By Will Whitaker
A common controls framework is the ultimate goal for most risk management groups. Whether you’re facing HIPAA, SOX, ISO 27001/2, NIST 800-53, HITRUST CSF, or other mandates from your regulators, your IT organization has a variety of compliance requirements to meet, and a common controls framework is the best way to meet them.
Establishing one common control framework to rule them all seems like the proverbial “easy button,” since it has the potential to eliminate the duplication of requirements across frameworks and simplify the process of scoping, defining, and maintaining compliance. As a result, you save your organization significant time and resources, and you’re not forced to reinvent the GRC wheel every time a new compliance mandate is published. In short, it gives you the power to “test once, comply with many.”
Turning on Your Compliance Risk Management Easy Button
Unfortunately, building this easy button is not always quite that simple.
The reality of the situation is that resources dedicated to framework development and maintenance are thin in most organizations. Different frameworks, though often containing common domain or control areas, contain varying levels of control granularity, making a 1-1 mapping between frameworks a virtual impossibility and necessitating mapping judgment calls. Typically, whichever regulator is knocking on your door the loudest gets the most attention. You have annual audits, and your key controls will need to be tested every year. You have management-directed goals of aligning your organization’s controls more closely to important industry standards, and you need to somehow incorporate what’s already built so you’re not starting at ground zero.
So, while that easy button and 100-percent “strict” compliance with every framework may be a unicorn, there is an achievable solution. The realistic goal should be to build a GRC technology framework that takes advantage of industry best practices and techniques, as well as third-party solutions, to comply with the spirit of the regulations and get as close as possible to the letter of the law when it makes sense to do so. And it should be solid enough to evaluate and accommodate the inevitable changes to those regulations (GDPR, anyone?!).
Recommendations for Getting Started with a Compliance Risk Management Common Controls Framework
Before you set about the task of creating a common controls framework, determine what you really need and your organization’s capability for implementing it. You should have answers to the important questions, including:
- Which regulations are you subject to and what is the cost (risk) of noncompliance?
Not every regulation will impact your organization equally, and sometimes noncompliance may be an acceptable business decision. If that thought makes you squirm, hear me out. Compliance is just another risk and therefore should be assessed and treated accordingly. Evaluate the risks of noncompliance holistically (external and internal impacts) and, where possible, quantify their costs so you can decide with senior management on the best route forward. Acknowledge that risk acceptance within certain areas of a framework may be an appropriate management response when the cost of compliance exceeds the benefit it would deliver.
- Do regulators expect strict compliance?
Understanding the regulators’ expectations can help you avoid unnecessary expenses, since full compliance can be costly. Consult with your regulators to understand their process and expectations. It may be acceptable to comply with the spirit of the law if the business can provide sound justification for your chosen implementation of the framework. Realize that, if strict compliance is truly mandated or expected, that same strict compliance won’t happen automatically if you’ve selected a different framework as your core set of common controls, since mappings between frameworks always include an element of subjectivity: a control that satisfies the mapped requirement in your core framework may not satisfy the more granular (or differently scoped) requirement in the regulated one.
- What is your organization’s appetite and readiness?
You will likely pick a marquee industry framework with which to comply (such as NIST CSF). When you select a new compliance risk management framework on which to build your common controls core, the team will be extremely excited to roll it out. However, be strategic in how you “sell” it internally. Not everyone will share your team’s enthusiasm. Because organizational change is always difficult, set realistic expectations. Start small; don’t anticipate you’ll be able to implement more controls than the compliance risk management team can realistically consume or afford! But allow the framework to help management prioritize funding initiatives and shape your implementation roadmap.
Armed with these answers, you’ll have a better idea of the path forward for a compliance risk management common controls framework that accommodates the regulations at hand, the regulators monitoring them, your management’s expectations and appetite, and your organization’s readiness. From here, it’s a matter of determining the best GRC tool for creating and maintaining that framework.