Phillip Ferraro, CISO, DRS Integrated Defense Systems and Services

A major area of concern for security personnel these days is how to achieve and maintain compliance with multiple regulatory governing bodies. You might not have the resources to continuously monitor and maintain compliance. More often than not, the focus is placed on protecting and defending networks and data from malicious actors rather than on an effective compliance program.

Organizations with e-commerce, for example, must comply with the Payment Card Industry (PCI) Data Security Standard (DSS) and implement a long list of NIST 800-53-like security controls to protect cardholder data during processing, storage or transmission. If you are in the health care industry or maintain any protected health information (PHI), you must maintain compliance with HIPAA.

There are industry-specific regulatory bodies as well. For example, in the insurance industry, each state enacts statutory laws and, in addition, there are federal laws and court decisions that impact compliance requirements. In the gaming industry, there are strict security requirements and controls that must be in place. In both of these industries, the requirements can vary from state to state and from country to country, making compliance for a national or international organization even more difficult. Failure to comply can result in loss of licensing. Other industries have similar regulatory requirements.

Compliance is one piece of an umbrella term called governance, risk and compliance (GRC), which describes the actions organizations should take in each of these closely related areas.

Before my organization implemented a GRC tool, our processes were manual and we underwent many different audits by various regulatory bodies annually. Rather than have multiple programs and teams implement different controls for different regulatory agencies, we created a matrix that covered all of the security controls. A majority of the controls were the same for each of the governing bodies. Once we completed our matrix, we worked closely with our IT teams to implement all of the security controls where we could, and documented those cases where a control could not be implemented. This saved us a significant amount of time and reduced the need for additional personnel to manage each of the programs. Regardless of which agency came in to conduct an audit, we were prepared and had all of the controls implemented. This ensured that we were able to successfully achieve and maintain our multiple compliance requirements.

I would highly recommend this procedure to any organization answering to multiple regulatory bodies, even if you already have, or are considering, an automated GRC tool.