Companies are struggling to understand and implement the right policies and controls to meet ever-evolving compliance mandates. Yet strict adherence to individual compliance standards means they’ve likely implemented controls they do not need, while inadvertently leaving out important controls necessary for an effective program. This cookie-cutter approach can actually leave organizations more exposed than ever before to potential security risks and controls failures.
In this slideshow, Unified Compliance CEO, Craig Isaacs, explores current compliance gaps, major compliance challenges and practical tips to create more effective compliance programs.
Creating an Effective Compliance Program
Click through for eight compliance challenges organizations face, as well as steps that can be taken to limit exposure, as identified by Craig Isaacs, CEO, Unified Compliance.
Compliance Challenge #1: Compliance Gaps
In the alphabet soup that is today’s regulatory compliance landscape, several prominent standards are so broadly implemented that organizations often mistakenly believe adhering to one, and one alone, is sufficient for building an effective, legally defensible compliance program. But did you know that although ISO 27002 has 238 direct controls, only 16 percent of them overlap with the Sarbanes-Oxley Act (SOX), which mandates 174 direct controls? And when these two standards are compared with PCI DSS 3.0, which has 293 direct controls, only nine common controls span all three.
To reduce audit requirements and curb compliance chaos, organizations must find ways to more efficiently analyze these gaps and overlaps.
Compliance Challenge #2: Skyrocketing Costs
According to Thomson Reuters, more than one billion accounts were compromised last year alone, costing organizations globally up to $1 trillion in losses. In the current threat landscape, regulations and standards continue to multiply, causing many organizations to experience governance, risk and compliance (GRC) like a constant, never-ending root canal…without painkillers, while spending massive amounts of money and time on research, hoping they’re getting it right.
Organizations must find ways to reduce audit and compliance costs by properly defining system scope and related control requirements. This can be done by leveraging a comprehensive compliance framework that provides guidance across a wide range of standards, laws and individual mandates.
Compliance Challenge #3: Compliance Mapping Madness
Too many compliance professionals get bogged down trying to make sense of their IT, privacy, physical security, records management and supply chain requirements. They spend countless hours mapping specific controls to compliance efforts in a piecemeal fashion: regulation statement by regulation statement.
To automate and streamline this time-consuming and maddening process, organizations must adopt tools that enable them to sort through up-to-date demands, figure out which controls they need to implement, and understand how they overlap, quickly and efficiently.
Compliance Challenge #4: The Spreadsheet Burden
Evidence gathering, compliance correlation and ongoing compliance review means massive piles of spreadsheets and templates – and a nagging headache to go with them – for most compliance professionals.
To ease this chronic spreadsheet pain, organizations should look for ways to sort through and identify the controls that directly impact them – while eliminating those that do not.
Compliance Challenge #5: Speaking Different Languages
Compliance professionals shouldn’t feel like they need an interpreter to communicate with IT and legal teams. In addition, most also serve as a translator to make sense of the laws and standards they’re charged with analyzing. However, a truly effective compliance program will rely on a framework that not only includes a single, comprehensive taxonomy that intelligently classifies standards, guidelines and best practices, but also clearly defines terms through a common language so that people across the organization can get – and stay – on the same page.
Having a common language in place helps bridge the gap between ever-evolving regulations and internal company processes. It ensures that content is easily digested and understood, helping to streamline workflow, empower teams to make faster, better-informed decisions, and maximize business performance.
Compliance Challenge #6: Unique Business Requirements
Many organizations believe they can address compliance requirements using high-level frameworks including NIST’s Framework for Improving Critical Infrastructure Cybersecurity or SANS Institute’s Top 20 Critical Security Controls (which is actually 246 direct controls, not 20). High-level frameworks require organizations to fill in the blanks using more prescriptive controls from other authority documents, whether laws, standards, or contractual obligations like PCI.
Organizations must determine which implementation controls must be in place to meet their specific requirements. This can be done by leveraging a framework that aggregates all disparate cybersecurity regulations into one database, allowing them to create a concise, harmonized list of necessary compliance controls to implement.
Compliance Challenge #7: Endless Auditing Cycles
Organizations should not rely on disjointed compliance systems that don’t speak to one another – it often just results in duplicated effort and missed or misunderstood requirements. This further drives up costs and decreases the effectiveness of overall compliance efforts, not to mention the toll it takes on compliance professionals, who are forced to manually test and re-test the same compliance controls over and over again.
Organizations must find ways to streamline auditing by measuring compliance across a multitude of domains, including PCI, SOC1 and SOC2, HIPAA, FISMA/FedRAMP and ISO, at the same time.
Compliance Challenge #8: Overwhelmed into Inaction
While it’s important to understand the whole picture when it comes to your risk landscape and compliance requirements, some organizations become so overwhelmed by it all that they give up entirely, instead of making incremental improvements to their program and processes.
For example, if a company has gone through a series of failed compliance audits, it would be wise to focus attention on one area at a time, PCI for example. After they get it right, they can move on to master the next area – instead of starting over from the beginning each time.