Continuous Compliance Best Practices

October 19, 2021 | By IANS Faculty

Continuous compliance requires continuous monitoring and validation of controls in the environment, as well as integration with governance, risk management and compliance (GRC) tools and platforms. A variety of stakeholders will need to be involved in these projects, and most enterprise organizations prefer to “buy” versus “build” a central platform to help in accomplishing this goal. This piece explains the processes, tools, stakeholders and focus required for a best practice continuous compliance program. 

Common Tools for Continuous Compliance 

In addition to a traditional best-practice list of controls that meet compliance requirements in areas such as network security, identity management, data security and vulnerability management, continuous compliance requires an overlay of continuous controls monitoring, so that any change to or drift in those controls is detected and remediated and the compliance posture is maintained.

Continuous controls monitoring (CCM) is an integrated set of processes and techniques, enabled by technology, which is designed to help an organization: 

  • Automate the ongoing monitoring of the control environment. 
  • Identify control exceptions on a defined cadence (daily, weekly, monthly) based on pre-defined business rules. 
  • Monitor, track and report the effectiveness of controls. 
  • Identify root causes and improve related processes in a timelier manner. 
  • Reduce the cost of controls. 

A continuous compliance program is desirable, but it requires a significant investment to build automated processes, develop dashboards and key performance indicators (KPIs), and ensure stakeholders are committed to controls and security posture in diverse areas across the organization. In most cases, in addition to the existing controls mentioned earlier, continuous compliance is achieved with: 

  • GRC platforms for controls mapping across different regulations: A GRC platform such as RSA Archer should be more than adequate for this. It is a platform many enterprises use to document controls and map frameworks and requirements together. 
  • Scanning services or platforms: While most vulnerability scanners are traditionally configured to assess systems for vulnerabilities, most leading solutions can now also report on a variety of system/device/application configuration elements and assist with asset discovery. 
  • Discovery/configuration management platforms, including a configuration management database (CMDB): Asset discovery and CMDBs are pivotal elements in a continuous controls monitoring design for continuous compliance. 
  • Dedicated continuous compliance platforms: Dedicated continuous compliance tools are worth considering, as each includes some elements of the previous three solutions (and often integrates with existing tools), and they also provide the process workflow engines, dashboards, metrics and KPIs organizations need to establish and maintain these programs. 

Examples of dedicated continuous compliance tools include: 

  • ControlCase Continuous Compliance 
  • Chef InSpec 
  • SecurityScorecard 
  • AuditBoard CrossComply 
  • LogicGate 
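The monitoring overlay described above, as an added example (written for this page, not code from the author or from any tool listed here): a short Python run that evaluates rule-based controls against two constructed asset snapshots in the shape a scanner or CMDB export might take, lists the resulting control exceptions, detects drift against the previous run, computes a per-control pass-rate KPI for a dashboard, and rolls failures up to the framework requirements each rule is mapped to. The hosts, rule identifiers, owners and framework references are assumptions for illustration.

```python
"""Minimal continuous-controls-monitoring (CCM) evaluation run.

Added example: the asset snapshots, control rules and framework mappings
below are constructed for illustration and do not come from any scanner,
CMDB or GRC product named on this page.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

Asset = Dict[str, object]


@dataclass
class ControlRule:
    rule_id: str
    description: str
    owner: str                       # team that owns the rule's design and maintenance
    frameworks: Set[str]             # requirements this rule is mapped to (illustrative)
    check: Callable[[Asset], bool]   # True when the asset satisfies the control
    applies_to: Callable[[Asset], bool] = lambda a: True  # scope filter


def is_prod(asset: Asset) -> bool:
    return asset["env"] == "prod"


# Constructed snapshots in the shape a scanner/CMDB export might take (not real hosts).
SNAPSHOT_PREVIOUS: List[Asset] = [
    {"host": "db01", "env": "prod", "mfa_enforced": True, "disk_encrypted": True,
     "patch_age_days": 12, "open_ports": [5432]},
    {"host": "web01", "env": "prod", "mfa_enforced": True, "disk_encrypted": True,
     "patch_age_days": 20, "open_ports": [443]},
    {"host": "jump01", "env": "prod", "mfa_enforced": True, "disk_encrypted": True,
     "patch_age_days": 5, "open_ports": [3389]},
    {"host": "dev03", "env": "dev", "mfa_enforced": False, "disk_encrypted": False,
     "patch_age_days": 60, "open_ports": [22, 8080]},
]
SNAPSHOT_CURRENT: List[Asset] = [
    {"host": "db01", "env": "prod", "mfa_enforced": True, "disk_encrypted": True,
     "patch_age_days": 41, "open_ports": [5432]},           # patch SLA drifted past 30 days
    {"host": "web01", "env": "prod", "mfa_enforced": False, "disk_encrypted": True,
     "patch_age_days": 3, "open_ports": [443, 22]},         # MFA switched off, SSH exposed
    {"host": "jump01", "env": "prod", "mfa_enforced": True, "disk_encrypted": True,
     "patch_age_days": 7, "open_ports": [3389]},
    {"host": "dev03", "env": "dev", "mfa_enforced": False, "disk_encrypted": False,
     "patch_age_days": 60, "open_ports": [22, 8080]},       # out of scope: not production
]

RULES: List[ControlRule] = [
    ControlRule("AC-01", "MFA enforced on production hosts", "IAM team",
                {"NIST 800-53 IA-2", "PCI DSS 8.4"},
                check=lambda a: a["mfa_enforced"], applies_to=is_prod),
    ControlRule("DP-01", "Disk encryption on production hosts", "Platform team",
                {"NIST 800-53 SC-28", "PCI DSS 3.5"},
                check=lambda a: a["disk_encrypted"], applies_to=is_prod),
    ControlRule("VM-01", "Production hosts patched within 30 days", "Vuln mgmt",
                {"NIST 800-53 SI-2", "PCI DSS 6.3"},
                check=lambda a: a["patch_age_days"] <= 30, applies_to=is_prod),
    ControlRule("NS-01", "No SSH exposed from production hosts", "Network team",
                {"NIST 800-53 CM-7", "PCI DSS 1.2"},
                check=lambda a: 22 not in a["open_ports"], applies_to=is_prod),
]


def evaluate(rules, snapshot):
    """Return {(rule_id, host): passed} for every in-scope rule/asset pair."""
    return {(r.rule_id, a["host"]): bool(r.check(a))
            for r in rules for a in snapshot if r.applies_to(a)}


def exceptions(results):
    """Control exceptions: in-scope pairs that failed, sorted for stable reporting."""
    return sorted(k for k, ok in results.items() if not ok)


def drift(previous, current):
    """Pairs whose status changed between runs: (regressed, remediated)."""
    regressed = sorted(k for k, ok in current.items() if not ok and previous.get(k) is True)
    remediated = sorted(k for k, ok in current.items() if ok and previous.get(k) is False)
    return regressed, remediated


def effectiveness(rules, results):
    """Per-rule pass rate, the KPI a controls dashboard would trend over time."""
    kpi = {}
    for r in rules:
        outcomes = [ok for (rid, _), ok in results.items() if rid == r.rule_id]
        kpi[r.rule_id] = round(sum(outcomes) / len(outcomes), 2) if outcomes else None
    return kpi


def framework_gaps(rules, results):
    """Mapped framework requirements that have at least one failing control."""
    failing = {rid for (rid, _), ok in results.items() if not ok}
    return sorted(set().union(*(r.frameworks for r in rules if r.rule_id in failing)))


if __name__ == "__main__":
    prev, cur = evaluate(RULES, SNAPSHOT_PREVIOUS), evaluate(RULES, SNAPSHOT_CURRENT)
    print("exceptions:", exceptions(cur))
    print("drift (regressed, remediated):", drift(prev, cur))
    print("effectiveness:", effectiveness(RULES, cur))
    print("framework gaps:", framework_gaps(RULES, cur))
```

On the current snapshot the run reports three exceptions, all regressions from the previous run, and shows which mapped requirements are now unmet. In a real deployment the snapshot would be pulled from the scanner or CMDB API on a schedule and the results pushed into the GRC platform, with the rule set versioned and owned as a governed artifact rather than edited ad hoc.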

Continuous Compliance Program Stakeholders 

A continuous controls monitoring program requires investment from stakeholders, but not necessarily equal investment across the organization. Figure 1 highlights some of the stakeholders that should be involved in this type of program, and their overall alignment in terms of risk and value. 

Figure 1: Continuous Controls Monitoring Requires Focus from Key Stakeholders

| Focus area / Stakeholder | CIO | Chief Risk Officer/Chief Compliance Officer | Chief Financial Officer/Controller | Internal Audit Director | Business Process Owners |
|---|---|---|---|---|---|
| RISK FOCUS | | | | | |
| Enterprise risk management | IT risk | Business risk | Financial risk | Control risk | Business process risk |
| Regulatory compliance | Compliance with IT standards | Overall compliance | Sarbanes-Oxley (SOX)/financial statement | Overall compliance | Impact on my business process |
| Audit/compliance scope | IT controls | Efficiency and effectiveness | External audit/external auditor reliance | Internal audit | Impact on my business process |
| Controls monitoring | Controls dashboard | Compliance dashboard | Compliance and controls dashboard | Compliance and controls dashboard | Compliance dashboard |
| VALUE FOCUS | | | | | |
| Process and control effectiveness | IT controls | Risk management controls | Financial statement controls | Overall controls effectiveness | Business process controls |
| Cost of compliance (e.g., SOX 404) | Manual vs. automated controls | Regulatory compliance | Assurance and coverage levels | Assurance and coverage levels | Impact on my business process |
| Business case/return on investment (ROI) | IT investment | Overall investment/redeploying resources | Overall investment | Redeploying resources | Operational impact |
| Business performance monitoring/decision support | Controls dashboard | Compliance dashboard | Compliance and controls dashboard | Compliance and controls dashboard | Compliance dashboard |

Key: in the original figure each cell is shaded as Primary Focus, Secondary Focus or Affected Stakeholder; that shading is not reproduced in this text rendering.

Source: IANS, 2021


Continuous Compliance and Controls Architecture 

Functional design of a continuous compliance and controls monitoring program requires that organizations put some work up front into the governance of controls analysis tools. This means they must: 

  • Determine ownership of controls analysis rules, including their design, maintenance and access. 
  • Determine how best to structure analysis rules, based on your business objectives. 
  • Determine the degree of analysis rule standardization required across the enterprise. Some organizations require more standardization than others. 
  • Determine how to manage analysis rules across multiple CCM instances (if applicable).


Continuous Compliance Challenges 

Organizations face a number of known challenges when implementing continuous compliance controls and solutions. Two of the most common are: 

  • Data acquisition. It’s critical to start planning for data acquisition and management up front by: 
    • Identifying systems to be queried for controls data. 
    • Determining how to populate non-automated data into tools and dashboards. 
  • Governance. This can be another sticking point if not organized and coordinated early. It’s important to: 
    • Start early: Involve business units, as well as internal and external auditors early in the process as needed. 
    • Tune the monitoring: For exceptions that are known and documented, adjust the thresholds in the controls monitoring solution so they do not generate repeated alerts. 
    • Build an efficient exceptions process: Limit exceptions being routed to stakeholders and maintain a consistent process for exception response handling.
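The exception-process points above, as an added example (not from the page's author or from any tool named here): a Python filter that applies time-bound risk acceptances, per-control routing thresholds and consolidation to a constructed set of raw exceptions, so that each stakeholder receives one work item per owner and control rather than one alert per asset, and an acceptance that expires automatically puts its exception back in front of the owner. The control identifiers, owners, ticket references and dates are assumptions.

```python
"""Exception handling for a controls-monitoring feed: suppress documented,
unexpired risk acceptances, apply per-control routing thresholds and
consolidate what remains into one work item per owner and control.

Added example: the exceptions, acceptances and thresholds are constructed
and are not output from any product named on this page.
"""
from collections import defaultdict
from datetime import date

# Constructed raw exceptions as a CCM engine would emit them, one per control/asset.
RAW_EXCEPTIONS = [
    {"control": "AC-01", "asset": "web01", "owner": "IAM team"},
    {"control": "VM-01", "asset": "db01", "owner": "Vuln mgmt"},
    {"control": "VM-01", "asset": "app02", "owner": "Vuln mgmt"},
    {"control": "VM-01", "asset": "app03", "owner": "Vuln mgmt"},
    {"control": "NS-01", "asset": "legacy01", "owner": "Network team"},
    {"control": "LG-01", "asset": "web01", "owner": "SecOps"},
]

# Documented, time-bound risk acceptances (constructed). An expired acceptance
# no longer suppresses anything, so the exception resurfaces automatically.
ACCEPTED = [
    {"control": "NS-01", "asset": "legacy01", "expires": "2022-03-31", "ticket": "RISK-118"},
    {"control": "LG-01", "asset": "web01", "expires": "2021-09-30", "ticket": "RISK-097"},
]

# Per-control thresholds: route a control's exceptions only once this many assets
# fail it. A threshold of 1 routes on any single failure.
THRESHOLDS = {
    "AC-01": 1,
    "VM-01": 3,   # one or two stale hosts are absorbed by the normal patch cadence
    "NS-01": 1,
    "LG-01": 5,
}


def suppress_accepted(exceptions, accepted, today):
    """Drop exceptions covered by an unexpired acceptance; keep expired ones."""
    as_of = date.fromisoformat(today)
    live = {(a["control"], a["asset"]) for a in accepted
            if date.fromisoformat(a["expires"]) >= as_of}
    return [e for e in exceptions if (e["control"], e["asset"]) not in live]


def apply_thresholds(exceptions, thresholds):
    """Keep a control's exceptions only when their count reaches its threshold."""
    by_control = defaultdict(list)
    for e in exceptions:
        by_control[e["control"]].append(e)
    kept = []
    for control, items in by_control.items():
        if len(items) >= thresholds.get(control, 1):
            kept.extend(items)
    return kept


def consolidate(exceptions):
    """One work item per (owner, control) so a stakeholder is not paged per asset."""
    grouped = defaultdict(list)
    for e in exceptions:
        grouped[(e["owner"], e["control"])].append(e["asset"])
    return {key: sorted(assets) for key, assets in grouped.items()}


def route(exceptions, accepted, thresholds, today):
    """Full pipeline: suppress accepted -> apply thresholds -> consolidate."""
    return consolidate(apply_thresholds(suppress_accepted(exceptions, accepted, today), thresholds))


if __name__ == "__main__":
    for day in ("2021-10-19", "2022-04-01"):
        print(day, route(RAW_EXCEPTIONS, ACCEPTED, THRESHOLDS, day))
```

Run on the page's publication date, six raw exceptions collapse to two work items (the accepted NS-01 finding is suppressed and the lone LG-01 finding sits below its threshold); run after the NS-01 acceptance expires, that finding is routed again to the network team without anyone having to remember the expiry.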

Continuous Controls Guidance 

A continuous controls monitoring model will greatly facilitate a continuous compliance program that works in alignment with existing regulation mapping and GRC tools. While some organizations choose to build this themselves, depending on your organization’s needs and available resources, acquiring an on-premises or cloud-based solution that includes data ingestion, monitoring and reporting/metrics may be a viable option. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice. 
