Your Challenge
- Most organizations spend between 25 and 40 percent of their security budget on compliance-related activities.
- Despite this growing investment in compliance, only 28% of organizations believe that government regulations help them improve cybersecurity.
- The cost of complying with cybersecurity and data protection requirements has risen to the point where 58% of companies see compliance costs as barriers to entering new markets.
- However, recent reports suggest that while compliance costs are rising, the cost of non-compliance is almost three times greater.
Our Advice
Critical Insight
- Test once, attest many. A single control framework lets one test of a control produce evidence for every compliance obligation mapped to that control.
- Choose your own conformance adventure. Conformance levels allow your organization to make informed business decisions on how compliance resources will be allocated.
- Put the horse before the cart. Take charge of your audit costs by preparing test scripts and evidence repositories in advance.
Impact and Result
- Reduce complexity within the control environment by using a single framework to align multiple compliance regimes.
- Provide senior management with a structured framework for making business decisions on allocating costs and effort to cybersecurity and data protection compliance obligations.
- Reduce the cost and effort of managing IT audits through planning and preparation.
Guided Implementations
This guided implementation is a nine-call advisory process.
Guided Implementation #1 - Establish program
Call #1 - Scope requirements, objectives, and your specific challenges.
Guided Implementation #2 - Identify obligations
Call #1 - Establish framework and roles.
Call #2 - Identify operational environments.
Guided Implementation #3 - Implement compliance strategy
Call #1 - Identify compliance obligations and conformance levels.
Call #2 - Map obligations into control framework.
Guided Implementation #4 - Verify
Call #1 - Review policies and strategy.
Call #2 - Develop test scripts.
Guided Implementation #5 - Track and report
Call #1 - Track status and exceptions.
Call #2 - Report on program status.
Book Your Workshop
Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.
Module 1: Establish the Program
The Purpose
- Establish the security compliance management program.
Key Benefits Achieved
- Reviewing and adopting an information security control framework.
- Understanding and establishing roles and responsibilities for security compliance management.
- Identifying and scoping operational environments for applicable compliance obligations.
| Activity | Output |
|---|---|
| Review the business context. | |
| Review the Info-Tech security control framework. | |
| Establish roles and responsibilities. | RACI matrix |
| Define operational environments. | Environments list and definitions |
Module 2: Identify Obligations
The Purpose
- Identify security and data protection compliance obligations.
Key Benefits Achieved
- Identifying the security compliance obligations that apply to your organization.
- Documenting obligations and obtaining direction from management on conformance levels.
- Mapping compliance obligation requirements into your control framework.
| Activity | Output |
|---|---|
| Identify relevant security and data protection compliance obligations. | List of compliance obligations |
| Develop conformance level recommendations. | Completed Conformance Level Approval forms |
| Map compliance obligations into control framework. | (Optional) Mapped compliance obligations |
| Develop process for operationalizing identification activities. | (Optional) Identification process diagram |
Module 3: Implement Compliance Strategy
The Purpose
- Understand how to build a compliance strategy.
Key Benefits Achieved
- Updating security policies and other control design documents to reflect required controls.
- Aligning your compliance obligations with your information security strategy.
| Activity | Output |
|---|---|
| Review state of information security policies. | |
| Recommend updates to policies to address control requirements. | Recommendations and plan for updates to information security policies |
| Review information security strategy. | |
| Identify alignment points between compliance obligations and information security strategy. | |
| Develop compliance exception process and forms. | Compliance exception forms |
Module 4: Track and Report
The Purpose
- Track the status of your compliance program.
Key Benefits Achieved
- Tracking the status of your compliance obligations.
- Managing exceptions to compliance requirements.
- Reporting on the compliance management program to senior stakeholders.
| Activity | Output |
|---|---|
| Define process and forms for self-attestation. | Self-attestation forms |
| Develop audit test scripts for selected controls. | Completed test scripts for selected controls |
| Review process and entity control types. | |
| Develop self-assessment process. | Self-assessment process |
| Integrate compliance management with risk register. | |
| Develop metrics and reporting process. | Reporting process; recommended metrics |