To hear the audio version of this blog, click below!
Compliance requirements may evolve over time, but even if they are static for years, organizations may grow, change, or shrink. The data that organizations manage may also change, not only the size of the information, but the types of data. The uses for that data may change and the compliance or regulatory controls required will change along with the data. As we all know, new regulations or compliance requirements can also show up on our doorstep.
How does an organization respond to an ever-changing landscape of data and compliance requirements?
Enter the OODA Loop
An incredible tool, simple in practice, is the O-O-D-A loop, or OODA loop.
OODA is an acronym for:
The OODA loop, or OODA cycle, was originally developed by US Air Force Colonel John Boyd and he applied the concept to combat operations and military campaigns. In the modern day, businesses, litigators, and other organizations utilize OODA cycles to adapt their businesses and strategies to fit their markets or operational goals.
The concept of OODA loops is based on the foundation that all organisms, including people (and we all know that businesses can be organic) are constantly interacting with the environment. We all make decisions based on the stimuli around us which can change at a moment’s notice. If we feel our house is too warm, we adjust the thermostat for the air conditioning to lower the temperature. Is demand lowering for our product based on sales metrics? We may adjust our pricing to meet the lower demand or pivot our marketing focus to a different-yet-related product.
Success with OODA loops is based on completing our own OODA cycle before our competitor’s complete their loops. Loops are not constrained to a competitor—OODA loops can also be used to adapt to shifting regulatory requirements. So, let us break down what those cycles are and how we utilize them when it comes to compliance.
Observation is the foundation of the loop (that is why it is the first “O”). Organizations must be aware and observe the stimuli (business needs) that can impact their compliance. Not only is this the compliance requirement itself, but also the other stimuli that impact compliance. Companies and management must observe the people, processes, and technology in use in their organization and how they each can impact their compliance status. This includes the executive team, strategic vision, team composition, third party suppliers, vendors, support staff, and, ultimately, the end user or customer.
Examples of items to include in the Observe cycle:
- Executive charter and Buy-In
- Laws or regulations that the organization is required to adhere with
- Current controls and frameworks in-place
- Staff composition, training, and expertise
- Data elements or channels in the data ecosystem that are “in scope”
- Third Party Requirements
- Contractual Clauses
- Budgetary constraints
- Feedback from previous OODA cycles
All necessary information gleaned from the observation cycle feeds into the Orient portion of the OODA loop. During the Orient phase, organizations must analyze the data and information from the observation of the business processes and incorporate any new information synthesized from the data analysis. Organizations should also utilize information from previous compliance experiences, such as audit processes, feedback from the audit team, IT staff, or other third parties, and that should be part of the Orient cycle.
Examples of Inputs and Outputs in the Orient cycle:
- Evolving requirements or newly identified requirements
- Customization of existing frameworks
- Due diligence of third parties to meet compliance objectives and outsourcing
- Additional audit reports or evidence of compliance
- Training requirements to improve expertise
- Adjustments to capital and operational budgets
This all moves forward into the Decide phase of the OODA loop. During the Decide phase, organizations must put in place the people, processes, and technology to meet their compliance objectives. In this phase, compliance frameworks, risk assessments and additional testing should be outlined to meet the objectives of the security and compliance program.
Examples of Decide cycle activities:
- Allocation of budgetary funds
- Risk Assessments and internal audit functions
- Vulnerability testing and penetration testing
- Training and/or hiring of skilled staff
- Engage third parties to meet control objectives
With the groundwork laid out for the business, now we Act. We implement the strategies we have planned during the Decide phase and monitor their outputs. Organizations, in this stage, will also look at implementing audit schedules to ensure the organization is meeting their objectives over time. Teams from across the organization will review the results of the Decide phase, such as the risk assessment, internal audit results, third party audit results or other output from testing procedures, to verify that control objectives have been met.
Examples of Act cycle activities:
- Training qualifications
- Assessment of controls compliance including evidence of compliance
- Risk Analysis and Risk Treatment
- Policies and Procedures for people, processes, and technologies
- Incident Response and Business Continuity Plans and testing
- Incorporating feedback from previous OODA cycles
Are We Done Yet?
The OODA loop cycle is never complete. The path forward is to continually utilize the Observe, Orient, Decide, and Act cycles to further improve compliance readiness. Faults or gaps determined from the previous cycles should be addressed in the Observe and Orient cycles and addressed during the subsequent Decide and Act cycles. This is a constant cycle of feedback and adaptation. This is a continual process that allows for that “agility” that organizations seek.
Another way of looking at OODA loops is to compare it to the Plan, Do, Check, Act cycle. Both strategies can be used, even in tandem, to meet compliance objectives. Both focus on a high-level stratagem to establish objectives (Plan/Observe), carry out those objectives (Do/Orient), determine the success of those actions (Check/Decide), and include opportunities for improvement (Act/Act).
Organizations are constantly evolving, but it does not have to be chaos when it comes to meeting regulatory compliance. OODA cycles can be utilized to build a simple framework to meet compliance or regulatory controls and be a foundation for a strong security program. While OODA cycles are not a framework, they are a method for achieving success in modern business.
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
CLICK HERE to contact us for all Enterprise Compliance, Merchant Risk Management and Compliance Technology needs
Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT and large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.