Are Regulations and Compliance Better With Cloud?
When considering external (cloud) providers that may offer more maturity in security and reporting, organizations must think about developing a complete plan outlining compliance and regulatory requirements in a constantly shifting landscape.
Many organizations have a standing audit and review group or toolset that is capable of tracking and reporting on compliance and obligations, but these are generally restricted to “what we touch, we can report on.” The model is changing. There are more opportunities to leverage external providers, allowing for more robust platforms, better usage of resources, and expansion of the environment, providing the customers with greater access and reliability. How do I know if this is the right choice for me, or if it should even be a consideration?
The Externalization Opportunity
Compliance and regulations will always be a moving target. The push is generally associated with an unexpected risk, or a legacy control that wasn’t sufficient. When you own the environment, it is often easier to validate a review.
What I mean by this is that you should have existing controls for internal operations. There should be a well-documented, well-managed, and monitored process and implementation. As needs change, are your requirements changing? Do you have the ability to enhance controls? Can you scale to deliver compliance and still maintain your customers’/users’ expectations?
This is the point where we need to consider the cloud. Internal processes and environments are generally easy to report and monitor, but may not allow you the scalability to plan for future concerns. Even if the environment is scalable, are your resources? What would it take for you to design, implement, support, and deliver? Do you have the resources, time, location, and ability to provide for tomorrow?
We are all familiar with some of the basics (HIPAA, PCI-DSS, SOX, NIST, etc.), but we also have obligations to our customers and end users. Are we keeping ahead of the curve and their expectations? Do we have the skills and maturity to meet these requirements? Can we sufficiently report, based on their needs?
The Other Considerations
Let’s consider the following questions:
- Are we currently able to meet our requirements today?
- Are our controls for internal environments sufficient?
Over time the answer may be no. The consideration now should be: does the move to cloud allow us to level set our baseline?
When documenting our current environment and designing towards our needs, we often realize that we are not compliant and mature in the way that we should be. There are gaps. This requires time and resources, and often those are in short supply. What we need to consider is how we can provide the controls that auditors/customers/users require and expect.
The process for compliance planning does not need to be onerous, especially with help from Info-Tech’s solid planning tools. With the right people involved and enough time invested, developing an SWP will be easier than first thought and time will be well spent. Leverage Info-Tech’s client-tested 9-step process to build a strategic workforce plan:
- Assess the need.
- Assess your resources.
- Identify the impact of internal and external controls.
- Identify the impact of externalization on your compliance obligations.
- Document your current controls (Are they complete? Are they consistent? Are they changing?)
- Consider new controls for the expanded environment.
- Document your obligations. (What do my customers expect? What do my users expect? What are my compliance obligations? Am I required or restricted to support these obligations internally?)
- Scope your growth. (Can we support our immediate and long-term goals by using the cloud? Does the cloud offer us services we can’t provide ourselves? Do we have the resources, time, and maturity to consider this move?)
- Track your changes. (Do we need to make significant changes to how we do business with this move? Is this a process change? Does it lock us into one provider? Can we migrate from this service to a different one? If we had to, could we support this service internally?)
The Bottom Line
This move to external providers isn’t new. We have been through this cycle before, and we can be sure that regulations are going to change. The constant need to innovate, to leverage resources doing more with less, is forcing us to consider the most efficient way to grow. Often, the fastest way to get there is to look outside of your organization to cloud-based services, which are often more mature and functional than internal resources can be. Leverage commoditized services, while taking advantage of existing differentiators that enhance delivery, and grow your customer base.