Understanding the work to be done to achieve compliance
Compliance can seem daunting. Understanding the work to be done helps relieve the stress.
The work required by compliance standards typically falls into a few simple buckets. Understanding this allows you to build the team, roll up your sleeves and get the job done.
People
Key people need to be identified for named roles, authorities and responsibilities, such as a Data Privacy Officer and a Technical Information Security Officer. Job descriptions and reporting structures need to be defined.
Policies
Policies help guide employees, IT staff and others on day-to-day activities within the organization and with its assets and data. Do you have a policy that requires multi-factor authentication on any code repository? Is anyone allowed to stand up a new service, or is there a policy on how these decisions are made and who makes them?
Process
What is the process for vulnerability management and remediation? How do you identify and manage risk? What happens when you have a system outage? What are the steps you need to take, and who needs to take them, when you have a data breach? Process is about the activities, methods and procedures undertaken by team members to deal with the various aspects of the compliance program.
Technology
Many standards require specific technical controls (or, often, alternative compensating controls) to help address specific areas of risk: perimeter firewalls to help secure office locations, or endpoint security and encryption to ensure that data held on laptops and removable devices is secure. Some standards demand specific controls; others have only specific aims and objectives in mind.
Artifacts
Many compliance standards require not just written policies and technologies, but evidence that they are actually being used, stored as artifacts for an auditor to confirm adherence. Collecting and maintaining these artifacts can take up a significant portion of staff time when working to achieve compliance.