Reciprocity_Consolidated Objectives eBook v2

Uploaded by justinklooster, 17-Jan-2017


Page 1: Reciprocity_Consolidated Objectives eBook v2

CUT THROUGH COMPLIANCE COMPLEXITY WITH CONSOLIDATED OBJECTIVES

RECIPROCITY

A Publication of

www.reciprocitylabs.com

COMPLIANCE IS COMPLEX.

Organizations of all sizes and in all industries are wrestling to stay compliant with a growing number of regulations. Unfortunately, the burden of managing compliance, and the penalties for not being compliant, only increase as your business expands. The requirements and controls in various regulatory frameworks often overlap, and differing schedules for updates or changes to these frameworks can make meeting all your governance requirements an exercise in duplicative work and wasted resources.

Agility in your compliance program can make you more responsive to changes in the regulatory environment and changes in your business, and help maximize your investment in your compliance program. Automated tools can cut through the complexity—or at least make managing the complexity less daunting—but one of the best ways to simplify your compliance program is to implement consolidated objectives.

WHAT ARE CONSOLIDATED OBJECTIVES AND WHY DO YOU NEED THEM?

Consolidated objectives are common requirements across regulatory frameworks.

While this approach involves a slightly higher up-front investment in time, the rewards win out in the long term—lower management overhead and better utilization of scarce resources more than make up for your time investment.

Consolidating your compliance controls and objectives brings multiple benefits:

• Better visibility into your organization’s risk. Duplicate and overlapping controls can make it challenging to identify your compliance posture. A single, rationalized control gives you a better understanding of how well you’re mitigating the risks to your business.

• Increased agility and ability to respond to change. If you implement a company-wide change—say, converting from single- to multi-factor authentication—you’ll waste time trying to catalog all the authentication-relevant systems, policies, and parts of your business. A consolidated objective dictating user authentication cuts through the confusion and clarifies expectations for everybody in the company.

• Stronger justification of your compliance budget. If your compliance program is overly complex and inefficient due to the use of multiple spreadsheets, annual budget discussions with the higher-ups aren’t going to go very well. Being able to highlight your fiduciary aptitude will make your team look better, and makes it easier to justify requests for additional budget when you genuinely need more resources.

Many compliance and GRC tools offer a set of consolidated objectives, which help you jumpstart your efforts to meet multiple compliance programs. Rather than trying to figure out how much of your ISO 27001 work overlaps with the PCI requirements, these tools do the work for you. You’ll be able to save time and money up front, and manage your compliance program with less hassle in the long run by being able to better prioritize your work and focus your efforts in areas where you have gaps. The net result is that your compliance program can be a business enabler rather than a roadblock.

Take for example password complexity requirements. Virtually all information security compliance frameworks require that you implement measures to authenticate your users, and most mandate some form of password strength and complexity. If you have three compliance programs, why implement three separate password controls? That’s 3X the work for the same outcome!

Instead of doing your work in triplicate, you can create and implement a single company-wide control dictating password length and complexity requirements, then map that control to each of the compliance programs you have in place. With consolidated objectives, the effort of designing and implementing that single control counts toward every program it is mapped to, boosting your efficiency.

Taking a step back and looking at an organization’s big picture data model is often the difference between a successful and an unsuccessful technology-enabled GRC Program Deployment. The ability to take multiple disparate subsets of compliance requirements, policies, standards and procedures, and integrate them into a centralized and integrated framework - enabled by GRC Technology - is the linchpin of Compliance Management. In today’s day and age, minimizing cost of compliance is no longer a nice-to-have. The ability to 'test once and apply to many' is now the new standard in Compliance.

-- Kevin Berman, Partner - GRC Strategy and Enablement at Edgile

HOW CONSOLIDATED CONTENT REDUCES COMPLIANCE COMPLEXITY

No information security or compliance program ever has a surplus of staff or budget. Doing more with less is both an art and a science, and turning overlapping requirements to your advantage can make your job easier and give you a competitive advantage. Spending time and money creating duplicative controls isn’t anyone’s idea of good business practice—yet it’s easy to fall into that trap. The ability to reuse your efforts in compliance gives you more flexibility and lets you stretch your compliance budget further. This in turn lets you invest your limited compliance resources more intelligently to mitigate and manage your company’s risks.

Consolidated objectives can also help you cut through complexity in your business processes, and turn your compliance program into a driver of positive business change. Here’s an example. Most compliance frameworks require you to perform certain HR tasks like background checks. Rather than a messy web of compliance programs driving different HR processes, a single HR-defined background check process can be mapped across multiple compliance objectives. This simplifies the strategic management of your HR efforts, and helps you meet diverse requirements across compliance frameworks such as ISO 27001, PCI, and FedRAMP.

A common affliction in the compliance world, “audit fatigue” results when the auditing process becomes so burdensome and repetitive that your team resents it and may even ignore requests for corrective action.

Harmonizing an HR process might not seem like an obvious driver of business efficiency, but by understanding how HR processes support multiple compliance programs, you can reduce audit fatigue in the HR department.

Gathering evidence of effective background checks can be done once, and that evidence reused when you undergo audits against your various compliance frameworks. Your HR department will thank you when they are asked for evidence only once a year instead of four times when your PCI, ISO, FedRAMP, and SOC 2 auditors come to visit!

READY TO TAKE ADVANTAGE OF CONSOLIDATED OBJECTIVES?

Many companies spend valuable time and resources struggling with a compliance burden that continues to grow in both complexity and size, using a disjointed combination of spreadsheets, emails, documents, and manual processes. You can manage more efficiently and cut out the complexity by choosing the right compliance software.

Look for a tool that makes it easy to identify overlapping content among frameworks. For example, ZenGRC's standardized content hierarchy—the structure of compliance frameworks within the tool—makes it easy to translate between frameworks and leverage work done in one framework to meet other compliance requirements.

Enterprises are shifting more and more IT to the cloud, either by switching to cloud infrastructure and away from data centers, or by directly procuring cloud-based software solutions where data and services are more the vendor's responsibility. Compliance questionnaires and reports are the vehicles by which vendors satisfy enterprise security requirements. Therefore, new demands are being placed on both vendors and enterprises to manage and communicate their compliance programs. Compliance management has become as important as Agile or DevOps. Modern tools and methodologies are sorely needed.

-- David Bernstein, CEO and Founder of Cloud Strategy Partners


THREE THINGS YOU SHOULD LOOK FOR IN A GRC TOOL TO HELP YOU ACHIEVE GREATER EFFICIENCY WITH CONSOLIDATED OBJECTIVES

1. Relational modeling: Your GRC tool needs to make it easy for you to establish and visualize the relationship between your controls and consolidated objectives. Identifying the commonality between frameworks helps you supercharge your compliance efficiency.

2. Reusability: A compliance tool should let you test once, use many times. If you have a single password control that satisfies objectives in multiple compliance frameworks, any testing you do on that control should be reusable in audits of all objectives it satisfies, regardless of the framework.

3. Reduced effort required for compliance: Consolidating objectives across multiple frameworks is part of the work, but writing the controls you need to achieve those objectives is really where your compliance team needs to focus. A tool should give you the ability to highlight those objectives which are not covered by your existing controls, allowing you to focus your resources on these high priority areas.
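As an added example (not code from the eBook or from any GRC product), the following Python sketch models the three capabilities above: controls related to the objectives they satisfy across frameworks, test evidence reused for every mapped objective, and a report of objectives that no control covers. All framework, objective and control identifiers are constructed placeholders.

```python
# Added example, not from the eBook or any GRC product: a minimal model of
# consolidated objectives. All identifiers and results are constructed placeholders.

# Objectives each framework requires: {framework: {objective_id: description}}.
FRAMEWORKS = {
    "PCI": {"PCI-PW": "password complexity", "PCI-BG": "background checks",
            "PCI-LOG": "log review"},
    "ISO": {"ISO-PW": "password complexity", "ISO-BG": "background checks",
            "ISO-BCP": "continuity plan"},
    "SOC2": {"SOC2-PW": "password complexity", "SOC2-BG": "background checks"},
}

# One company-wide control mapped to every framework objective it satisfies
# (relational modeling). CTL-LOGGING is mapped but has not been tested yet.
CONTROLS = {
    "CTL-PASSWORD": {"PCI-PW", "ISO-PW", "SOC2-PW"},
    "CTL-HR-BACKGROUND": {"PCI-BG", "ISO-BG", "SOC2-BG"},
    "CTL-LOGGING": {"PCI-LOG"},
}

# Evidence gathered once per control and reused for every objective it maps to.
TEST_RESULTS = {"CTL-PASSWORD": "pass", "CTL-HR-BACKGROUND": "pass"}


def coverage(frameworks, controls):
    """Per framework: (objectives some control satisfies, objectives with none)."""
    covered_ids = set().union(*controls.values())
    report = {}
    for fw, objectives in frameworks.items():
        covered = sorted(o for o in objectives if o in covered_ids)
        uncovered = sorted(o for o in objectives if o not in covered_ids)
        report[fw] = (covered, uncovered)
    return report


def gaps(frameworks, controls):
    """Objectives no control satisfies: where the team should write controls first."""
    return {fw: u for fw, (_, u) in coverage(frameworks, controls).items() if u}


def reusable_evidence(controls, results):
    """Map each objective to the control test that serves as its audit evidence."""
    evidence = {}
    for ctl, objectives in controls.items():
        outcome = results.get(ctl, "untested")  # mapped but untested is still a gap
        for obj in objectives:
            evidence[obj] = (ctl, outcome)
    return evidence


def evidence_requests(controls):
    """(evidence pulls needed, objectives satisfied): one pull per control, not per objective."""
    return len(controls), sum(len(o) for o in controls.values())
```

Run against the constructed data, `gaps` reports only ISO-BCP, and a single password evidence pull serves three frameworks' password objectives.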


GLOSSARY OF COMPLIANCE TERMS

Governance, risk management and compliance is a complex and challenging business even for the most seasoned of experts. Here are some of the commonly used terms in the compliance world that you need to understand as you embark on a compliance program.

• Attestation – like an audit, except the organization and third-party examiner share the responsibility for an inaccurate examination

• Audit – an examination performed by an independent third party that verifies the guidelines outlined by a regulatory body

• Audit fatigue – the resentment that occurs when your team is constantly being audited or asked for the same things over and over again as the company gets audited against different frameworks

• Compliance – adherence to a set of rules established by a regulatory body

• Consolidated Objectives – mapping of requirements in one framework to another. We have several common frameworks, including PCI-DSS, NIST/FedRAMP, SOC 2, HIPAA, and ISO 27001/27002. In addition, the Reciprocity GRC Experts can help you create mappings from other programs or your own internal compliance programs.

• Control – a step in the process that monitors and mitigates risk

• Framework – an approach with risks, controls, and processes to put in place a compliance model

• Objective – a discrete requirement within a compliance framework

• Regulatory body – the organization that defines the rules and the methods to verify the rules

• Risk – the chance that a negative outcome, financial loss, or error can damage the organization

• Scope – the boundaries to examine, which are usually dictated by a regulatory body

• Standard – the specific law, rules, or requirements that make up the scope during an examination

COMPLIANCE AGILITY REQUIRES AGILE TOOLS

Are you ready to make the transition to a more comprehensive compliance solution? Our GRC experts can help guide you through that journey and recommend the best solution for your organization.

Call us at (415) 851-8667 to schedule a consultation, or visit us online at www.reciprocitylabs.com.

Reciprocity makes compliance work more engaging and rewarding.

Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic asset. We make compliance and risk officers more nimble with lightweight software designed for fast-growing companies. Our Governance, Risk, and Compliance (GRC) Software encourages compliance, risk, and audit managers to act more nimbly and stand toe-to-toe with the fast-paced world of business.

Visit us online at www.reciprocitylabs.com.