eBook: Compliance Management Best PracticesPublished January 8, 2019 by Karen Walsh • 4 min read
As new regulations and updated industry standards bombard businesses, compliance management becomes a focus for all industries. However, increasingly, these new compliance requirements mean checking, double-checking, and triple checking spreadsheets. Cybersecurity analysts note that reviewing your data environment and ensuring control effectiveness can help mitigate the potential for a data breach. However, if your information remains siloed in different departments, you may not be maintaining accurate, up-to-date information.
Compliance Management Best Practices: When Will Excel Crush You?
How to create an effective corporate compliance program
Creating a corporate compliance program means building a team dedicated to overarching legal and industry requirements. However, while traditionally the Chief Information Officer (CIO) or Chief Information Security Officer (CISO) worked with your compliance officer, times they are a’changin’.
Today, your organization needs to establish cross-departmental communications. As your business increasingly incorporates more Software-as-a-Service (SaaS) platforms to enable business operations, you need more internal stakeholder discussions.
For example, your human resources department may be using multiple SaaS platforms to enable their operations, such as a billing platform to pay employees and a platform to track hours. Meanwhile, your marketing department may be using a social media scheduling platform and a contacts database platform. Each of these SaaS enablements increases your compliance risk.
Thus, your corporate compliance program must consist of an interdepartmental team so that you can log all assets.
How to create an effective risk management program
Once you’ve built a working team, everyone needs to sit down together and discuss the risks that their assets create. Creating an effective risk management program requires you to determine not only what digital assets can be breached but also the impact of an information type being breached.
The first step is creating a catalog of all digital information assets. This should include everything from systems and networks to applications and software.
The next step involves reviewing the information those assets store, transmit, and process. The type of information with which your digital assets interact can change the level of risk associated with them. Personally identifying information, depending on the regulation or standard, can be as singular as an IP address or as multi-varied as a name, birthdate, and another identifier.
For example, under the General Data Protection Regulation (GDPR), website cookies that track user interaction care considered technical identifiers of personal data. Meanwhile, under the Payment Card Industry Data Security Standard (PCI DSS), protected cardholder data includes a combination of the primary account number (PAN), in conjunction with either cardholder name, expiration date, or service code.
Data that you must secure changes based on what it is, who’s using it, how they’re interacting with it, where they’re storing, and how they’re transmitting it.
How to effectively manage vendor risk
Vendor risk, with the increased use of SaaS services, becomes an even deeper quagmire. Regulatory compliance requirements such as the New York Department of Financial Services (NY DFS) Cybersecurity Rule and GDPR focus heavily on securing supply chain security monitoring.
Monitoring your vendors increases the amount of documentation required to establish an effective compliance program. You need to ensure that you catalog all your vendors – humans as well as digital – and ensure they maintain security controls.
You need to ensure that your internal stakeholders understand their responsibilities for overseeing their vendors.
You need to document vendor access and authorization to your systems, software, and networks.
You need to maintain updated lists proving effective monitoring over their controls as well as your ability to keep up with any security updates they offer.
You need to make sure that you’ve reviewed their security controls, documented their responses to questionnaires, and examined any internal or external audits they completed.
All of this work also needs to include documentation from the vendors that you store in a single location.
Why spreadsheets are an inefficient compliance management system
When you started tracking your cybersecurity compliance, you either had few integrations or were a small business. Thus, your compliance management system may have started by using a spreadsheet. Simple to use and cost-effective, they allowed you to document your controls easily. As cloud drives enabled document sharing and editing, you found a new way to create internal stakeholder accountability without having to spend more money.
As your reliance on SaaS providers increased and your business scaled, however, those spreadsheets became longer. More vendors meant adding more tabs to a spreadsheet. More employees meant more people working in the same documents.
Additionally, since cloud drives save the most recent data added, you found it hard to track mistakes. Comparing various document histories became overwhelming. You couldn’t determine whether the appropriate responsible parties managed their reviews effectively.
Updates to controls such as security patches were harder to document adequately.
All of this hassle became time-consuming and created a potential compliance risk.
Moreover, your internal audits took longer since auditor questions led to your compliance officer reviewing messy historical documentation to prove that you maintain effective controls.
ZenGRC Eases the Compliance Management Burden
With ZenGRC, you have a single source of truth for overseeing your compliance management program.
Our easy to use platform allows you to create role-based access to documents so that internal stakeholders access only the information they need. You establish access to records by aligning them to job roles and functions so that HR can just make changes to their vendors while Marketing can access only theirs. This allows your compliance manager to more efficiently track changes and ensure appropriate documentation.
Moreover, with our workflow and task management capabilities, you can assign tasks to individuals and track their completion. This eases the burden associated with continuously sending email updates and requests.
Finally, with the platform as a single-source-of-truth for internal and external audit documentation, you save time responding to auditor requests as well as money on the audit itself. For audits that go over their intended time frame, you can be charged by the hour, increasing audit costs. If you streamline the process, then you save money by not needing to respond to audit findings or additional requests.
To learn more about whether your system of using spreadsheets is hindering your compliance, check out our eBook: Compliance Management Best Practices: When Will Excel Crush You?