Now that so many organizations have lived through costly data breaches—many of which are caused by vulnerabilities within third-party software applications they use—merely claiming that your system is secure won’t be good enough for your customers. Instead, your customers and prospects expect you to provide ample evidence that your security controls are functioning properly on a continuous basis to protect their valuable data.
According to NIST SP 800-53 (Security and Privacy Controls for Information Systems and Organizations), security assurance is “the measure of confidence that the security functionality is implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system”. Assurance comes from the demonstrated ability to meet security objectives, evidenced by successful assessments or audits.
In Hyperproof’s 2022 IT Compliance Benchmark survey, we sought to understand how tech companies are managing their security assurance and IT compliance efforts at a tactical level. We conducted this survey in December 2020 and gathered responses from over 1,000 senior IT security and compliance professionals within the technology industry. In this article, we’ll share with you the key results from the survey.
Which Information Security and Data Privacy Compliance Frameworks Do Tech Companies Adhere To?
In this survey, we asked respondents to tell us which information security and data privacy compliance frameworks they’re adhering to or plan to implement in the next 12 to 24 months. Here’s what we found:
Common Control Framework: A Common Way To Control the Chaos
Many information security and compliance and data privacy frameworks have the same underlying principles, with minor differences in how you produce evidence and how your auditor evaluates your environment. A common controls framework (CCF) is a comprehensive set of control requirements, aggregated, correlated, and rationalized from a large array of industry information security and privacy standards.
Utilizing a CCF enables an organization to meet the requirements of multiple security, privacy, and other compliance programs while minimizing the risk of becoming “over-controlled”. Focusing on security first and mapping your security-focused controls to compliance frameworks will help you see your current state more accurately and allow you to easily adapt and expand into different security certifications and requirements.
We asked respondents whether their organization is using a common controls framework to ensure multiple standards’ requirements are being met simultaneously.
- Nearly two-thirds (65%) said they are using a common controls framework already.
- Twenty-seven percent of all respondents said they don’t use a common controls framework yet but plan to create one in the next 12 months.
- Only a small portion—8%—have no plans to create one.
Approaches to Monitoring Vary Significantly
Monitoring is an important part of security assurance: a properly designed monitoring program should trigger early warning indicators that something is happening in the business that could cause a security incident and/or a compliance failure. Organizations may deploy one or multiple approaches to monitoring controls meant to mitigate IT risks, including formal external audits, internal audits, and software applications.
While most surveyed organizations did have some type of process in place to monitor for compliance failures, there were significant variations in the modes used to monitor from one company to the next.
- The largest proportion of respondents (37%) used only one method—external audits—to ascertain compliance. In other words, these organizations’ primary focus is on proving compliance rather than ensuring a continuously secure environment.
- 27% of respondents use external and internal audits to monitor controls on a cadence.
- 29% said they use a combination of monitoring methods—including internal audits, external audits, and software.
- 7% do not have any process in place to monitor the efficacy of internal controls designed to mitigate IT risks.
Evidence Collection and Evidence Management Are Burdensome For Most, Including Those With GRC Tools
Documenting all compliance efforts diligently and having a way to access that information quickly has become more important than ever before, for several reasons:
- Being able to demonstrate compliance can save a business a significant amount of money (and help the organization keep its reputation intact) if regulators discover misconduct in an organization.
- Those that want to achieve information security certifications (e.g. SOC 2, ISO 27001) have to provide evidence of their security policies and technical controls to external auditors for review. Defining cadences for reviewing controls and collecting evidence (as opposed to trying to collect all evidence right before an audit) will lower stress levels for all parties involved in an audit.
- Evidence is essential for conducting effective internal audits. If you can’t easily collect the information you need to test controls, you can’t effectively test the controls.
In this survey, we found that organizations approach evidence collection in three different ways:
- No process: 11% of all respondents said they’re not in the habit of collecting evidence.
- A logical process with ad-hoc tools: 59% of all respondents have a logical process for storing evidence but the evidence is spread across folders in cloud-based file-storage systems and email.
- A logical process with a dedicated tool: The remaining group (30%) are storing most or all of their evidence in dedicated compliance/audit management software.
Further, when it comes to collecting the evidence needed for IT audits, an extraordinary amount of time is spent on completing routine, administrative tasks. Ninety-three percent of survey respondents spend at least one day every workweek on administrative/repetitive tasks, and one out of every two respondents spends 50% or more of their total time at work on administrative tasks.
Want more benchmarks on how organizations are managing their security assurance and compliance efforts in 2021?