With the rise of new technologies like cloud, IoT (Internet of Things), blockchains, and many others, businesses have become more complex and constantly connected, giving rise to new business risks. With the ever-changing risk landscape, companies are inundated with a myriad of regulatory and compliance requirements. These requirements are time consuming, occupying key resources several times a year. Companies struggle to function smoothly and at the same time remain compliant. Integrated compliance frameworks offer a mechanism to implement a single enterprise-wide compliance framework wherein the goal is to “Control once, comply multiple times”. While the concept looks very appealing and simple, companies often fail to implement it correctly. Below are the key points to keep in mind while implementing an integrated compliance framework to avoid common pitfalls.
Correctly identify and adopt the size and magnitude of the scope
When companies get started with integrated compliance efforts, they are tempted to include every single asset and every single regulatory requirement (e.g., SOX, PCI, HIPAA) in the scope. While this should be the ultimate goal, the magnitude of such a scope is so large that it becomes difficult to meet all the compliance requirements in a tight timeline. Therefore, prioritizing is key. First, prioritize the key compliance and regulatory requirements on your calendar; next, prioritize the key assets; then draw a boundary around the scope to freeze it. It is important to keep the broad goal in mind while starting small, with a pilot whose scope is manageable. For example, if PCI and HIPAA take precedence over other requirements, ensure the assets containing credit card data and health information are identified and scoped for the pilot.
Develop a risk assessment
Companies face regulatory requirements spanning different data types, such as financial data, health data, and payment card data. These requirements are ever changing and, as a result, the risk landscape keeps changing as well. The biggest commonality among these compliance requirements is that each is driven by a comprehensive risk assessment. Therefore, risk assessments become the linchpin of a successful integrated compliance program. An ideal scenario would be to develop an enterprise-wide risk assessment process wherein the risk assessment activities are coordinated and shared across the business, reducing duplication of effort.
Identify the stakeholders and establish a steering committee
Oftentimes, identifying the stakeholders and control owners within different functions, such as Security, IT, Internal Audit, Ethics, and Human Resources, becomes a time-consuming exercise in the large and complex effort of implementing integrated compliance. It is critical not only to identify the stakeholders but also to communicate the end goals of the effort to them early on. This sets the vision and the mission of the project. It is essential to establish a core steering committee that oversees the overall progress and establishes interim milestones. The steering committee should also develop reporting goals and key metrics that will measure the success of the implementation.
Select the controls and requirements by keeping in mind the context of the environment
The controls and requirements that are being considered as part of the program should be thoroughly evaluated in context, keeping in mind the size of the organization and the bandwidth available to its resources. Understanding and capturing the scope of each applicable requirement is crucial to demonstrating that the appropriate level of control has been applied to the environment without over-controlling. While attempting to comply with multiple standards, one shouldn’t overdo it. It is important to remember that an integrated compliance framework will help you address the common controls across the different frameworks, but that doesn’t mean all the controls should be applicable to the entire organization. Oftentimes, we forget that common controls apply only to a subset of a common environment and not to the entire organization. These distinctions and boundaries are critical in managing board-level expectations and achieving the desired results in a limited time span.
In conclusion, implementation of an integrated compliance program is a complex effort and cannot be done overnight. It needs careful planning and consideration. Keeping in mind the above points can help simplify your compliance journey.
Zeal is an experienced cyber-security and assurance professional based in the Washington, DC metro area. She is a hands-on security professional who has advised several clients on control architecture meeting industry standards. She has in-depth knowledge of compliance requirements like PCI DSS, SOC, and HIPAA and standards like NIST, HITRUST, ISO 27001/27002, etc.
In her current role with ControlCase LLC, she leads the ISO 27001 compliance practice within the North America region. She also leads several PCI engagements and executes the full PCI DSS program lifecycle to assess compliance and help architect missing controls for her clients. She frequently engages with business and technical stakeholders to help identify information technology and security solutions required to meet organizational, regulatory, and strategic compliance requirements and objectives. Her key clients include banks, financial organizations, non-profits, and healthcare firms.
Before joining ControlCase, she was part of PwC’s Cyber Security and Privacy practice based in McLean, VA.
Her professional qualifications include CISSP, CISA, PCI QSA, and ISO 27001 Lead Auditor.