Prescient Security Blogs

Love Letters to Compliance: Tips for Long Term Commitments

Written by Frejin Arooja | Feb 13, 2025 4:39:47 PM

Running a compliance program is a commitment. As long as you do the right things and avoid making any wrong move, you’re okay. But one wrong move can quickly escalate a happy relationship into a nightmare. 

As the day blessed by St. Valentine approaches, we’ve compiled a list of do’s and don’ts to keep you out of trouble. 

Heads up before you start: there are a lot of love metaphors.

It's an ongoing commitment, not a one-time fling


Going out with compliance? Trust me, it's a commitment to a long list of promises. Think of it as a one-way door with no exit - once you're in a relationship, breakups can be tricky; similarly, non-compliance comes with serious consequences.

Take GDPR, for example. She loves cookies, but gifting her the wrong type without consent can land you in trouble with her dad - the EU.

Then there's HIPAA, who loves privacy in the relationship. Not respecting privacy will get your head hung on the OCR's wall of shame.

To avoid any sticky situations, keep the spark alive through continuous compliance. From a regulatory perspective, this means monitoring controls against the applicable standards, scanning for suspicious activity, collecting evidence, and mitigating issues as early as possible.


Communication is Key

Building lasting relationships starts with trust. No one reads through the terms and conditions until someone violates a clause.

We recommend outlining a prenup: the policies. A comprehensive set of policies around your compliance framework ensures accountability and maintains transparency.

Developing policies is a tedious and time-consuming activity. This is especially true if you are drafting them:

  1. manually, without compliance automation tools that usually offer pre-built policy templates, and
  2. for the first time.

The good news is that most frameworks have overlapping requirements. If you date more than one framework, the same policies and controls usually overlap significantly and can be tweaked with the customizations modern compliance tools offer.


Heartbreaks happen

If you're aiming for a long-term commitment, expect a few bumps along the way before securing the certification. If the auditor doesn't see the right fit in the relationship between your policies, people, controls, and evidence, they may not officiate the union.

Compliance programs can be confusing, complicated, and chaotic, especially for small to mid-sized organizations diving into a framework for the first time.

Getting the auditor to sign off on the certification requires quite a bit of audit prep work. That's where vCISOs come in, like the trusted friend who helps you pick the right outfit and avoid awkward small talk. With their guidance, you'll sidestep most of the surprises and uncertainties, making the whole process a lot less daunting (and maybe even a little charming).

One of the sharpest corners to navigate is collecting evidence. As the saying goes: if you haven't documented it, you haven't done it. To avoid the heartbreak of a failed audit, maintain a comprehensive trail of system screenshots, an up-to-date asset inventory, security risks, corrective actions, and logs. Evidence is the love letter of compliance, and it is what will ultimately save the relationship.


Red flags and warning signs to watch out for

Everything's fair in love, war, and compliance. 

Well, almost everything. Compliance isn't always a bed of roses, but once you've made your bed, lie in it you must.

Here are some warning signs you should be looking out for:

  • Ignoring regulatory updates like your ex ignored you. On a serious note, it is imperative to update your compliance program whenever the regulatory body introduces changes.
  • Patching issues and gaps just before the audit deadline. Taking corrective actions at the last minute leaves you scrambling for evidence, leaves room for error, and adds to the anxiety of your infosec team.
  • Treating compliance as just another checklist item. Loving compliance out of compulsion rarely works out. When you start looking at compliance as a burden, it becomes a stressfully reactive activity rather than a consciously responsive one.

Ignoring these red flags and warning signs can lead to a toxic relationship. If you see them, it's time to evaluate and work on them.


Don't spread sheets, even if you excel at it

You've probably had years of experience with VLOOKUPs and other formulas in Excel. This expertise usually fails to impress compliance, especially in large organizations with many complex processes, because running a compliance program involves multiple moving parts.

As your program grows, relying on outdated systems like Excel sheets and Google Drive is not recommended, as they hinder scalability. These systems are tedious for infosec teams because of the heavy manual work they require, more prone to human error, and ultimately unsustainable.

A better, faster, and more cost-effective way is to use tools that automate the end-to-end process, like Vanta, Drata, Scytale, Secureframe, and Sprinto.


G+R+C=<3

Running a standalone compliance project may work in the initial stages. But as you grow and scale, the spark starts to disappear - with more people, processes, and technology added to the infrastructure, you may find yourself in an "it's complicated" situation.

A smarter and more scalable approach is to implement it as part of the golden trio: governance, risk, and compliance, or GRC.

GRC evolved as a response to the complexities introduced by siloed systems (departments or individuals within an organization functioning in isolation with little coordination, which hinders growth and productivity).

When your compliance project is part of a GRC program, it unifies all relevant information to give you a holistic view of risks, regulatory obligations, and workflows.


Looking to avoid heartbreak? Our experts are here to play matchmaker between you and your compliance goals. Click here!