Managing controls can be incredibly complicated for fast-growing, global and/or highly matrixed organizations. As an organization grows, the scope of items that fall under your compliance regime increases as well. Trying to manage controls without duplicating work and getting visibility into the statuses of controls and risks can become major headaches for organizations dealing with the scenarios below:
- Your company is selling multiple products to different segments or markets. How can a central compliance team responsible for getting three, five or ten product lines compliant with an infosec standard (e.g. ISO27001) ensure that certain controls have been implemented for each product line?
- Different departments within your company are acquiring new systems that need to be secured and monitored each year. How does a central compliance team ensure that key security controls such as MFA, encryption and least-privilege are implemented and operating effectively across all technology systems across your organization?
- Your company has multiple sites of operations or geographies that fall in-scope for a standard/certification. Some controls apply to all sites while other controls only apply to particular sites.
- Your company has grown through acquisitions and the corporate security/compliance team wants to make sure that the subsidiary entity has a minimum level of security. How could both the corporate compliance team and control owners at the subsidiary entity stay on the same page about the status of controls and where the actual risks are?
In these scenarios, a compliance team will need to onboard additional product lines, systems, divisions, entities and/or owners onto existing controls. The current solution – creating an individual control for each new product line and/or owner within a program to allow controls to be self-managed – neither scalable nor efficient.
Hyperproof’s unique multi-scope controls management feature is designed to address the sticky, scale problem that arises when an organization’s reach and its respective compliance burden grows.
How Multi-Scope Controls in Hyperproof Work
Compliance managers are familiar with the idea that they must carefully consider what’s included in the scope of compliance. The scope of compliance (and control requirements) are typically footed to one of the following structures:
- A set of technology systems that process sensitive data
- A set of geographical sites of operations that are impactful from a security, compliance and business continuity perspective
- Product lines that need to clear a certain bar in terms of safety, privacy and/or security.
- Business units using certain technologies that need to follow compliance standards
- Subsidiaries under a parent company that need to follow certain standards
Hyperproof’s Multi-Scope Controls Management feature lets your central compliance team implement controls and communicate control requirements across multiple entities or units within your organization that fall in-scope, while allowing people within each entity to manage their own controls. The beauty of this feature is that your organization has flexibility in how you scope or structure the relevant entities that need to adhere to controls requirements.
With this feature, you do not need to create a separate control for each entity. Instead, a central compliance team can manage and share common information and overall health at the parent control level that is shared with child controls as read-only.
This allows for quick onboarding of new products, systems, business units, divisions and/or control owners through child control creation. Product teams, control owners within a business unit, system owners can manage/interact with their own (child) control without impacting the information of other (child) controls.
Additionally, each product team, division, system owner and/or control owner can configure custom fields to track relevant information they need on their controls without impacting the information of other (child) controls. This set-up helps everyone eliminate duplicative work and errors. Compliance professionals and control owners are able to communicate seamlessly with one another directly on the controls.
When a child control becomes “unhealthy”, the parent control’s status automatically updates to “unhealthy” as well. This allows a compliance manager to quickly spot an issue and follow up with the appropriate control owner to fix it.
Further, if a control is linked to a risk in your Hyperproof risk register – and a child control has become “unhealthy” – then that risk is affected appropriately.
The Benefits of Using Multi-Scope Controls
With Multi-Scope Controls Management, an organization can achieve significant efficiency gains when managing controls at scale. This feature allows an organization to address several scaling use cases in a streamlined manner:
- Ensuring that a set of controls have been implemented and are operating effectively for multiple product lines
- Ensuring that key security controls such as MFA, encryption and least-privilege are implemented and operating effectively across all technology systems across your organization
- Knowing exactly what controls apply to all sites of operations vs. which ones apply to particular sites
- For companies that have multiple subsidiaries, ensure that both the corporate compliance team and control owners at the subsidiary entity stay on the same page about the status of controls and where the actual risks are
Further, compliance managers are able to get the depth of information they need on controls’ health so they can drive accountability for managing controls at the lower level (within a product team, division, system, etc).
Are you currently using this feature? If so, we’d love to get your feedback so we can continue to simplify your compliance workflows.
To start optimizing your compliance operations, book a demo with our team today.