e.g., testing controls on high risk areas, talking to business units to understand what’s changing in the business and how those changes may create new risks or amplify existing risks). Manual, repetitive tasks, such as evidence collection, controls testing, controls monitoring, and reporting, should be automated.

Further, at the controls level, it’s easy to become “over-controlled” as compliance professionals try to meet different but somewhat similar framework requirements. This issue has driven the move towards unified controls frameworks. Automation and good processes can help us get there and remain there in light of new or changing requirements.

6. Have a reporting and monitoring system in place to support ongoing improvements

Security assurance/IT compliance work is an iterative process. Controls can quickly become obsolete when a change occurs in an organization, such as when an existing IT system is retired and a new one is implemented. To achieve continuous compliance, every organization needs to have a reporting and monitoring system that provides real-time insights into the status of internal controls, risks, audits, and automatic flagging of issues that need attention. For instance, one report should help you identify which controls need review because evidence isn’t fresh anymore. You should have an easy way to see which security objectives aren’t met yet because controls haven’t been implemented or tested. There should be a way to track issues and tasks so that involved in compliance know what they need to do next.

7. Make Iterative Improvements

Infosec compliance work is never done. As your organization grows, you’ll face new compliance requirements and new risks that need to be mitigated. It’s important to look at your compliance program as a living entity and make incremental improvements on a continuous basis.

Advantages of Taking an Operational Approach to Compliance Activities

The advantages of using this new operational approach compared to a traditional approach (e.g., rushing to check controls, collect evidence, and fix controls right before an audit) are three-fold: