How To Achieve Compliance Across Multiple Controls Frameworks
Juggling the increasing complexity and volume of compliance requirements can be a daunting task for any organization. More than ever, organizations face growing scrutiny from their clients through an expanding list of compliance obligations, including SOC 2 Attestation Reports, ISO/IEC 27001:2013 Certification Reports, HITRUST, HIPAA, FedRAMP – the list goes on. To help your organization make these determinations, RISCPoint has developed this guide to identify the best practices for implementing a cohesive compliance framework for your organization.
Define your Compliance Objectives
The first step in establishing the compliance program is to define the objectives for the organization. These objectives should define what the organization is seeking to accomplish with both current and long-term compliance goals. For example, do we prioritize a SOC 2 Attestation report to satisfy an existing client need, or do we have more of a runway to scale our compliance operations across multiple frameworks?
The objectives set in this phase help to drive decisions from both a budgetary and operational perspective. In order to get the most impact from the objective setting process, we recommend involving stakeholders from multiple departments to obtain a more holistic view of the organization. This process is important to think through thoroughly, as these decisions will lay the foundation for how we select a controls framework to help meet these objectives.
Select a Controls Framework
There are many methodologies that can be used to implement a control set that maps across multiple compliance frameworks. The determination of which control set to use will ultimately be unique to your organization. However, the following items should be considered as a component of your evaluation:
Do you know the types of data processed by your organization? For example, if your organization processes electronic personal health information, then you may be required to comply with HIPAA obligations. If your organization processes the personal data of EU residents, then you may be required to comply with the General Data Protection Regulation (GDPR). Likewise, if you process the data of California residents, you would be required to comply with the CCPA.
Do you classify this data and document where it resides? Understanding the types of data processed by your organization and where this data resides helps to make a better determination of how to protect the organization’s most valuable assets – its data.
Does the industry that you operate within have unique compliance obligations that you need to include within your program? For instance, if your organization is a financial institution in the state of New York, then you may be required to comply with the New York Department of Financial Services (NYDFS 23 NYCRR 500).
Once you have been able to determine the specific data types and other regulatory factors that you may be required to comply with, it is now time to identify a controls framework that can be tailored for your organization.
There are many options that can be implemented, such as the Secure Controls Framework or the Unified Compliance Framework. Each of these control frameworks includes mappings across multiple compliance frameworks, which helps isolate the controls to only those applicable to your organization and to the stated objectives.
After you have selected the controls framework that best meets your organizational needs, it is time to begin the process of implementing the control set. This process can initially seem overwhelming; however, this can be accomplished with executive support and effective project management techniques. To help facilitate the implementation of controls, we recommend some general best practices:
Control Domains
When implementing a controls framework, we recommend breaking down the controls into digestible domains so that controls can be allocated to specific departments or functions. For example, controls frameworks such as the Secure Controls Framework break down controls into more than 30 unique domains. This helps track the effectiveness of the program with enhanced granularity, supporting more informed decisions on how to improve the program.
Most Restrictive Control
Inevitably, there will be times when compliance obligations seem to compete with one another or require a slightly different configuration. When navigating these scenarios, the best practice is to implement the most restrictive control and use it as the baseline across the organization. We also recommend consulting with your service auditor and compliance consultant whenever in doubt. It is always better to be safe than sorry.
Control Owner and Control Operator
All controls implemented within the organization should be assigned a control owner, who is responsible for ensuring that the control is operating as intended, and a control operator, who is responsible for executing the control. The assignment of accountability to control owners and operators is a key component of establishing an effective compliance program.
Control Frequency
One often forgotten piece of an effective compliance environment is automating as much of the required activity as possible. This begins by assigning a control frequency that defines how often the control operator is responsible for executing the control. The control frequency should be tied to an automated ticket, calendar invitation, or reminder to complete the control.
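The four practices above (domains, most restrictive control, owner/operator, frequency) can be captured in a simple control register. The following is an added illustration, not code from RISCPoint or from any controls framework; the per-framework minimums for the sample "log retention" control are constructed placeholder values, not the actual requirements of SOC 2, HIPAA or ISO 27001.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

@dataclass
class Requirement:
    framework: str   # compliance framework this control maps to
    domain: str      # domain the framework files the control under
    min_value: int   # minimum acceptable setting (here: days of log retention)

@dataclass
class Control:
    control_id: str
    domain: str           # internal control domain used to allocate ownership
    owner: str            # accountable that the control operates as intended
    operator: str         # executes the control on the agreed frequency
    frequency_days: int   # how often the operator must execute it
    requirements: List[Requirement] = field(default_factory=list)
    last_executed: Optional[date] = None

    def baseline(self) -> int:
        """Most-restrictive-control rule: adopt the strictest mapped requirement."""
        return max(r.min_value for r in self.requirements)

    def frameworks(self) -> List[str]:
        """Frameworks satisfied by the single baseline setting."""
        return sorted({r.framework for r in self.requirements})

    def next_due(self) -> Optional[date]:
        """Date the next execution reminder should fire (None if never run)."""
        if self.last_executed is None:
            return None
        return self.last_executed + timedelta(days=self.frequency_days)

    def is_overdue(self, today: date) -> bool:
        """True when the control has never run or its due date has passed."""
        due = self.next_due()
        return due is None or due < today

def overdue_by_domain(controls: List[Control], today: date) -> Dict[str, List[str]]:
    """Group overdue control IDs by domain so each department gets its own reminder list."""
    out: Dict[str, List[str]] = {}
    for c in controls:
        if c.is_overdue(today):
            out.setdefault(c.domain, []).append(c.control_id)
    return out

# Constructed sample control; the minimums are illustrative only.
LOG_RETENTION = Control(
    control_id="LOG-01", domain="Logging & Monitoring",
    owner="Head of Security", operator="SecOps Engineer", frequency_days=90,
    requirements=[Requirement("SOC 2", "Monitoring", 90),
                  Requirement("HIPAA", "Audit Controls", 180),
                  Requirement("ISO 27001", "Logging", 365)],
    last_executed=date(2024, 1, 15))
```

Feeding `overdue_by_domain` into the ticketing or calendar system is what turns the assigned frequency into the automated reminder the text recommends.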
After implementing the control set within your organization, it is time to assess the effectiveness of your program. Effectiveness should be evaluated against the objectives defined at the onset of the project, as well as the specific control requirements set during the implementation phase. Effectiveness monitoring can be performed through an internal audit against a specific framework, such as the Payment Card Industry Data Security Standard for specific compliance requirements, or against a capabilities and maturity model, such as the NIST Cybersecurity Framework.
RISCPoint revolutionizes the cybersecurity and compliance world by applying a proprietary and innovative approach delivered by experienced professionals. Rather than just meeting compliance requirements, our consultants help you optimize your processes and gain value while minimizing the burden of compliance. We aim to help you meet the relevant standards, while providing a painless audit experience.
Ready to give your organization’s security posture a boost? Fill out the form below to get in touch with a member of our team.