Compliance management is the ongoing process of monitoring and assessing systems to ensure they comply with industry and security standards, as well as corporate and regulatory policies and requirements.

The seeds of compliance were sown in the 1970s and 1980s when scandals in the USA (Watergate, Lockheed) highlighted the widespread practice of companies bribing politicians and government officials. These events led to the US passing the Foreign Corrupt Practices Act (FCPA) in 1977, which outlawed corporate bribery of foreign government officials for the first time. Further corporate scandals and breakdowns, such as the Enron case in 2001, increased calls for stronger compliance and regulation, particularly for publicly traded corporations. The most significant statutory change in this context was the Sarbanes–Oxley Act of 2002, which imposed significantly tighter personal responsibility on corporate top management for the accuracy of reported financial statements. Since then, increased regulation in both the USA and Europe (UK Bribery Act, SAPIN II in France, EU Whistleblowing Directive) has caused top management to place greater emphasis on compliance and ethical conduct, reinforce their compliance departments and implement widespread compliance management systems.

Organizations today are committing an ever-growing share of their IT security budget to cyber-related compliance tasks. Yet, they still struggle to maintain their desired risk profile even as they devote more resources to the challenge. The inefficiencies in compliance management have an insidious effect on organizations.

A 2020 report from Coalfire and Omdia found that for the majority of organizations, growing compliance obligations are now consuming 40 percent or more of IT security budgets and threaten to become an unsustainable cost.

Organizations in all industries, locations, and company sizes are spending more time and money on compliance programs than ever before, for a few different reasons.

If a company is new to compliance management, the following six steps will help to get started:


  • Make sure everyone is on board – from the leadership to subject matter experts, all relevant stakeholders should understand why a compliance programme is important and what it aims to achieve. This sets the tone from the top.
  • Conduct a risk assessment – this focuses the board and senior management on the risks that are most significant to the organization, and provides the basis for determining the actions necessary to avoid, mitigate, or remediate those risks.
  • Conduct a policy audit – to take inventory of what is already out there. This will expose any gaps in your existing policy library, and any updates that need to be made.
  • Provide training – it’s not enough to simply update the policies. Employees need to understand both the policies and how they apply to their day-to-day work. That’s where training comes into play.
  • Establish a monitor and review process – this will future-proof your programme and ensure it stays relevant.
  • Build in accountability – there need to be procedures in place for when an employee fails to comply. These should include clear disciplinary guidelines and protocols that are actively and consistently enforced.


Regardless of a company's specific situation, it’s important to have a working knowledge about the types of regulatory compliance audits and what they entail. Below is a list of the most common compliance audits team members experience at an organization:


  1. HIPAA (Health Insurance Portability and Accountability Act of 1996)
  2. PCI DSS (Payment Card Industry Data Security Standard)
  3. SOC 2 (System and Organization Controls)
  4. SOX (Sarbanes–Oxley Act of 2002)
  5. ISO (International Organization for Standardization)
  6. GDPR (General Data Protection Regulation)


Even though compliance is mandatory for all organizations, most firms still manage their compliance efforts with spreadsheets, file storage and email. The process is manual, error-prone, redundant and reviled by virtually everyone who has to participate in it.

There are products available in the market that simplify evidence collection and compliance management. These reduce the heavy manual effort involved today and make compliance management a far less laborious exercise.

One such product is Hyperproof, which integrates with dozens of services across cloud storage, project management, communications, cloud infrastructure, DevOps, security, and business applications so that compliance work can fit seamlessly into your existing business processes and workflow.

Hyperproof is an intuitive, easy-to-use platform for doing work in the security assurance, privacy and corporate compliance realms. With Hyperproof, companies can get started quickly with any compliance framework, cut out manual work related to control mapping, control testing, evidence collection/management, and gauge their audit-preparedness posture in real-time.

With Hyperproof, companies save time when collecting evidence of controls’ effectiveness, while ensuring that evidence collection tasks happen consistently to produce relevant and fresh compliance artifacts. Further, Hyperproof makes it easy to organize evidence so it can be reused to satisfy multiple compliance requirements.

Hyperproof's hypersyncs collect evidence from dozens of cloud-based apps and services on a cadence or on-demand.

With Hyperproof, all the evidence is centrally stored, categorized appropriately, labelled, mapped back to specific controls and regulatory requirements, and made accessible to stakeholders across the various corporate and product groups.
