What Does a Compliance Manager Do?Published January 31, 2019 by Karen Walsh • 4 min read
Many people think that a compliance manager does nothing more than checkboxes on forms. However, in reality, your regulatory program manager coordinates across a variety of departments within your organization to keep your daily processes in alignment with your policies, procedures, and processes.
What Does a Compliance and Regulatory Program Manager Do
What are the legal IT compliance requirements?
Legal requirements governing IT environments vary by industry.
As such, compliance managers need to know how to implement a variety of controls foisted upon them by different agencies.
For example, HIPAA governs the healthcare industry. Despite the high incidence of non-profit healthcare providers, many must still comply with the Sarbanes-Oxley Act of 2002 (SOX). This overlap of regulations requires strict attention since both invoke monetary penalties for noncompliance.
Financial institutions need to comply with a variety of IT controls set forth by the Federal Deposit Insurance Company (FDIC) and the Federal Financial Institutions Examination Council (FFIEC). Moreover, the Office of the Comptroller of the Currency (OCC) announced in 2018 that it would evaluate special purposes national bank charters to fintech companies, which will increase their regulatory compliance requirements.
These legal requirements often incorporate fines and penalties for noncompliance making them a compliance management priority.
What are compliance issues are related to industry standards?
Unlike government regulations, industry standards do not always invoke penalties. Despite that, competitive businesses must meet the best practices these standards control.
For example, the Industrial Standards Organization (ISO) established the ISO-27001 standard to develop controls over the IT landscape.
However, businesses that accept credit card payments need to comply with the Payment Card Industry Data Security Standard (PCI DSS). It’s important to keep in mind that although not governed by statute, PCI DSS noncompliance also comes with fines imposed by the payment card companies. Additionally, many payment card companies will stop processing payments for organizations that do not comply with the security standard.
How do compliance managers engage in program planning?
The first step to creating a compliance program lies in assessing risk. Your compliance manager will look at the potential threats to data integrity, accessibility, and confidentiality. Then, they will look at the types of data stored, accessed, and transmitted throughout your IT environment. Once they review these two things, the compliance manager will determine the overall risk a system, network, or software poses to your organization.
After this, the compliance manager determines whether you have the appropriate controls in place to protect data. These can include ethical as well as technical controls. For example, workforce members may want to use customer data for their nefarious purposes in the same way that external malicious actors do.
Thus, your compliance manager will ensure that your organization creates policies that govern internal access and authorization as well as ones that set controls such as firewalls, encryption, and other external threat mitigations.
Why compliance managers engage in policy enforcement
Once your compliance manager has reviewed the risks and controls in place that mitigate those risks, they will evaluate whether the organization enforces policies.
Writing policies is easy. However, it’s not as easy to maintain internal compliance with them. Think of it this way, as a child, you might have told your parents that you would clean your room, but if it was a chore you disliked, you often postponed it until the last minute. The same is true with many compliance activities.
For example, access reviews act as primary protection against internal and external data threats. However, updating access logs is time-consuming. Department managers need to review their workforce roles and responsiblities continuously. As employees change positions, even within a department, they may require different system access rights. While department managers may remember to ask for additional access, they often forget to send messages to their IT departments revoking unnecessary access. Unnecessary access can put data at risk since outdated authorizations become a threat vector for social engineering attacks.
Your compliance manager acts as a second set of eyes to review whether the internal communications process works as intended. Thus, by examining policy enforcement, your compliance manager enables a more robust security and compliance stance.
How to use a compliance management system to enable your compliance manager
Automated tools allow for stronger internal and external communications. Additionally, compliance managers can maintain better documentation over your organization’s compliance program when they have a single source of truth.
Compliance managers need access to and control over compliance documentation. If multiple versions of policy exist within the organization, then the compliance manager cannot protect against a potential standard and regulatory violations.
For IT compliance managers, this becomes an even more difficult task. Malicious actors continuously evolve their threat methodologies which means risk mitigation strategies can become outdated overnight. Thus, if a compliance manager is reviewing an outdated policy or procedure, they may find your company in noncompliance.
Access and authentication serve as an example. Increasingly, best practices include incorporating multi-factor authentication for employee access to systems, networks, and software. Many organizations are moving from a simple password-protected environment to one that includes a password and either something a user owns (such as a token or cell phone authentication) or something the user is (such as biometrics) or both of these authorization techniques.
If multiple versions of your access and authentication procedures sit on a shared drive, then your compliance manager may be unable to locate the most updated version. Additionally, if these sit on a shared drive and someone accidentally changes them, then the procedure’s integrity is at risk.
How ZenGRC enables your compliance manager
With ZenGRC’s compliance management software, you can share information between stakeholders and set the appropriate role-based privileges to keep your controls accessible yet safe from tampering.
Moreover, with ZenGRC’s built-in mapping capabilities, your compliance manager can more easily employ gap analysis to determine the additional controls needed to support your company’s compliance program.
Many companies assume adding the cost of a compliance management software on top of a compliance manager salary is redundant. However, a compliance system allows your employee to focus on compliance, meaning the organization’s protocols and policies, rather than spending time on tedious tasks like gathering information for audits. ZenGRC acts as a single source of truth streamlining the audit process.
For more information on how ZenGRC can maximize your compliance manager’s efficiency, request a demo today.