As a leader within a growing company, you know that compliance is something you must deal with at some point as you expand your business. You may be tasked with setting up the organization’s compliance program, but you’re not sure where to start and you’re grappling with the following questions:
- Which programs or IT compliance frameworks do companies like ours need to adhere to?
- Do we have enough resources to invest in compliance at this moment?
- What are the things we need to do now versus things we can put off until the business is more established?
In this article, when we talk about a compliance program, we’re talking about a specific set of internal policies and procedures a firm develops to comply with a particular security/privacy standard (e.g. SOC 2, ISO 27001) or regulation (e.g. GDPR). Industry standards often have overlapping requirements, so an organization may develop one policy or a set of policies that satisfies multiple requirements. It’s important to note that an audit is always executed against a specific industry standard, so you will need to get to know the requirements of each program and budget for each audit.
Keep in mind that your organization can be compliant with certain industry standards and regulatory requirements (e.g. HIPAA) without having a formal program. However, you’ll need to start a formal compliance program eventually because your customers, partners, and/or investors need to see more formal or “official” evidence of compliance in order to feel comfortable working with you.
What is a compliance program?
A compliance program is a set of internal policies and procedures within a company to comply with laws, rules, and regulations or to uphold the business’ reputation. Where requirements of a regulatory authority do not apply, a compliance program within an organization addresses the conduct of employees to abide by internal policies (e.g. spending corporate funds or keeping confidentiality) and, more importantly, to maintain the firm’s reputation among its customers, suppliers, employees, and even the community where the business is located.
Factors That Will Impact Your Timeline
What is the right time to start a formal compliance program and work towards passing an audit? The right answer is that it depends on your particular circumstances. Here are the key factors to consider:
When will you be in-market?
When are you launching your product? What do your customers care about? Are your customers large enterprises, or are they in highly regulated industries?
You’ll need a compliance program — and pass assessments (e.g. SOC 2, ISO 27001) — when your customers, partners, and/or investors ask for it. If you’re selling software or services to B2B enterprise customers, it is just a matter of time before a customer will demand proof of compliance (e.g. a SOC 2 report) before they’re willing to be in business with you.
Have you built enough software?
If you’re looking to get certified against any security standard (e.g. SOC 2, ISO 27001), you need to have established software development processes before you schedule an audit. Security controls (e.g. who has access to data) should be built into your software development lifecycle. If you haven’t developed the processes to govern how you develop software at your organization, there isn’t going to be enough content for an auditor to audit.
Have you implemented key company-wide processes?
Making sure employees abide by internal policies and your organization’s code of conduct is a critical part of your compliance program. Auditors will want documentation of your key company-wide processes during an audit. Thus, it is important to implement certain company-wide processes before engaging with an auditor.
Documents and policies you’ll need to have include:
- New employee on-boarding policy
- Company handbook (also known as Code of Ethics and Business Conduct)
- Information security policies (a set of documents aimed at the preservation of confidentiality, integrity, and availability of systems and information used by an organization’s members)
Do you have a part-time resource to drive the process?
You need someone who has the time and sufficient expertise to drive the process forward and keep everyone on track. Managing compliance doesn’t need to be someone’s full-time job, but at a minimum, you need someone who can devote a good portion of their time to managing the process. Additionally, the project leader needs a sufficient understanding of your business and your technology stack and to be able to figure out what controls the organization needs to create in order to meet the requirements of the program. Typically, a CTO, VP of Product, VP of Engineering, or someone who has deep security background should be the one to lead this process.
Here at Hyperproof, our CEO (who was the CTO of his previous company) and our VP of product management are leading the charge on our own compliance program. Others such as our VP of engineering and engineers focused on security are involved as well.
Do you have the budget?
You’ll need to invest internal resources in program design and program implementation and budget time to work with your auditors. You may need to invest money in hiring consultants to help you design controls for your environment, and you will definitely need to pay auditors to audit your program. For an early-stage startup, you may find that your compliance spending is one of the largest spending categories for your business.
What’s the industry norm to get through an audit?
There are industry norms for how long it takes to get through certain types of audits.
For example, SOC 2 is a common IT security standard that tech companies need to comply with in order to sell to enterprise customers. It may take about 4 months to get through a SOC 2 Type 1 audit. Once you pass a SOC 2 Type 1 audit, it takes between 6 and 12 months to get through a SOC 2 Type 2 audit.
The difference between a SOC 2 Type 1 report and a SOC 2 Type 2 report is pretty simple: a Type 1 audit looks at the design of a specific security process or procedure at one point in time, while a Type 2 audit assesses how successfully that security process operates over time.
Sample SOC 2 Timeline
- Month 0 — plan and prepare
- Month 1 — perform a readiness assessment (an engagement with the auditor where they review your existing policies and procedures and interview staff to determine what you need to do to pass an audit)
- Months 2 and 3 — design your minimal control set
- Months 3 to 6 — implement your controls, test, and document
- End of month 6 — SOC 2 Type 1 Audit
- Months 7 to 11 — monitor your controls, improve on certain areas
- Month 12 — SOC 2 Type 2 Audit
Once you have determined when to start, it’s time to figure out which program(s) you want to pursue. To determine which programs to pursue, you’ll want to consider your customer base and your product development strategy. You can check out this article for guidance on the specific compliance programs technology startups may want to focus on first.
The four elements of an effective compliance program
An effective compliance program has a critical impact on an organization’s ability to operate with integrity, consistency, and quality and maintain trust and credibility with organizational stakeholders including customers, partners, vendors, employees, and investors. It is also an important component of an effective risk management program.
1. Quality
An effective compliance program should align with a broader risk management strategy. Risk assessments should be performed at least annually, and more frequently for higher-risk areas. The ultimate goal of an effective risk management strategy is maintaining a risk environment that is within an acceptable risk tolerance level for the organization. To accomplish this, an organization must identify its risks, define risk tolerances (risk levels that are acceptable), and then design controls in a manner that effectively addresses the risks.
Below are some questions to consider in evaluating the quality of your compliance program:
- Does your risk strategy include a comprehensive view that considers both existing and emerging risks?
- How are risk tolerance levels defined?
- Are key stakeholders involved in setting risk tolerance levels?
- How effectively does the design of the control mitigate the risk?
- Is there a control redundancy strategy, so that if a critical control fails, another control is in place to address the risk?
- Are your controls independently validated to confirm their effectiveness?
By using innovative compliance operations software like Hyperproof, it is easy to ensure your control environment effectively aligns with your overall risk management strategy. As new risks are identified, Hyperproof provides visibility to see if existing controls are already in place to address the risks, or if new controls are needed.
Hyperproof also enables you to see the gaps between your existing control set, and what would be needed to adopt leading cybersecurity frameworks like NIST SP 800 series or the ISO 27000 series.
2. Consistency
The design of a control impacts how effective the control is. Additionally, consistency in performing the control process is an important factor in having an effective compliance program. In this context, consistency means that your controls are operating at the specific time interval, and in the same manner, as they were designed to. To ensure that your controls are operating consistently, you’ll need to have sufficient oversight and visibility into the performance of control processes.
For instance, deploying patches is an important component of vulnerability management. If patches are not consistently deployed at the time they become available, your systems may be left exposed to vulnerabilities. As such, it is important to have visibility into control processes that were not performed on time so that you can quickly resolve issues. This is particularly important for high-risk areas like vulnerability management.
Continuous compliance helps you manage risk more effectively. With continuous compliance, control processes are consistently performed, and evidence from the control processes is evaluated and actioned accordingly. If you are evaluating control processes on a continuous basis, you have an opportunity to refine your risk management strategies in real-time.
For example, if you are using a SIEM solution that does not have both logging and monitoring alerts turned on, you may never be notified of attack indicators. The lack of notifications and alerts reduces the ability to make timely adjustments to network controls. This scenario could have been prevented with continuous compliance: specifically, continuous compliance would have discovered, in a timely manner, that logging and monitoring alerts were not turned on.
Many organizations delay collecting and evaluating evidence until right before they need to submit that evidence to their auditor or security assessor. By delaying evidence collection and evaluation, organizations miss the opportunity to adjust and adapt to their risk environment. If evidence is only collected and evaluated before an audit or assessment, the control process becomes a lagging indicator with little room for adjustment.
Technology can make a big impact when adopting continuous compliance. For instance, you can use a compliance operations solution like Hyperproof to keep all your evidence organized (e.g. linked to the right control/requirement) and use automated reminders to alert control operators to review controls on a regular basis and submit evidence on time.
Additionally, Hyperproof has a feature called ‘Freshness’. You can set a ‘Freshness’ policy to remind yourself and your team to review controls on a cadence and ensure that all controls are appropriately evaluated throughout the year. This helps ensure that no one will forget any of their compliance tasks, which ultimately makes your entire organization more secure and resilient.
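As an added example (not Hyperproof’s code), here is a small evidence-freshness check in the spirit of the cadence-based review described above: each control carries a review cadence, and evidence that is missing, overdue, or about to fall due is flagged and ranked by risk so the gap is found before the audit rather than during it. The control IDs, owners, and dates are constructed sample data.

```python
"""Evidence-freshness check for a control set (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Control:
    control_id: str
    description: str
    owner: str
    cadence_days: int              # how often evidence must be collected and reviewed
    risk: str                      # "high" | "medium" | "low"
    last_evidence: Optional[date]  # None means evidence was never collected


@dataclass(frozen=True)
class Finding:
    control_id: str
    owner: str
    risk: str
    status: str        # "fresh" | "due_soon" | "overdue" | "missing"
    days_overdue: int  # 0 unless status is "overdue"


RISK_ORDER = {"high": 0, "medium": 1, "low": 2}
STATUS_ORDER = {"missing": 0, "overdue": 1, "due_soon": 2, "fresh": 3}


def assess(control: Control, today: date, warn_days: int = 7) -> Finding:
    """Compare the age of a control's latest evidence against its cadence."""
    if control.last_evidence is None:
        return Finding(control.control_id, control.owner, control.risk, "missing", 0)
    due = control.last_evidence + timedelta(days=control.cadence_days)
    if today > due:
        return Finding(control.control_id, control.owner, control.risk,
                       "overdue", (today - due).days)
    if (due - today).days <= warn_days:
        return Finding(control.control_id, control.owner, control.risk, "due_soon", 0)
    return Finding(control.control_id, control.owner, control.risk, "fresh", 0)


def freshness_report(controls: List[Control], today: date,
                     warn_days: int = 7) -> List[Finding]:
    """Everything that needs action, highest risk and most overdue first."""
    findings = [assess(c, today, warn_days) for c in controls]
    needs_action = [f for f in findings if f.status != "fresh"]
    needs_action.sort(key=lambda f: (RISK_ORDER[f.risk], STATUS_ORDER[f.status],
                                     -f.days_overdue))
    return needs_action


def escalations(findings: List[Finding], overdue_threshold: int = 30) -> List[str]:
    """High-risk controls with no evidence, or overdue beyond the threshold, go up the chain."""
    return [f.control_id for f in findings
            if f.risk == "high"
            and (f.status == "missing" or f.days_overdue > overdue_threshold)]


# Constructed sample control set; IDs, owners and dates are illustrative only.
SAMPLE_CONTROLS = [
    Control("PATCH-01", "Security patches deployed within SLA", "ops", 30, "high",
            date(2024, 1, 2)),
    Control("SIEM-01", "SIEM logging and alerting enabled and reviewed", "secops", 7,
            "high", None),
    Control("ACCESS-01", "Quarterly user access review", "it", 90, "medium",
            date(2023, 12, 5)),
    Control("COC-01", "Annual code of conduct acknowledgment", "hr", 365, "low",
            date(2023, 9, 1)),
]
AS_OF = date(2024, 3, 1)  # constructed "today" for the sample run

if __name__ == "__main__":
    for f in freshness_report(SAMPLE_CONTROLS, AS_OF):
        print(f"{f.control_id:<10} {f.risk:<6} {f.status:<9} owner={f.owner} "
              f"days_overdue={f.days_overdue}")
    print("escalate:", escalations(freshness_report(SAMPLE_CONTROLS, AS_OF)))
```

Run on a schedule (the same cadence as your shortest control) and feed the "missing" and "overdue" rows to whoever owns the control; the escalation list is what a senior risk leader would want to see without the rest of the noise.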
Compliance operations software like Hyperproof can also eliminate duplicative work (e.g., having to collect the same piece of evidence five times to meet five different compliance frameworks) by helping users identify common controls and common evidence across compliance frameworks.
3. Governance and oversight
Governance and oversight are key components of an effective compliance program. At the highest level, senior risk leaders need the right information to effectively monitor the effectiveness of the compliance program and make adjustments as needed. Adjustments may include areas such as incorporating new controls to address emerging risks, redesigning weak control processes to make them stronger, or developing new training to improve security awareness among employees.
At a tactical level, a compliance manager needs another set of information to understand how prepared they are for upcoming audits or assessments, quickly see which controls they need to act on, and ensure that control processes are performed correctly and on time. They should also have visibility into the issues that need immediate attention or escalation.
Getting sufficient visibility into the effectiveness of a compliance program can be a difficult challenge for many organizations. This is especially an issue for organizations that manage their compliance efforts in a variety of different tools such as elaborate spreadsheets, email inboxes, and file storage systems like Box, Dropbox, or OneDrive.
However, when organizations start to manage all of their compliance projects in one single place, it becomes a lot easier to gather the right set of metrics for decision-making.
For instance, Hyperproof gives organizations a central location where all of their compliance requirements, controls, and proof can be stored and managed so that compliance managers and external auditors can see everything in one streamlined system. It allows compliance managers to quickly answer questions such as, “Where are we with our evidence collection?”, “What controls need to be updated or redesigned?”, and “What do the examiners need to see?”.
Hyperproof also helps senior risk leaders understand how well their current compliance program stacks up against several best-in-class cybersecurity and data privacy frameworks.
4. Efficiency
Efficiency has to do with how well an organization is managing its resources, including time, employees, and budget. Being efficient means that your team is able to achieve quality, consistency, and effective oversight with an optimal amount of resources. With limited resources, it is particularly important to focus your compliance efforts on the more critical areas.
Making compliance activities more efficient is key to reducing the cost of compliance, which always seems to be going up due to factors such as the rise of data privacy regulations, the growing awareness of third-party risks, a rise in vendor-to-vendor audits, and the shortage of cybersecurity talent.
In terms of operational efficiency, technology will be incredibly important. In fact, Hyperproof was built to help organizations become far more efficient in compliance management. Not only does Hyperproof serve as a single source of truth for all of your compliance activities, but it can also reduce the administrative work around collecting evidence and managing tasks (e.g., updating controls) by half.
Hyperproof comes with a set of features that enable greater efficiency, including:
- Crosswalk: Helps users identify the overlapping requirements and controls between various compliance frameworks
- Integrations with file storage systems where evidence is stored and productivity tools
- Collaboration capabilities between compliance managers, control operators, senior leaders, and external auditors
- Automated reminders to review controls and evidence
- Smart folders and labels to efficiently link a batch of evidence to controls
Building A Compliance Program Checklist
A compliance program is only effective when it impacts the way leaders and employees make decisions large and small. The ultimate goal of doing all this work is to foster a culture of compliance within your organization. Here’s what a culture of compliance means:
- Each individual understands their role in the company’s compliance program and fulfills their individual responsibilities.
- Software and IT systems that handle data are designed to be compliant with the laws and industry standards that govern data privacy, security, availability, and confidentiality. In other words, compliance is baked into your products and business processes.
Here are 10 things you and your leadership team can do to make sure your compliance program is one that truly influences behaviors and is effective in protecting your business.
1. Have a governance structure for your compliance program
When you create a compliance program, the first set of questions you’ll want to answer are about governance. You want to have clear roles and responsibilities and regular and helpful communication between the key stakeholders with responsibilities for compliance. Determine the following:
- Who will be accountable for the compliance program?
- What are the responsibilities of senior management?
- Who are the specific individuals responsible for compliance day-to-day?
- How will information about compliance be escalated?
- What resources will be dedicated to compliance?
To build a culture of compliance, you need a dedicated leader for your program. Because compliance issues have a material impact on a business, the compliance officer needs to have a seat at the table, a direct line to the CEO and a company’s board, and adequate resources to do their job properly.
2. Conduct risk assessments periodically
Compliance programs must be customized to the needs and challenges facing each company and be comprehensive enough to deal with all of the risks the company has identified. An effective risk assessment should begin with a detailed picture of the compliance landscape your company operates in. The two questions to answer are 1) where are you doing business, and 2) what regulations cover businesses like yours?
An effective risk assessment must also include a clear picture of how your organization operates. In other words, you need to know the “who, what, where, when, and how” of the day-to-day operations happening on the ground in your company.
It’s important to note that a risk assessment shouldn’t be a one-off event. Events such as the acquisition of new companies, movement into new geographical or sector markets, corporate reorganization, and engagement with new customers and regulators will raise different types of compliance risks. Similarly, changes in regulations and how enforcement authorities interpret these risks can create new compliance risks. It is important to implement a deliberate, recurring process to periodically update your risk assessment.
3. A code of conduct
A code of conduct reflects an organization’s daily operations, vision, mission, core values, and overall company culture. This document should be readily available to employees and placed on the homepage of the company’s intranet or wherever it will be easily accessible for every employee. Make sure people always know where to find the code of conduct and understand its importance.
If you need some help writing a code of conduct for your company or want some examples of what great code of conduct documents look like, check out these 18 examples.
4. Carefully designed incentive program
When properly used, incentives motivate workers to achieve organizational goals. However, when improperly used, incentives can encourage bad behaviors (e.g. cheating to meet a sales quota) and pose a compliance risk. When doling out rewards to employees, it is important to consider not only the results they achieved but also how they achieved that result. Before you roll out an incentive program, be sure to review it from a compliance perspective, consider potential risks, and develop mitigation measures.
5. Communication between teams
Many different groups within the company are responsible for various aspects of compliance. For example, HR is responsible for sexual harassment claims, IT security handles data privacy and security, and marketing must understand and stay compliant with laws governing user data collection, email communication, and advertising. The compliance team acts as the quarterback of the company’s compliance efforts.
One important thing for compliance to understand is whether all areas of company risk are sufficiently covered, and if not, how to address the risks in the compliance program and determine which group is responsible.
The compliance function also needs to ensure coordination and collaboration between the groups and make sure they address issues and share best practices. A compliance officer needs to create the right policy to ensure different compliance issues are routed to the right group and there’s no duplication of effort or groups operating at cross-purposes.
6. Regular employee training
One hallmark of a well-designed compliance program is appropriately tailored training and communication. Everyone at the company, including executives, needs to know what is in your code of conduct. In addition to knowing the rules they’re expected to follow, employees also need to know who they can turn to for guidance if they have questions about compliance and how they can report violations and concerns.
7. A simple process for reporting misconduct
To foster a culture of compliance, all employees need to understand when they need to report something and how to do so. The code of conduct should detail all the ways employees can raise issues, such as through a toll-free hotline, a monitored email alias, their manager, the general counsel, the head of HR, or however you want issues reported in your company. It is much better for your company to empower employees to raise issues early while there’s time to prevent bigger problems from materializing.
If you want people to report questionable behavior or misconduct, you must put in place and enforce a no-retaliation policy. Employees must believe they won’t face punishment for bringing forth an issue in good faith. There should also be a general policy to ensure confidentiality for both the person bringing the complaint and any employees implicated by the complaint.
8. An established incident management and response process
Being prepared to handle incidents of non-compliance is as important as putting in place controls to mitigate compliance risks. Poor incident management can dramatically increase the costs a brand must pay for non-compliance, and it is often what gets brands into public headlines. Whether you are dealing with someone who has violated a standard or a system issue that represents a compliance violation, having the steps laid out and understood in advance is key.
9. Ongoing monitoring and evidence collection
To inculcate a culture of compliance, you need to continuously document your compliance program and collect evidence to ensure your controls are working as intended. Along with potentially protecting your company from being fined in the event of an incident such as a data breach, having evidence of your compliance processes on hand can give you an opportunity to find your compliance blind spots. If your compliance evidence doesn’t exist, you’re likely not meeting standards.
Further, if you establish a habit of collecting evidence on a regular basis, it makes external audits smoother and less stressful, because you won’t need to scramble to find the evidence you need just days before the auditor shows up at your office.
Going forward, we can expect to see regulations in areas such as user privacy, security, and others increase at the local, state, federal, and international levels. To reduce compliance risks, you’ll want to dedicate resources to help your organization stay up-to-date with new laws that may impact your business so that you can update your internal control environment to sufficiently mitigate risks.
10. Technology that simplifies compliance management
You can manage your compliance program through spreadsheets, emails, or file storage systems like Dropbox, Google Drive, or Box, but if your compliance data is all over the place, it will be hard to get a holistic picture of your compliance program. If you can’t easily see what policies, controls, and evidence already exist and what’s missing, you won’t be able to get a true handle on your risks.
Using the right technology makes it that much easier to stand up and manage your compliance program. When you use a compliance operations system like Hyperproof, you can quickly map your controls to a new compliance framework, streamline the management of evidence, automate tasks and easily collaborate with various stakeholders in your ecosystem (e.g. employees, vendors, and external auditors) to get work done and maintain an acceptable risk level.
With compliance, it’s important to understand what it actually takes to become compliant and maintain that position. Organizations should focus on four key elements: quality, consistency, effective oversight, and efficiency. Deliberate attention to each area will ultimately lead to a well-functioning compliance program.
Additionally, effective risk management is about being proactive instead of reactive. That includes quickly responding to the alerts indicating weaknesses of critical systems and consistently evaluating/updating the control processes established for prevention/mitigation of potential security incidents.
When compliance costs are rising quickly for organizations of all industries, sizes, and types, prioritizing the right areas, with a solution that is agile, intuitive, and cost-effective, becomes essential.