As many organizations improve the maturity level of their IT compliance departments, many still struggle with how to translate compliance requirements to tactical operations. Sure, compliance gets it, audit understands it, but this must somehow translate to how the developer actually writes his code or the accountant stores their files. Companies still seem to approach IT compliance in a break-fix fashion and fail to implement the requirements as operational standards.
Similar to many facets of the IT world, compliance departments arose to prominence out of a necessity to fix a big problem fast. Many compliance departments are staffed with the hard working folks that were able to find fixes to the hard problems in a pinch. And as with many areas of IT, there has never been time to think beyond break/fix. Essentially, there was a hole in the bucket and a patch was needed. Unfortunately, the bucket continues to sprout holes in many different places. The problem is that we just keep patching the same old bucket.
Why can’t we find a way to build a bucket that doesn’t leak?
In order for compliance to scale within an organization, accountability for compliance cannot be handled in a centralized manner. We must find a way for the entire organization to bear the burden of compliance. Each team that interfaces with any portion of compliance should have a clear understanding of each of the requirements that affect them and be held accountable for operating within those guidelines. So easy to say, so hard to accomplish.
As a leader in your compliance group, you seem to be stuck in a state of running around policing the organization. You are trying to ensure that the whole company is conforming to the guidelines and standards that they need to be. Just as soon as you are able to get one group of cats back on track, the other group has decided to get crazy with the catnip and raid the fridge for snacks.
The key is clear, concise communication and accountability. It seems like we continue to push the organization, “patch these servers, stop developing bad code, and test the incident response plan.” But did we ever take the time to clearly communicate the expectations to that team? How can we expect to hold them accountable if we never clearly communicated our expectations?
Let’s take a specific example. Like clockwork, it’s two weeks before the end of the quarter and over at Joe Bob’s Online Widget Shop the web server team is struggling to meet the deadlines on remediating their PCI quarterly scan findings. While the team received their scan results at the beginning of the quarter, they are struggling to meet the end-of-quarter deadline. The team is understaffed and over utilized and they just don’t have the budget or time to get it done. The compliance team is forced to work very hard to ensure that the web server team meets their remediation deadlines quarter after quarter.
How can we break this cycle?
In this case, the compliance team should draft up an annual work schedule. This schedule should include each of the PCI requirements that pertain to the team and what their responsibilities surrounding those requirements are. This work schedule would include information on each requirement surrounding the quarterly PCI scanning. It would define when the team can expect scan findings to be delivered, how to engage compliance for re-testing and when the deadlines are for full remediation. These work plans should be presented to the team’s management in order to obtain the proper support.
A solid annual compliance work plan will include the following:
Detailed explanation of each requirement
The work plan should contain a detailed explanation of every requirement that has an impact on each team. This explanation should be provided in clear terms and should indicate the reason or intent of each requirement. Each person affected by compliance should fully understand the requirements that they will be held accountable to.
Calendar of deliverables
The work plan should also include a calendar of deliverables for at least one forward-looking year. This is where the periodic elements of compliance and deliverables are clearly laid out. Examples of periodic compliance elements may include:
- Quarterly firewall and router review
- Quarterly audit inactive user accounts
- Annual off-site storage review
- Annual media inventories
- Quarterly vulnerability scanning
This calendar can be planned out to the day or week and should also define what the deliverable should be.
Now the team and their management are aware of the work effort that is needed in order to support the company’s compliance efforts. The team can now be held accountable for this work throughout the year. If we take it one step further, the team now sees that the level of work will continue to be high unless they implement some proactive measures. So instead of waiting for compliance to deliver the scan findings, they are monitoring the security lists for the versions of software that they support and implementing change in line with expectations. Now the compliance findings are very minimal if they even find anything.
This type of planning, communication and accountability is key to establishing a sustainable compliance program. The communication of expectations and deliverables should be documented and delivered to every team that is impacted by compliance. Once in place, this type of framework allows the compliance organization to measure the consistency of the work produced by the organization as a whole as well as provide the method to hold them accountable.
Don’t rely on the tail wagging the dog approach. You will always find yourself running around in an ever-losing attempt to police the entire organization. Similar to most IT initiatives, in most companies, the compliance group was born out of necessity and like IT are run in a very reactive manner in most cases. Don’t allow the compliance group to get stuck in a constantly reactive mode. Stop reacting and build a plan to make your group proactive. Reporting compliance may be your job, but sustaining compliance is EVERYONE’S job. Build a plan to establish accountability throughout the organization. Communicate it, measure it, improve it. Rinse and repeat.