Vector
Vector

Choose your topics

Blogs
What is Risk Management in Cybersecurity?

Let’s explore the essentials of risk management in the context of cybersecurity to help you understand how to identify, assess and mitigate cyber threats effectively.

Cyber Risk Management Enterprise Risk Management
Blogs
3 Best Practices for Data Privacy

With more technology comes more data, and with that a greater need for data privacy enforcement. What best practices should you be following?

Data Privacy
Blogs
How to Prioritize Your Third-Party Risks

How can you prioritize effectively and enhance your organization’s security posture? Here are our top tips for setting up realistic, sustainable processes.

Third-Party Risk Management GRC
Blogs
Top Tips to Save Time When Assessing Third-Party Risks

Is assessing third-party risks taking up too much of your time? How can you make the process more effective and efficient? Find out in the latest post from SureCloud.

Third-Party Risk Management GRC
Blogs
The GRC Trends to Look Out for in 2024

Our GRC experts at SureCloud share their 2024 predictions for the world of governance, risk and compliance.

GRC
Blogs
The Top 5 Challenges of Third-Party Risk Management

With the supply chain now seen as a legitimate attack path, what can your organization do? Let’s explore 5 challenges of TPRM and how to overcome them.

Third-Party Risk Management GRC
Blogs
What is Third-Party Risk Management?

What is third-party risk management and how should you approach it? Find out in this post.

Third-Party Risk Management GRC
Blogs
Questions You Should Ask when Preparing For Your First Pen Test

Understand the processes that you and your chosen pentest provider will travel through for your first pen test, from the initial point to the day the test starts.

Penetration Testing
Blogs
TPRM Blog 6-Writing Clear Questions

Our GRC Practice Director explores the importance of clear communication and how to achieve it in your third party questionnaires. Read more here.

Third-Party Risk Management GRC
Vector (7)
Vector-1
Compliance Management, GRC

Compliance Optimization: How To Streamline Your Compliance Obligations

Compliance Optimization: How To Streamline Your Compliance Obligations
Written by

Matthew Davies

Published on

10 Aug 2021

Compliance Optimization: How To Streamline Your Compliance Obligations

 

Today’s tangled web of compliance obligations impacts each and every corner of an organization’s day-to-day operations. Yet, despite this, countless organizations still take a siloed, reactive approach to their compliance obligations, often leaving themselves to unpick overlapping requirements while they play a constant game of catch-up. Not only are these businesses likely to miss things, their approach to compliance is often so poorly optimized that they’re spending far more than they need to, investing in repetitive manual processes to deal with overlapping compliance requirements.

So, with everything from GDPR to CCPA, NIST to ISO, what should organizations be focusing on to ensure that they maintain compliance, effectively address overlapping requirements, and generally take a more proactive approach?

How did things get so complicated? 

In today’s interconnected world of rapid data exchange, online documentation and evolving supply chains, it’s easy to see how regulatory compliance could become unwieldy for even the smallest of organizations. Business goals and objectives can change from month to month and new ones can be added into the mix. New contracts and partnerships can materialize quickly, which come with additional regulations and standards to adhere to. New people can join the business, bringing with them new ideas and processes which can also add additional complexity and standards for the business to manage. Then of course, there are the regulations and underlying citations themselves, which are prone to changes and frequently updated.

With all of this – and more – going on, organizations can end up dealing with countless regulations, frameworks and standards. This is and of itself isn’t a problem – remember, regulations are in place to protect customers, businesses and the industries they operate in. What is often a problem, however, is the way in which this web of compliance is often handled by separate teams and departments, often in completely different geographical locations. This can lead to stakeholder complaints, audit fatigue, duplicated effort asking for the same thing to satisfy multiple overlapping requirements.

The pain of overlapping requirements

Overlapping requirements can work to an organization’s benefit, but only if it’s equipped to deal with them in the right way. A few examples of regulations and standards with overlapping requirements might be as follows:

  • ISO: 5.1.1 Policies for information security

A set of policies for information security should be defined, approved by management, published and communicated to employees and relevant external parties.

  • NIST: Governance (ID.GV)

ID.GV-1: Organizational cybersecurity policy is established and communicated.

  • PCI DSS: Requirement 12: Maintain a policy that addresses information security for all personnel.

12.1 Establish, publish, maintain, and disseminate a security policy.

Each of these requirements shares common ground, but too many organizations work to comply with them separately as they are added into the mix. If a business already complies with NIST ID.GV-1, for instance, and then it makes a business decision which means it has to demonstrate compliance with PCI DSS Requirement 12.1, it will find itself duplicating a lot of work in terms of collecting data multiple times and auditing essentially the same requirement.

How should overlapping requirements be addressed?

Instead of dealing with these regulatory requirements separately and adding them onto the pile, businesses need to rationalize them. This can be achieved using or developing a set of baseline controls – a set of controls baselined to the internal and external requirements you as an organization want to meet. So instead of having dozens of similar controls in place to meet overlapping requirements, you have one control. This helps to simplify compliance and security operations by reducing the number of controls an organization has to deal with, therefore reducing its workload to test and audit the controls. Consistent organization-wide formats and language can be employed across a control base to aid with reporting and evidence collecting, making audits less of a burden.

One of the great things about working with SureCloud is that we are framework agnostic. That means we can support out-of-the-box control sets like SCF and UCF and direct framework access to the likes of CSA, CIS, NIST and more. There’s no reason to reinvent the wheel when it comes to compliance, but using a combination of pre-mapped IT compliance frameworks a set of baseline controls can be enough to turn compliance around within your organization.

Matthew Davies - VP of Product

About Matthew 

Matthew Davies is a Senior Director of Product Management at SureCloud and works with Information Security, Risk and Compliance professionals to help them establish consistent and repeatable Governance, Risk and Compliance processes and tooling.

Matthew has been working in GRC technology and IT Risk assurance for the last seven years. In that time, he worked at PwC and Deloitte before joining SureCloud, working with RSA Archer, ServiceNow GRC, Auris GRC, IBM OpenPages and Bwise. Matthew supported organizations with building their GRC framework to automate and optimize their manual GRC processes.