Today’s tangled web of compliance obligations impacts each and every corner of an organization’s day-to-day operations. Yet, despite this, countless organizations still take a siloed, reactive approach to their compliance obligations, often leaving themselves to unpick overlapping requirements while they play a constant game of catch-up. Not only are these businesses likely to miss things, their approach to compliance is often so poorly optimized that they’re spending far more than they need to, investing in repetitive manual processes to deal with overlapping compliance requirements.
So, with everything from GDPR to CCPA, NIST to ISO, what should organizations be focusing on to ensure that they maintain compliance, effectively address overlapping requirements, and generally take a more proactive approach?

How did things get so complicated?
In today’s interconnected world of rapid data exchange, online documentation and evolving supply chains, it’s easy to see how regulatory compliance could become unwieldy for even the smallest of organizations. Business goals and objectives can change from month to month and new ones can be added into the mix. New contracts and partnerships can materialize quickly, which come with additional regulations and standards to adhere to. New people can join the business, bringing with them new ideas and processes which can also add additional complexity and standards for the business to manage. Then of course, there are the regulations and underlying citations themselves, which are prone to changes and frequently updated.
With all of this – and more – going on, organizations can end up dealing with countless regulations, frameworks and standards. This in and of itself isn’t a problem – remember, regulations are in place to protect customers, businesses and the industries they operate in. What is often a problem, however, is the way in which this web of compliance is handled by separate teams and departments, often in completely different geographical locations. This can lead to stakeholder complaints, audit fatigue and duplicated effort, with different teams asking for the same thing to satisfy multiple overlapping requirements.
The pain of overlapping requirements
Overlapping requirements can work to an organization’s benefit, but only if it’s equipped to deal with them in the right way. A few examples of regulations and standards with overlapping requirements might be as follows:
- ISO: 5.1.1 Policies for information security
  A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.
- NIST: Governance (ID.GV)
  ID.GV-1: Organizational cybersecurity policy is established and communicated.
- PCI DSS: Requirement 12: Maintain a policy that addresses information security for all personnel.
  12.1 Establish, publish, maintain, and disseminate a security policy.
Each of these requirements shares common ground, but too many organizations work to comply with them separately as they are added into the mix. If a business already complies with NIST ID.GV-1, for instance, and then makes a business decision which means it has to demonstrate compliance with PCI DSS Requirement 12.1, it will find itself duplicating a lot of work: collecting the same evidence multiple times and auditing what is essentially the same requirement.
How should overlapping requirements be addressed?
Instead of dealing with these regulatory requirements separately and adding them onto the pile, businesses need to rationalize them. This can be achieved by adopting or developing a set of baseline controls – a set of controls baselined to the internal and external requirements you as an organization want to meet. So instead of having dozens of similar controls in place to meet overlapping requirements, you have one control mapped to each of them. This simplifies compliance and security operations by reducing the number of controls an organization has to deal with, which in turn reduces the effort needed to test and audit those controls. Consistent organization-wide formats and language can be employed across the control base to aid reporting and evidence collection, making audits less of a burden.
One of the great things about working with SureCloud is that we are framework agnostic. That means we can support out-of-the-box control sets like SCF and UCF, as well as direct framework access to the likes of CSA, CIS, NIST and more. There’s no reason to reinvent the wheel when it comes to compliance: combining pre-mapped IT compliance frameworks with a set of baseline controls can be enough to turn compliance around within your organization.

About Matthew
Matthew Davies is a Senior Director of Product Management at SureCloud and works with Information Security, Risk and Compliance professionals to help them establish consistent and repeatable Governance, Risk and Compliance processes and tooling.
Matthew has been working in GRC technology and IT Risk assurance for the last seven years. In that time, he worked at PwC and Deloitte before joining SureCloud, working with RSA Archer, ServiceNow GRC, Auris GRC, IBM OpenPages and Bwise. Matthew supported organizations with building their GRC framework to automate and optimize their manual GRC processes.