Perry Carpenter is Chief Evangelist for KnowBe4 Inc., provider of the popular Security Awareness Training & Simulated Phishing platform.
The cybersecurity regulatory environment is becoming increasingly complex. Depending on the industry or the region you belong to, there can be any number of regulations and frameworks that businesses have to deal with, such as the General Data Protection Regulation, Payment Card Industry Data Security Standard, Family Educational Rights and Privacy Act and many more.
Compliance audits are often compared to a dental root canal. You know it’s going to make you feel better, but the process is painful. Audits also tend to take a toll on resources. There’s a lot of documentation, and getting organized and compliant might involve a lot of changes to IT infrastructure and processes. The pandemic isn’t helping matters either, as it adds further challenges to the mix.
The process of achieving compliance can greatly vary, depending on the regulation and what it measures. However, these seven steps can help make the audit preparation process more streamlined and painless.
Step 1: Begin with a self-assessment.
One of the best ways to prepare for an audit is by taking a self-assessment. There are a number of self-assessment tools available that cybersecurity teams can use to gauge their readiness and also perform a quick gap analysis. The great thing about using a tool is that reports are available instantly so you can prepare to address any deficiencies that might have been identified in the assessment.
Step 2: Identify and prioritize gaps.
After the assessment, ensure you document and prioritize the changes involved in bringing your organization to compliance. From there, look at costs and what it will take to implement each change. This will help you figure out what to prioritize and develop a plan. Note that the more things you deprioritize, the more likely they will grow, fester and become complicated, hairy problems that you have to deal with in the future. This is because the technology environment, the business, user requirements and the regulatory landscape are all evolving quickly.
Step 3: Develop a timeline.
Once you have determined the changes that need to be made, it’s time to create a roadmap or timeline to address these changes in the order of priority you defined. In my experience, newer accreditation bodies might require that you plan at least six months before the audit — and possibly much earlier if you do not have a robust security program in place.
Step 4: When using automation to meet compliance goals, choose wisely.
While you can use manual spreadsheets and processes, you can also consider using a ready-made governance, risk management and compliance platform. (A number of companies, my own included, offer these types of platforms.)
GRC platforms can help streamline compliance- and audit-management processes and provide control guidance during implementation. GRC platforms can also provide a single-pane view of the organization’s overall state of IT risk and compliance. They’re typically equipped with built-in templates for widely used regulatory frameworks, and these can reduce the time, effort and money required to meet your compliance goals.
Because keeping up with risk assessments is a continuous problem, savvy leaders will need to choose wisely when selecting a GRC platform. One checkpoint I suggest keeping in mind is whether the tool can run audits easily and at a cost you can afford. Also, think about whether automation features, such as pre-built templates for the most widely used regulations, are important to you. And assess whether the tool can manage the distribution of policies and confirm compliance, as well as whether it can monitor and keep track of your vendors’ risk requirements.
Step 5: Monitor and fine-tune.
You can quickly fall out of compliance if you are not monitoring your controls and actions on a routine basis. Make sure you have a process in place for monitoring and fine-tuning so that routine updates to systems, controls and processes are less likely to catch you off guard and lead you into non-compliance. Implement a system that identifies security issues in hardware and software assets and sends alert notifications in case of any gaps in compliance. Certain regulations also require contractors to report incidents, so ensure that you have a way to monitor third-party vendors and contractors.
Step 6: Train users on cybersecurity hygiene, policies and procedures.
All major cybersecurity regulations require an element of user-awareness training. All users, both on-site and remote, must comply with security policies and procedures to ensure they meet the requirements for how data must be handled, stored, backed up, archived or deleted. Additionally, users should routinely undergo training exercises to practice good cyber hygiene, such as safe browsing, use of strong passwords, recognizing phishing attacks and more.
Step 7: Capture, track, report and document at all times.
Companies once had the luxury of time, usually several weeks, to furnish documentation requested by an assessor. Nowadays, regulators expect companies to produce documents on-demand, so it’s important to continuously capture processes, controls, metrics and other historical data, as these can be presented as evidence whenever needed. Smart companies know to behave as though every day is an audit day; that’s why these organizations tend to fare better come audit time.
Finally, businesses must look at compliance as an opportunity, not an obligation. The real difference lies in the day-to-day governance — between teams that must prepare for an audit and those that are always prepared for an audit. It’s about the use of automation, tools and processes that help the business stay on top of mandates, while also minimizing the chances for fines and penalties. If played correctly, a proactive approach to complying with regulations can provide businesses with a distinct competitive edge.