Third Party Reporting
How To Achieve Compliance Across Multiple Controls Frameworks
January 10, 2021 • Jacob Nix
Juggling the increasing complexity and volume of compliance requirements can be a daunting task for any organization. Organizations are under more scrutiny than ever from their clients through a growing list of compliance obligations, including SOC 2 Attestation Reports, ISO/IEC 27001:2013 Certification Reports, HITRUST, HIPAA, FedRAMP, and the list goes on. To help your organization navigate these obligations, RISCPoint has developed this guide to identify best practices for implementing a cohesive compliance framework for your organization.
Define your Compliance Objectives
The first step in establishing the compliance program is to define the objectives for the organization. These objectives should define what the organization is seeking to accomplish with both current and long-term compliance goals. For example, do we prioritize a SOC 2 Attestation report to satisfy an existing client need, or do we have more of a runway to scale our compliance operations across multiple frameworks? The objectives set in this phase help to drive decisions from both a budgetary and operational perspective. To get the most impact from the objective-setting process, we recommend involving stakeholders from multiple departments across the organization to obtain a more holistic view. This process is important to think through thoroughly, as these decisions lay the foundation for how we select a controls framework to help meet these objectives.
Select a Controls Framework
There are many methodologies that can be utilized to implement a control set that maps across multiple compliance frameworks. The determination of which control set to utilize will ultimately be unique to your organization; however, the following items should be considered as a component of your evaluation:
Do you know the types of data processed by your organization?
For example, if your organization processes electronic personal health information then you may be required to comply with HIPAA obligations. Or if your organization processes the personal data of EU residents, then you may be required to comply with the General Data Protection Regulation.
Do you classify this data and document where it resides?
Understanding the types of data processed by your organization and where this data resides helps you make a better determination of how to protect the organization's most valuable asset, its data.
Does the industry that you operate within have unique compliance obligations that you need to include within your program?
For instance, if your organization is a financial institution in the state of New York, then you may be required to comply with the New York Department of Financial Services (NYDFS 23 NYCRR 500).
Once you have determined the specific data types and other regulatory factors that you may be required to comply with, it is time to identify a controls framework that can be tailored to your organization. There are many options that can be implemented, such as the Secure Controls Framework or the Unified Compliance Framework. Each of these control frameworks includes mappings across multiple compliance frameworks, which helps isolate the controls to only those applicable to your organization and its stated objectives.
After you have selected the controls framework that best meets your organizational needs, it is time to begin implementing the control set. This process can initially seem overwhelming; however, it can be accomplished with executive support and effective project management techniques. To help facilitate the implementation of controls, we recommend some general best practices:
Control Domains
When implementing a controls framework, we recommend breaking down the controls into digestible domains so that controls can be allocated to specific departments or functions. For example, controls frameworks such as the Secure Controls Framework break down controls into more than 30 unique domains. This helps to track the effectiveness of the program with enhanced granularity and to make more informed decisions on how to improve the program.
Most Restrictive Control
Inevitably there are going to be times when compliance obligations will seem to compete with one another or require a slightly different configuration. When navigating these scenarios, the best practice is to implement the most restrictive control and use this as the baseline across the organization. We also recommend consulting with your service auditor and compliance consultant whenever in doubt.
Control Owner and Control Operator
All controls implemented within the organization should be assigned a control owner who is responsible for ensuring that the control is operating as intended and a control operator who is responsible for executing the control. The assignment of accountability to control owners and operators is a key component of establishing an effective compliance program.
Control Frequency and Automation
One often forgotten piece of an effective compliance environment is to automate as much of the required activity as possible. This begins by assigning a control frequency for how often the control operator is responsible for executing the control. The control frequency should be tied to an automated ticket, calendar invitation or reminder to complete the control.
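As an added example (not from the original post or from RISCPoint), a small Python control register tying the practices above together: controls allocated to domains with an owner and an operator, mapped to the frameworks in scope, a resolver that picks the most restrictive value when frameworks require different settings, and a due-date check that can feed the automated reminder ticket. Framework clause references, frequencies and numeric requirements are constructed placeholders, not actual framework requirements.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Days allowed between executions for each control frequency (constructed values).
FREQUENCY_DAYS = {"daily": 1, "weekly": 7, "monthly": 30, "quarterly": 91, "annual": 365}


@dataclass
class Control:
    control_id: str
    domain: str           # controls-framework domain, used to allocate to a department
    owner: str            # accountable that the control operates as intended
    operator: str         # executes the control at the assigned frequency
    frequency: str        # key into FREQUENCY_DAYS
    mappings: Dict[str, str] = field(default_factory=dict)  # framework -> requirement reference
    last_executed: Optional[date] = None

    def next_due(self) -> Optional[date]:
        """Date the operator must next execute the control; None if never executed."""
        if self.last_executed is None:
            return None
        return self.last_executed + timedelta(days=FREQUENCY_DAYS[self.frequency])


def most_restrictive(requirements: Dict[str, int], stricter: str) -> int:
    """Resolve competing framework settings for one parameter into a single baseline.
    stricter="lower": a smaller value is stricter (a maximum, e.g. days before a password
    must change). stricter="higher": a larger value is stricter (a minimum, e.g. length)."""
    values = requirements.values()
    return min(values) if stricter == "lower" else max(values)


def applicable_controls(controls: List[Control], frameworks: List[str]) -> List[Control]:
    """Isolate the control set to controls mapped to a framework the organization must meet."""
    return [c for c in controls if any(f in c.mappings for f in frameworks)]


def reminders_due(controls: List[Control], today: date) -> List[str]:
    """IDs of controls due (or never executed) as of today: the input for ticket creation."""
    return [c.control_id for c in controls
            if c.next_due() is None or c.next_due() <= today]


# Constructed sample register; clause references are illustrative placeholders only.
SAMPLE_CONTROLS = [
    Control("AC-01", "Identity & Access", "CISO", "IAM admin", "quarterly",
            {"SOC 2": "CC6.x", "ISO/IEC 27001:2013": "A.9.x"}, date(2020, 9, 30)),
    Control("BC-01", "Business Continuity", "COO", "Ops lead", "annual",
            {"ISO/IEC 27001:2013": "A.17.x"}, date(2020, 6, 1)),
    Control("PCI-01", "Cardholder Data", "CFO", "Payments eng", "monthly",
            {"PCI DSS": "Req. x"}, None),
]
```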
After implementing the control set within your organization, it is time to assess the effectiveness of your program. The effectiveness of the program should be assessed against the objectives that were defined at the onset of the project as well as the specific control requirements set during the implementation phase. Effectiveness monitoring can be performed through an internal audit against a specific framework, such as the Payment Card Industry Data Security Standard for specific compliance requirements, or against a capabilities and maturity model such as the NIST Cybersecurity Framework.
RISCPoint revolutionizes the cybersecurity and compliance world by applying a proprietary and innovative approach delivered by experienced professionals. Rather than just meeting compliance requirements, our consultants help you optimize your processes and gain value while minimizing the burden of compliance. We aim to help you meet the relevant standards while providing a painless audit experience!