Continuous Compliance Learning Center

Welcome to the Continuous Compliance Learning Center.

01 What is continuous compliance?

Whether an organization is just starting to build out a risk and compliance function or already has a dedicated team of risk and compliance specialists in place, at the end of the day all organizations share the same goals: to ensure that their compliance efforts are effectively reducing risks to an acceptable level, and that those that need assurances (customers, auditors, and regulators) are satisfied.

Today, organizations are operating in a much riskier business environment compared to five years ago. And the COVID-19 healthcare crisis and remote work arrangements have made certain risks even more pronounced.


Since the risk environment is so fraught at this time, organizations need to make sure that their risk mitigation approach is keeping pace. That’s where continuous compliance becomes relevant.

Continuous compliance is an approach that helps you manage risks more effectively. With continuous compliance, risks are re-assessed on a regular basis, control processes are consistently performed, and evidence from control processes are evaluated and actioned accordingly. By evaluating control processes on a continuous basis, organizations have an opportunity to refine their risk management strategies in real-time.

02 Why does Continuous Compliance Matter Now More Than Ever?

According to a 2020 study by the Enterprise Risk Management Initiative at North Carolina State University, 42 percent of 563 companies surveyed have hired a chief risk officer, up from 32 percent five years ago. The survey is based on data collected in the fall of 2019.

Among the NC State study’s key findings are that “most respondents perceive a much riskier business environment now compared to five years ago. COVID-19 has probably increased that perception exponentially for most business leaders.”

At this time, organizations are dealing with a greater level of risk and a greater regulatory burden. Here are a few salient features of the 2020 risk landscape:

  • Organizations are more likely to become victims of data breaches through third-party vulnerabilities. Due to increasing connectivity between organizations and reliance on third-party vendors, third-party data breaches accounted for more than half of all data breaches in the first half of 2019.
  • Greater number of data privacy regulations to comply with. New data privacy laws such as the GDPR and CCPA mandate new privacy policies, updated operating procedures for data collecting and processing, new security controls, and more stringent contracts with vendors. Meanwhile, regulators are cracking down on companies that violate these laws by levying steep fines and penalties. Some data privacy laws like the CCPA and GDPR also give individuals the right to file lawsuits against businesses when their data is compromised in security incidents.
  • New attack vectors due to fully remote workforces. The spread of the novel coronavirus hasn’t only upended our professional and personal lives, it has also brought forth a set of risks and novel compliance challenges. For instance, employees working outside of secure corporate firewalls become vulnerable to all kinds of intrusions. We’ve already seen popular remote tools like Zoom become targets for cyber intruders (see this article on “zoom bombing”). Social engineering attacks have also risen since the emergence of COVID-19.
  • Employers are grappling with how to properly collect personal information (body temperature, geo-location data) and protect that information during efforts to prevent the spread of COVID-19 and protect their workforces and communities. Much of the new data employers are collecting falls into the category of “personal data”, which is subject to restrictions within a number of data protection laws (e.g., GDPR, CCPA, ADA, HIPAA).
  • Customers at this time are nervous; compliance mistakes get magnified and are more likely to result in a loss of business. While you should always treat your customers with care, retaining existing customers becomes vital during an economic recession as it’s harder to acquire new customers. How you treat customers during this point in time will be remembered for years to come. You need to maintain a strong compliance posture to instill customer confidence in your organization.
  • We can expect more regulations to be introduced in the near future as regulators internalize learnings from the COVID-19 crisis. Anytime there’s a black swan event (e.g. 2008 financial crisis, 9/11, rise of the Internet), new regulations follow.


Risk and compliance teams are being called on to do more than ever before during this time of crisis. Responding quickly and appropriately to emerging risks such as the ones listed here is critical. Cutting resources in risk and compliance at this moment is the wrong strategic move for organizations.

"In fact, compliance lapses at this time may become magnified in ways that can stunt the growth trajectory of an organization for years to come."

Why continuous compliance is crucial to sustained growth

Through Zoom’s latest regulatory and publicity woes, we’ll showcase why organizations must not delay making investments into security, data privacy, and compliance until they’ve gained serious traction, and should instead invest in it starting in the early days of product development.

Zoom has been around for nine years, but their easy-to-use video conferencing app became a favorite for hundreds of millions of people around the world since the coronavirus has forced the vast majority of individuals into self-isolation. In late February 2020, Zoom decided to make its video communication tools free to schools and individuals in regions affected by COVID-19. Once the free software offer was announced, the company saw its user base balloon from over 10 million to over 300 million. Its growth rate was unprecedented for SaaS companies; it was every company founder’s dream come true.

As Zoom’s popularity surged, the video conferencing app became a prime target for hackers and cyber intruders. In March, users started to report that their video calls were attacked by intruders who kept sharing pornography and hate speech. “Zoom bombing”, a new form of harassment in which intruders hijack video calls and post hate speech and offensive images, has become so alarming that the FBI has issued a warning about using Zoom.

Further, security researchers discovered additional security issues with Zoom in March, such as the fact that its Windows client was vulnerable to a “UNC path injection” flaw that could allow remote attackers to steal victims’ Windows login credentials and even execute arbitrary commands on their systems. (Note: Zoom has already released an update that fixes the UNC vulnerability.)

By the end of March 2020, Zoom was enmeshed in a full-on PR nightmare. Security writer Ivan Mehta of TNW has characterized Zoom as “a godforsaken mess”, the FBI has warned citizens about its products, school districts have started banning Zoom from classrooms, and the attorneys general of several states have banded together to scrutinize Zoom’s privacy and security practices.


“We are alarmed by the Zoom-bombing incidents and are seeking more information from the company about its privacy and security measures in coordination with other state attorneys general,” Connecticut Attorney General William Tong told POLITICO in a statement.

Additionally, the Electronic Frontier Foundation has raised concerns about the types of data Zoom meeting hosts can see. Highlighting some of the privacy risks associated with using Zoom’s products, the EFF has said hosts of Zoom calls can see whether participants have the Zoom video window active, which lets hosts track whether participants are paying attention. Administrators can also see the IP address, location data, and device information of each participant.

When asked what the company is doing to address regulators’ concerns, Zoom CEO Eric Yuan said the company is implementing a feature freeze for the next three months, effective immediately, and spending that time improving privacy and security features. That move is highly likely to damage employee morale and hurt sales.

“We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home," Yuan wrote. "We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.”

The events endured by Zoom highlight the critical importance of dedicating sufficient resources to managing security and data privacy risks on an ongoing basis. According to public interviews Zoom CEO Eric Yuan gave to reporters, Zoom had paid a lot of attention to ensuring its software could scale to handle the massive influx of new users, and it planned to release several new features to make its product more useful. However, we didn’t find public mentions from Zoom of plans to focus company resources on security and privacy issues until after Zoom’s troubles started gaining media attention.

Unfortunately, the lack of foresight carries a hefty price: Not only did the company suffer user backlash and reputational damage from negative press, it also became embroiled in an expensive regulatory investigation. As Zoom stalls and attempts to recover, its competitors have a window of time to catch up.

Regulatory Bodies Are Increasingly Focused on Continuous Monitoring

In the past few years, regulatory bodies have put a sharper focus on continuous monitoring. Intending to move compliance “beyond the checkbox,” regulators view continuous monitoring requirements as an effective means to mitigate new risks emerging from the fluid cyber threat landscape.

Automation in Assessments: Industry Trends

FedRAMP: Recent program changes “tighten the screws” on existing continuous monitoring requirements. The Open Security Controls Assessment Language (OSCAL) will drive additional automation.

HITRUST: The HITRUST Information Security Continuous Monitoring (ISCM) Working Group is supporting an initiative to extend the duration of HITRUST CSF certification based upon an organization’s formal ISCM program and corresponding high levels of CSF control maturity.

Cloud Security Alliance (CSA): A 2020 update to CSA STAR requires continuous auditing and reporting procedures to demonstrate compliance.

PCI DSS: “Business-as-usual security” is central to the 2020 Version 4.0 of the PCI DSS, which focuses on continuous monitoring and management of security controls.

AICPA: Long a champion of continuous auditing and assurance concepts for financial statements, the AICPA has recently seen its working groups begin to explore similar concepts for SSAE 18 (SOC 1 and SOC 2) attestations.

ISO 27001: Draft standards for “digital service providers” developed in working groups with ENISA include continuous monitoring concepts previously unseen in ISO 27000 series requirements.


03 Key Requirements and Common Barriers to Continuous Compliance


Achieving continuous compliance requires an organization to have oversight into whether its people are performing control processes correctly and on-time, and to have mechanisms to notify the right people about the issues so they can be resolved or escalated in a timely manner.

Operating in a mode of continuous compliance requires an organization to pay attention to Quality, Consistency, Governance, and Efficiency. However, it can be difficult to achieve these characteristics for a variety of reasons.

  1. Quality

    Quality refers to the quality of your risk assessment and the design of your controls. All compliance measures -- whether it’s a written policy, an oral presentation, or a procedure enforced by a piece of technology -- should be aligned to your broader risk management strategy.

    The ultimate goal of an effective risk management strategy is to maintain a risk environment that is within an acceptable risk tolerance level for the organization. To accomplish this, an organization must identify their risks, define risk tolerances (risk levels that are acceptable), and then design controls in a manner that effectively addresses the risks.

    Based on our experience, organizations often get tripped up in this phase for three reasons: First, they haven’t considered emerging risks when there’s a sudden change in their environment. Second, they haven’t implemented all necessary controls to meet their objectives because they don’t know how well their existing set of controls stacks up against best practices and established standards. Last but not least, compliance frameworks themselves can change quickly as technology evolves -- making it difficult for organizations to stay on top of best practices.

    Learn more about risk assessments and control design:

  2. Consistency

    "Continuous compliance requires you not only to gather evidence that controls exist, but also verify that controls are working on a day-to-day basis"

    The design of the control impacts how effective the control is. Additionally, consistency in performing the control process is an important factor in having an effective compliance program. In this context, consistency means that your controls are operating at the specific time interval, and in the same manner, as they were designed to.

    To ensure that your controls are operating consistently, you’ll need to have sufficient oversight and visibility into the performance of control processes. For instance, deploying patches is an important component of vulnerability management. If patches are not consistently deployed at the time that they become available, your systems may be left exposed to vulnerabilities.

    If you’re evaluating control processes on a continuous basis, you have an opportunity to catch gaps (control processes that were not performed on time) so you can quickly resolve issues. This is particularly important for high-risk areas like vulnerability management.

    For example, if you’re using a SIEM solution that does not have both logging and monitoring alerts turned on, you may never be notified of attack indicators. The lack of notifications and alerts reduces your ability to make timely adjustments to network controls. With continuous compliance, however, you would have discovered right away that logging and monitoring alerts were not turned on.

    We’ve found that many organizations delay collecting and evaluating evidence until right before they need to submit that evidence to their auditor or security assessor. If evidence is only collected and evaluated immediately before an audit or assessment, the control process becomes a lagging indicator with little room for adjustment.

    Yet, collecting the right evidence on a timely basis is often a challenge because of document sprawl, which happens when compliance information resides in disparate places across an organization. Without a central platform where all compliance information can be stored and managed, it is difficult and time-consuming for compliance managers to review evidence of control processes. And without fresh evidence it’s impossible to gauge the efficacy of controls.

  3. Governance and Oversight

    Continuous compliance is only possible when an organization’s risk and compliance leaders have the right information they need to make timely adjustments. At the highest level, senior risk leaders need the right information to effectively monitor existing control processes so they can make changes as needed. Adjustments may include areas such as incorporating new controls to address emerging risks, redesigning weak control processes to make them stronger, or developing new training to improve security awareness among employees.

    Additionally, compliance managers need information to be able to quickly see which controls they need to act on and ensure that control processes are performed correctly and on time. They should also have visibility into the issues that need immediate attention or escalation.

    However, getting effective oversight of a compliance program is often an obstacle because compliance teams aren’t keeping close track of control ownership responsibilities, issues, or tasks. When compliance managers are unable to identify who needs to do what, by when, or when they’re too busy to remind control operators to complete their tasks, control processes are liable to be dropped whenever an employee changes roles, leaves the organization, or gets busy or sick.

  4. Efficient operations

    Efficiency has to do with how well an organization is managing its resources, including time, employees, and budget. Being efficient means that your team is able to achieve quality, consistency and effective oversight with an optimal amount of resources.

    In our experience, we’ve heard many compliance teams share their frustrations around how inefficient and difficult it can be to work with stakeholders who are essential to compliance project success. Given the cross-functional nature of compliance work, compliance leaders often run into issues where someone outside of their team is not cooperating with them.

    For instance, let’s say you’re a compliance manager and you need to collect evidence to prove that your organization has an effective means of communicating company policies to employees. You have a control that says “All regional HR managers are responsible for collecting signatures from employees within their region. Each signature is to acknowledge that an employee has read the company’s Code of Conduct.”

    You need HR managers to send you the files of signed employee agreements. However, HR managers may not remember to submit all of these signed employee agreements to the compliance team until you’ve left them several voicemails and email messages.

    It is not uncommon for a compliance manager to collect evidence from 30 or more individuals to prepare for a single audit. When an organization has hundreds or thousands of control processes and dozens or hundreds of control operators, reminding people to participate in compliance-related work becomes a massive burden.

    When an organization is operating at scale, there are simply too many things to get done and too many people involved, making it too difficult to remind everyone of what they need to do at all times.

To learn about the four characteristics of an effective compliance program, check out the article The Four Signs of an Effective Compliance Program: Quality, Consistency, Oversight and Efficiency.

To see how DigiCert saves time in compliance with Hyperproof, check out this case study.


How to Achieve Continuous Compliance: Key Actions

To achieve continuous compliance, we must overcome the common barriers outlined in the previous section. This requires five key steps:

  • Update your risk model when circumstances shift
  • Align your control environment with your updated risk management strategy
  • Ensure consistency in performing control processes (make compliance user-friendly)
  • Ensure governance and oversight on control processes
  • Automate key processes to make compliance tasks as user friendly as possible

Up next, we’ll discuss how to align your people, processes, and technology stack to achieve each of the five steps.

04 How to Achieve Continuous Compliance Part 1: Update Your Risk Model When Circumstances Shift


To maintain a risk environment that is within an acceptable risk tolerance level for the organization, your organization needs to stay on top of risks and changes in regulations. Without an up-to-date view of your risks, it’s extremely difficult to ensure that your controls are sufficient or effective in protecting your organization.

To make sure that your control environment aligns effectively with your overall risk management strategy, here are the key considerations from a people, process, and technology perspective.

People: When conducting risk assessments, incorporate diverse perspectives by inviting a variety of stakeholders to the table. This will help you ensure that all types of risks are discussed and weighed in an appropriate manner. This group should include employees who are or will become control operators (e.g., administrators of key systems) and internal experts with subject matter expertise in domains including legal, risk, compliance, information technology, data privacy, communications, and human resources.

Process: Risk assessments are critical to doing compliance (and security) well. Anytime a major event occurs -- whether it’s a new regulation that affects your industry, the outbreak of an infectious disease, or one of your competitors being sanctioned by regulators -- it should serve as a reminder to review your risk model and update your view of how risks impact your assets.

There are many different risk assessment models that can guide your process. A few popular risk models to consider are the FAIR Model, the NIST Risk Management Framework, and the World Economic Forum Cyber Risk Framework and Maturity Model.

At their core levels, all methodologies require identification of the asset and the threats to those assets, and the analysis of likelihood and impact. These factors collectively help make a business decision on how much and how well to mitigate the risk. It is strongly recommended that risk assessments be conducted at least once a year.

When conducting risk assessments, it’s important to consider a broad set of risks (operational, financial, safety and health, legal, etc.), not just risks to information assets. Think about the different types and forms of threats beyond the obvious ones (e.g., hackers, accidental human interference, natural disasters, pandemics). Additionally, use a variety of methods to identify all vulnerabilities in your defenses, including audits, penetration tests, security analyses, and automated vulnerability scanning tools. And don’t forget physical vulnerabilities, such as sensitive paper documents.

To get a good view of vulnerabilities and threats, check out the NIST vulnerability database, ISO 27005 Annex C Examples of Typical Threats, and NIST 800-30 Appendix E Threat Events.
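To make the likelihood-and-impact reasoning above concrete, here is a small risk register in Python. It is an illustration added to this guide, not Hyperproof’s code, and it does not implement any one of the named frameworks. Assumptions made for the example: a 1-to-5 scale for both likelihood and impact, an inherent score of likelihood × impact, controls that remove a fixed number of steps from one factor, and a residual-score tolerance of 6. The assets, threats and controls in the register are constructed; the second assessment shows what happens when a shift in circumstances (a suddenly remote workforce) raises a likelihood and pushes a previously accepted risk past tolerance.

```python
"""Minimal risk register: inherent vs. residual risk against a tolerance.

Added illustration for this guide, not Hyperproof's code. The scales, the
sample assets, threats and control effects, and the tolerance are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # likelihood steps the control removes
    impact_reduction: int = 0       # impact steps the control removes


@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)

    def inherent(self) -> int:
        """Score before any control is applied."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after the current controls; a factor never drops below 1,
        because a control can reduce a risk but cannot make it vanish."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik * imp


def assess(register, tolerance):
    """One row per risk (asset, threat, inherent, residual, decision),
    highest residual first. 'mitigate' means the current control set still
    leaves the risk above the organization's stated tolerance."""
    rows = []
    for r in register:
        decision = "accept" if r.residual() <= tolerance else "mitigate"
        rows.append((r.asset, r.threat, r.inherent(), r.residual(), decision))
    return sorted(rows, key=lambda row: row[3], reverse=True)


def reassess(register, asset, threat, likelihood=None, impact=None):
    """Update one risk's factors when circumstances shift and return it."""
    for r in register:
        if r.asset == asset and r.threat == threat:
            if likelihood is not None:
                r.likelihood = likelihood
            if impact is not None:
                r.impact = impact
            return r
    raise KeyError(f"no risk registered for {asset!r} / {threat!r}")


# Constructed sample register and tolerance.
SAMPLE_REGISTER = [
    Risk("Customer database", "Credential phishing of staff", 3, 5,
         [Control("MFA on all accounts", likelihood_reduction=2)]),
    Risk("Laptops", "Lost or stolen device", 2, 4,
         [Control("Full-disk encryption", impact_reduction=3)]),
    Risk("Payroll SaaS vendor", "Vendor breach exposes employee data", 2, 4),
]
TOLERANCE = 6   # residual score at or below 6 is acceptable (constructed)


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER, TOLERANCE):
        print(row)
    # Circumstances shift: a fully remote workforce makes phishing more likely.
    reassess(SAMPLE_REGISTER, "Customer database",
             "Credential phishing of staff", likelihood=5)
    for row in assess(SAMPLE_REGISTER, TOLERANCE):
        print(row)
```

On the first pass the unmitigated vendor risk is the only one above tolerance; after the likelihood update the phishing risk, which MFA alone had brought down to an acceptable residual, is back at the top of the list. That is the point of re-running the assessment whenever the environment changes rather than once a year: the control set that was sufficient last quarter may not be sufficient now.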

Technology: There are a number of tools you can use to stay on top of regulatory updates and other risk events. Newsletters, Google Alerts, and visits to regulators’ websites may work to an extent. If your organization operates in many jurisdictions, you may consider using regulatory monitoring software to identify the regulatory changes that matter to you.

05 How to Achieve Continuous Compliance Part 2: Align Controls to Risk Management Strategy

Once you have an updated view of risks, it’s time to update your controls to ensure they are sufficient in mitigating the risks that matter. It’s hard to give advice on control design, as controls need to be tailored to address specific risks and the protection of specific assets.

People: On the people side of things, you’ll want to make sure you’re bringing together the right stakeholders to design the controls. This group should include employees who are or will become control operators (e.g., administrators of key systems) and internal experts with subject matter expertise in domains including legal, risk, compliance, information technology, data privacy, communications, and human resources.

If your organization is missing in-house expertise in some of these domains, it’s important to consult with external risk assessment and compliance program design experts.

Process: Once controls have been designed, it’s important to determine what type of evidence is needed to verify their effectiveness and how often that evidence should be reviewed (e.g. monthly, quarterly, once a year). To determine the types of evidence you want to collect and how frequently to review evidence, you may consult with your auditor or another professional services firm.

Once you’ve determined the types of evidence you need to collect and the right cadence for each type of evidence, you’ll design a clear process for collecting the evidence and communicate that process to stakeholders that will participate in the process. Further, you’ll need to establish a plan to test the evidence.

Technology: Technology can help by providing a visual line of sight between risks and controls. For instance, continuous compliance software like Hyperproof makes it easier for an organization to see where there are gaps in control processes, so an organization can evolve its set of controls to cover new risks.

As new risks are identified, Hyperproof provides visibility to see if existing controls are already in place to address the risk, or if new controls are needed. Hyperproof also enables you to see the gaps between your existing control set and what would be needed to adopt leading cybersecurity frameworks like the NIST SP 800 series or the ISO 27000 series with a feature called CrossWalks. For more details about CrossWalks, check out this article.


Last but not least, Hyperproof gives compliance managers tools to easily collect evidence and review it on a cadence. We’ll talk about this in greater depth in the next section.

In addition to using tools that tell you the delta between your existing control set vs. what’s recommended within leading cybersecurity and data protection frameworks, you will likely need a number of other tools to enforce certain standards, detect certain types of threats or vulnerabilities, triage them and then take remedial actions.

It is beyond the scope of this article to cover all the categories of tools that can support your compliance and security objectives. However, at this point, we’ll leave you with one reminder: it’s important to review the findings from your most recent risk assessment before selecting new tools. The tools you select should be ones that effectively mitigate the risks specific to your assets as identified through the risk assessment.

06 How to Achieve Continuous Compliance Part 3: Ensure consistency in performing control processes

To make sure that all controls are performed correctly and on time, you’ll need to help control operators feel a sense of “buy-in” or ownership over the control process they’re responsible for. Additionally, it’s important to make sure that policies and procedures are easy to follow and compliance tasks are as user-friendly as possible. Here are the key considerations from a people, process, and technology standpoint:

People: The best way to make sure that control operators take responsibility for performing controls is to proactively involve them in the design of the controls. Risk and compliance leaders should meet with operations teams to inform them about the control objectives and how they impact business objectives. Additionally, it’s important to have conversations with control operators to understand their day-to-day workflows so you can understand how controls can be designed to be seamlessly integrated into existing operations.

Collaborating with control operators in the design of controls fosters a sense of ownership over compliance processes. You can also incentivize control operators by recognizing people for their contributions towards compliance objectives, or even make compliance results a factor in your variable pay/bonus compensation scheme.

Process: As we mentioned earlier, control processes can fail for one of three reasons:

  • People change roles, leave your organization, or simply get too busy.
  • Your business process or technology changed, but you have not updated the design of your controls.
  • A compliance requirement was missed altogether.

To prevent controls from failing, you’ll need visibility into control processes that were not performed on time so that the appropriate personnel can resolve issues quickly. You’ll also want to evaluate evidence from established control processes on a regular basis, as opposed to waiting until right before an audit.

Examples of documentation that can serve as evidence of continuous compliance include:

  • Security policies, procedures, and protocols
  • System logs
  • System config
  • System architecture maps
  • Code of conduct/employee handbook
  • Vendor reviews and questionnaires
  • User access and identity management reviews
  • Business continuity procedures
  • Cyber incident response plans

To learn more about how to avoid control deficiencies, check out this article.

Technology: Hyperproof was built to give risk and compliance leaders the visibility they need to keep things on track and ensure that no one drops the ball. It also comes with tools to make compliance tasks such as submitting evidence as user-friendly as possible -- so people outside of the compliance team aren’t burdened by requests to provide compliance documentation and compliance managers know whether they’ve got everything they need.

With Hyperproof, compliance managers can use Labels to facilitate evidence collection. If an auditor is going to ask for a piece of proof at audit time, you can label it to make it quicker and easier to locate. Additionally, labels can be applied to a piece of proof that can validate multiple controls. Each label has a freshness feature, so a compliance manager can set a policy to quickly tell each participant whether the evidence is up to date. To learn more about how to use Labels to speed up evidence collection, check out this article.

Ensure consistency in performing control processes - Labels

Hyperproof also makes it easy to see whether someone has dropped the ball on a control and re-assign control ownership as needed. For instance, with Hyperproof you can specify that John, an IT Security Analyst, conducts penetration testing once a quarter. Then, through Hyperproof’s dashboards, you can easily see if evidence has been provided that demonstrates penetration testing has been performed. A compliance manager can also easily re-assign a control to someone else if John -- the original control performer -- has left your organization or is out of the office.

Ensure consistency in performing control processes - Controls

Compliance operations software like Hyperproof can also eliminate duplicative work (e.g., having to collect the same piece of evidence five times to meet five different compliance frameworks) by helping users identify common controls and common evidence across compliance frameworks.

07 How to Achieve Continuous Compliance Part 4: Ensure Governance and Oversight

To make sure that all controls are performed correctly and on time, compliance leaders need oversight into the tactical work performed on a day-to-day basis. The compliance leader also needs a clear view into who is responsible for each control process, when each control needs to be re-evaluated, and whether a control operator has performed their task or not.

This is an area where technology can be incredibly helpful.

When an organization starts to manage all of their compliance projects in a single place, it becomes a lot easier to get the right set of data for decision making.

Hyperproof gives organizations a central location where all of their compliance requirements, controls, and proof can be stored and managed. It provides dashboards allowing compliance managers to quickly answer questions such as, “Where are we with our evidence collection?”, “What controls need to be updated or redesigned?”, and “What do the examiners need to see?” With data at their fingertips, compliance managers and control operators always know what they need to do next.

08 How to Achieve Continuous Compliance Part 5: Automate Key Processes to Improve Efficiency


When it comes to gaining operational efficiency, technology is essential.

In fact, Hyperproof was built to eliminate the inefficiencies stemming from the cross-functional nature of compliance projects. Specifically, it comes with a set of tools to remove friction points from collaborative processes. With Hyperproof, compliance managers no longer need to send people email reminders and calendar invites to nag them to get things done. Collaborators such as HR managers, software engineers, and product managers can work with the compliance team in familiar tools (e.g. Google Drive, Outlook), and no one has to learn new compliance jargon in order to complete compliance tasks.

Here’s an illustrative use case that demonstrates how Hyperproof works to automate compliance processes and reduces work for both parties.

Get your HR manager to submit signed employee agreements on time

Let’s say you’re a compliance manager and you need to collect copies of signed employee agreements, where employees acknowledge they’ve reviewed corporate policies in the Employee Handbook, on a semi-regular basis. These digital signatures are proof you need to submit to an upcoming audit in three weeks, plus four other audits later in the year.

With Hyperproof’s integrations to cloud storage and productivity tools and features like Labels, you can automate workflows around the collection of evidence, meaning you don’t have to repeatedly request the signed employee agreements from your HR manager.

Making this work requires just a few simple steps:

  • Your HR manager tells you where she stores these employee agreements. For instance, they are in a company-owned Google Drive.
  • In Hyperproof, you create a “Label” called “Signed Employee Agreements”.
  • You link this “Signed Employee Agreements” Label to the controls that call for employee agreements as proof.
  • You assign this Label to your HR manager; this way, she knows she’s responsible for keeping the label up-to-date. She can log into Hyperproof to manage this Label.
  • You set a “refresh” cadence on this label every 30 days. This is a reminder to your HR manager to check on the employee agreements every 30 days and keep the proof up to date.
  • To upload evidence automatically to this new “Signed Employee Agreements” label, simply give permission to Hyperproof to connect to the appropriate Google Drive and authenticate the connection.
  • Each day, Hyperproof will automatically ping the Google Drive folder, check to see if there are updated files in the folder, and pull the new files into Hyperproof. No need to email or call your HR manager to collect this type of proof anymore.
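Several situations in this guide reduce to the same daily check: a control process that was not performed on time, evidence that is only pulled right before an audit, a SIEM whose alerting configuration was never captured as proof, a quarterly penetration test whose owner has since left, and the 30-day refresh cadence on the Label in the steps above. For every piece of evidence the question is when it was last refreshed, whether that is past its cadence, and whether the owner can still act on it. The Python below is an added illustration of that check; it is not Hyperproof’s code. The Label, owner, control id, file and date values are constructed, and the daily pull from the shared folder is simulated with an in-memory listing rather than a real Google Drive connection.

```python
"""Evidence freshness monitor: the daily check behind a refresh cadence.

Added illustration for this guide, not Hyperproof's code. All labels, owners,
control ids, file names and dates below are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class EvidenceLabel:
    name: str
    owner: str
    refresh_days: int            # cadence: evidence older than this is stale
    controls: list               # control ids this label serves as proof for
    files: dict = field(default_factory=dict)   # file name -> last-modified date


def freshness(label: EvidenceLabel, today: date):
    """Classify a label as 'fresh', 'stale' or 'missing'.

    The second value is days past the due date (negative while still fresh,
    None when no evidence has ever been attached)."""
    if not label.files:
        return "missing", None
    newest = max(label.files.values())
    due = newest + timedelta(days=label.refresh_days)
    overdue = (today - due).days
    return ("stale" if overdue > 0 else "fresh"), overdue


def sync_folder(label: EvidenceLabel, folder_listing: dict):
    """Simulated daily pull from the shared folder: attach any file the label
    has not seen yet. Returns the names of the newly attached files."""
    new_files = [name for name in folder_listing if name not in label.files]
    for name in new_files:
        label.files[name] = folder_listing[name]
    return new_files


def daily_check(labels, today: date, active_staff: set):
    """One row per label: its status, the controls left without current proof,
    and who has to act. An owner who is no longer active is an escalation,
    because that is exactly when a control process silently drops."""
    report = []
    for label in labels:
        status, overdue = freshness(label, today)
        if status == "fresh":
            action = "none"
        elif label.owner not in active_staff:
            action = "reassign"
        else:
            action = "remind owner"
        report.append({
            "label": label.name,
            "status": status,
            "days_overdue": overdue,
            "owner": label.owner,
            "action": action,
            "controls_at_risk": [] if status == "fresh" else list(label.controls),
        })
    return report


# --- constructed sample data -------------------------------------------------
TODAY = date(2020, 6, 30)
ACTIVE_STAFF = {"hr-manager", "secops"}      # "john" has left the organization

# Files found in the pentest folder on the next daily pull (constructed).
Q2_FOLDER_LISTING = {
    "pentest_2020-Q1.pdf": date(2020, 3, 20),
    "pentest_2020-Q2.pdf": date(2020, 6, 28),
}


def make_sample_labels():
    """Fresh copies of the constructed labels, so each run starts clean."""
    return [
        EvidenceLabel("Signed Employee Agreements", "hr-manager", 30,
                      ["HR-1", "POL-3"],
                      {"agreements_2020-06-15.pdf": date(2020, 6, 15)}),
        EvidenceLabel("Quarterly Penetration Test Report", "john", 90,
                      ["VM-4"],
                      {"pentest_2020-Q1.pdf": date(2020, 3, 20)}),
        EvidenceLabel("SIEM Alerting Configuration Export", "secops", 30,
                      ["LOG-2"]),
    ]


if __name__ == "__main__":
    labels = make_sample_labels()
    for row in daily_check(labels, TODAY, ACTIVE_STAFF):
        print(row)
    # The daily pull finds the Q2 report, and the pentest label is fresh again.
    print(sync_folder(labels[1], Q2_FOLDER_LISTING))
    print(freshness(labels[1], TODAY))
```

Run daily, the report is the leading indicator this section asks for: the employee agreements are within cadence and need nothing, the penetration test is 12 days overdue and its owner is gone, so it must be reassigned rather than reminded, and the SIEM export has never been collected at all, which is the “alerts were never turned on” case caught months before an auditor would ask. The simulated folder sync shows how attaching a newer file moves a label back to fresh without anyone emailing the owner.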
