Audits are always stressful, right? How many of us have been in a mad rush just before an audit?
Well, it's not just you. A lot of us, myself included, have been there.
So this raises the question: why are we stressed, and why do we scramble to get everything in place before a major audit? The simple answer is that we treat compliance as a separate documentation exercise layered on top of our security practices, rather than as an integral part of them. Imagine how much easier life would be if the documentation and practices that compliance requires were built into our everyday work. In other words, if compliance is continuous, there is no extra work to do when an audit is around the corner.
Before we go any further into how to integrate compliance with our daily work, let's briefly look at what compliance is and why it matters in today's business environment. In general, compliance should never be the goal of a security practice; it should be a by-product of your security policies. As Mark Nunnikhoven, Vice President of Cloud Research at Trend Micro, puts it, "Compliance is the output of a well-run security practice." In other words, compliance is not something you do separately; it is the evidence that your organization follows good security practices. Approached this way, you meet your compliance standards without a separate effort for each audit. More importantly, it helps you sustain that compliance as the number of standards you must meet keeps growing.
Another advantage of integrating compliance with your security practices is the savings in time and resources. Today, many companies are forced to maintain a separate quality and compliance department, not to mention the inordinate amount of time, money, and effort that goes into compliance. Despite this, compliance levels fall. According to a Verizon PCI compliance report, PCI DSS compliance rates drop to 18 percent within just 60 days of certification. This should give you an idea of the effort needed to sustain compliance when it is handled as a separate task.
When compliance is part of your security practice, however, the time and effort needed drop considerably, even though the first few months may look like you're spending more. That is because you will have to automate many manual processes and make other changes, such as reconciling your asset inventory, aligning technical controls with the standards, streamlining quality practices, and automating data classification. Over time, you reap the benefits: large savings in time and effort, better accuracy, and better operational efficiency.
In addition, your security policies will tend to be more robust, a vital property in today's threat-driven environment. Given these benefits, making continuous compliance part of your security practice is a no-brainer.
To help you move forward in this line of thought, here is a set of simple steps.
Steps for continuous compliance
Here is a generic set of steps to help you get started on the road to continuous compliance. The actual effort will depend to a large extent on your organization's line of business and your current compliance levels.
Understand your compliance standards
The first step is to establish which compliance standards you have to follow, and how many. Again, this differs from organization to organization based on the nature of the business, its size, its global footprint, and other pertinent factors. Where standards overlap, map their controls to each other so that one piece of evidence can satisfy several requirements instead of being collected once per standard.
Close the gap
This is a good time to talk to the different stakeholders and close the gaps in your security requirements. A gap analysis between what the standards require and what you actually do today tells you which changes are needed to make your existing security practices not just compliant, but robust.
Choose the right tools
Continuous compliance requires automation tools, which you can either build in-house or buy from a provider. Do some thorough research before choosing; in particular, check that a tool can export the evidence it collects in a form your auditors will accept, rather than locking it inside a dashboard.
Make it a part of your development process
Once you've adjusted your security policies to incorporate continuous compliance, make sure your development process is built on them. In other words, keep compliance in mind while creating software components, so that you don't finish the product and then discover that some components have to be changed because they don't meet your standards. Likewise, if you plan to buy software components from a third-party provider, check whether they meet your established compliance practices, and ask for the provider's own compliance evidence rather than taking a marketing claim at face value.
It's not just the software that needs to be compliant, but also the hardware. We tend to look only at the software because that's what we create, but the hardware it runs on is equally important.
Stay on top
Even when you use compliant components, you can still do things that take you out of compliance: a compliant component that is misconfigured, left on default settings, or wired into the product in an unexpected way is no longer compliant. To avoid such headaches, understand the features and settings of each component and how they fit into the product as a whole. This helps you avoid costly compliance errors.
Now that you know how to go about it, let's delve into some best practices that can help you sustain it.
Get everyone on board
Compliance is an organizational process, so it's important to get everyone on board, including external partners and contractors. Explain each compliance standard, why it's important, and how it can best be achieved.
Compliance is the baseline
It's important for every stakeholder to understand that compliance is the baseline, and that every process or activity should build on top of it.
Record evidence as you go
A good way to achieve continuous compliance is to record evidence as you go. Document every activity or process at the time it is performed, ideally by having the tooling emit the evidence automatically, so that nothing has to be reconstructed from memory when the audit arrives.
Set the logging structure
Logs are a critical component of compliance, so get the logging structure right. Decide where your logs are stored, how they are analyzed, how long they must be retained, and how they are protected from tampering, since a log that can be silently altered is weak evidence.
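The three points above (building compliance into the development process, recording evidence as you go, and having a defined log structure) come together in a small script. The following is an added example, not code from the original article: each control is a function over the current configuration, every run writes one timestamped evidence record per control as a JSON line, each record carries a SHA-256 digest so that later edits are detectable, and the gate result can fail a CI job. The control identifiers (`CC-01` to `CC-04`), the sample configuration, and the one-year retention threshold are constructed for illustration and are not taken from any particular standard.

```python
"""Continuous compliance as code (added example, not from the original article).

Each control is a small function over the current configuration. Every run
emits one timestamped evidence record per control, hashed so that later edits
to the evidence are detectable, and the gate() result can fail a CI job.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample configuration. In practice this would be pulled from a
# cloud API, a CMDB or infrastructure-as-code state (assumption).
SAMPLE_CONFIG = {
    "buckets": [
        {"name": "app-logs", "encrypted": True, "public": False},
        {"name": "marketing-assets", "encrypted": False, "public": True},
    ],
    "log_retention_days": 400,
    "console_mfa_required": False,
}


def check_bucket_encryption(cfg):
    """Every storage bucket must be encrypted at rest."""
    failing = [b["name"] for b in cfg["buckets"] if not b["encrypted"]]
    return not failing, {"unencrypted_buckets": failing}


def check_no_public_buckets(cfg):
    """No bucket may be publicly readable."""
    failing = [b["name"] for b in cfg["buckets"] if b["public"]]
    return not failing, {"public_buckets": failing}


def check_log_retention(cfg, minimum_days=365):
    """Logs must be kept at least one year (threshold is an assumption)."""
    days = cfg["log_retention_days"]
    return days >= minimum_days, {"retention_days": days, "minimum_days": minimum_days}


def check_console_mfa(cfg):
    """Interactive console access must require MFA."""
    required = cfg["console_mfa_required"]
    return required, {"console_mfa_required": required}


# Hypothetical control IDs; map these to the clauses of the standards you follow.
CONTROLS = [
    ("CC-01", "Storage encrypted at rest", check_bucket_encryption),
    ("CC-02", "No public storage", check_no_public_buckets),
    ("CC-03", "Log retention >= 1 year", check_log_retention),
    ("CC-04", "MFA on console access", check_console_mfa),
]


def _digest(body):
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def run_controls(cfg, now=None):
    """Evaluate every control and return one evidence record per control."""
    checked_at = (now or datetime.now(timezone.utc)).isoformat()
    records = []
    for control_id, title, fn in CONTROLS:
        passed, detail = fn(cfg)
        record = {
            "control": control_id,
            "title": title,
            "result": "pass" if passed else "fail",
            "detail": detail,
            "checked_at": checked_at,
        }
        record["evidence_sha256"] = _digest(record)
        records.append(record)
    return records


def verify_record(record):
    """Recompute the digest; False means the record was altered after it was written."""
    body = {k: v for k, v in record.items() if k != "evidence_sha256"}
    return _digest(body) == record.get("evidence_sha256")


def gate(records):
    """CI gate: True only when every control passed."""
    return all(r["result"] == "pass" for r in records)


if __name__ == "__main__":
    results = run_controls(SAMPLE_CONFIG)
    for r in results:
        print(json.dumps(r))  # one JSON line per control; ship these to your log store
    raise SystemExit(0 if gate(results) else 1)
```

Run on the constructed configuration, three of the four controls fail and the script exits non-zero, which is exactly what you want in a pipeline: the build stops before a non-compliant change ships, and the JSON lines it printed are the evidence for the run. The per-record digest only detects alteration; to make the evidence trustworthy to an auditor, write the lines to append-only storage that the pipeline cannot rewrite.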
Budget for it
Security and compliance costs can add up quickly. Hidden costs such as consultancy and compliance components rack up fast, so set a budget and make sure you stick to it.
Understanding and working with compliance components may require some training, especially if you're new to it. Factor that cost and time into the budget too.
During the initial stages of setting up continuous compliance practices, keep in constant contact with the different teams, including the DevOps and cloud operations teams, since they own the systems the controls will be enforced on.
High levels of visibility
Never constrain yourself to a single component or practice; instead, get the highest possible level of visibility, so you know how a process affects the organization as a whole. This visibility is key to understanding the impact of compliance on security, as well as on other aspects of your organization's operations.
Start small
Remember, small and steady steps are the best way to reach lofty goals. You need steady progress towards compliance, so start with reasonable short-term goals. This is vital to achieving continuous compliance, because if too many people are carrying long to-do lists at once, the effort is likely to get out of control. Start small, but aim for steady progress.
In short, continuous compliance can save you a great deal of resources and hassle in the long run, even if the set-up period suggests otherwise. When you automate compliance and integrate it with your security policies, you get the double benefit of better security and continuous compliance. Try it and see the difference it makes to your organization.