Are You Suffering from Compliance Overload?

PCI DSS, ISO27001, GDPR, HIPAA, CPS234, CCPA: just a few of the compliance standards that may apply to your company, and I would guess there are one or two you haven’t even heard of before. The number of acronyms keeps growing and it can feel overwhelming, but there is a way to cope, and it involves some project management fundamentals.

As much as I prefer not to use the word “synergies”, it does apply to managing the ever-growing number of compliance requirements. There are synergies between the standards that can make being compliant with several of them at once much easier. For example, ISO27001 requires a risk assessment to be performed to determine whether a control is required to reduce risk, and the extent to which it should be applied. You may find that conducting a risk assessment is a requirement across multiple compliance standards, so why not ensure the results are reused across every standard you are required to meet. A simple example, but you get the idea.

____

Evaluate your company’s security posture with SecureTrust compliance, privacy and risk assessment services.

____

The issue is identifying and managing what applies across all the compliance standards you are required to meet.

The larger your organization, the more coordination is required to ensure one group is not reinventing the wheel to meet a compliance requirement that another team has already met under a different standard. For example, your security team may need to conduct a firewall rule review to meet a PCI DSS requirement, only to find the network team did the same review earlier as part of good practice.

Waiting until the last moment to make your run at compliance is like building a steep hill for yourself to run up, and at the top you will probably find you are not compliant after all, because you did not maintain a compliance program throughout the year. Even if you do achieve compliance, you arrive exhausted and roll down the other side too tired to maintain what you put all that effort into achieving in the first place.


This is where project management fundamentals come in.

Running all your compliance requirements as part of one overall program will help identify commonalities that reduce the total effort. Consider what would happen if your compliance program were managed according to project management principles:

  • There would be no surprises. Your program would be part of the change management process, and you would have mechanisms to approve and adapt to changes, putting in the required controls to maintain compliance along the way.
  • Stakeholders would be engaged continuously, so the effort curve flattens out over the year rather than becoming a steep climb.
  • Everything would be managed to a plan, so every task has a home on a calendar and everyone knows what is required and when. This addresses significant holes such as missed compliance requirements.
  • The costs associated with compliance would be more transparent.
  • Required artifacts such as network drawings and data flow diagrams would be managed, controlled and updated whenever change occurs.
  • Commonalities would be identified and controlled to ensure efficiencies across all compliance requirements.
  • Reporting to senior management on status and compliance would be reliable and based on real evidence.

With an overarching compliance project plan, accountable people, solid change and risk management, and good communication (among other things), you can flatten your curve and make your compliance program far easier on yourself, rather than panicking just before your compliance date arrives.

[Figure: progress from compliant to non-compliant shown in a graph.]

If you have to meet multiple compliance standards, rolling all of them up into one program run with a project management approach is the best way to ensure efficiencies and to avoid a steep uphill race to be compliant. Treating compliance as a point-in-time check is almost a sure-fire way to fail compliance, so implement a controlled program if you want all of those compliance acronyms to weigh a little less heavily on you.

_______________________

Written by Brian Odian

Brian is the Director of Asia Pacific Global Compliance & Risk Services Consulting at SecureTrust, based in Sydney. He has over 33 years of IT industry experience, including roles as a Security Delivery Manager and as Global Security and Transformation Lead for large worldwide information technology corporations. During his career he has worked across a wide range of industries and roles, including global management across multiple cultures and business environments. Experienced in running global security programs and some of the largest regional projects in Asia Pacific, Brian combines project management, security and compliance credentials (CISM, CRISC, PMP, QSA, CDPSE, ISO27001 IA) to deliver security solutions and compliance programs. He has been published by the Project Management Institute (PMI) and by MSSP Alert, has presented at industry conferences, and has conducted webinars on topics such as the General Data Protection Regulation (GDPR) and Compliance Intelligence.