All too often, we “check the box” and address the bare minimum when it comes to IT Controls just to satisfy certain requirements, laws, regulations, or audit findings. We do this for various reasons – limited time and resources, lack of IT knowledge/background, the constant battle of whether to address compliance or security while keeping operations going, etc.
Dedicating your organization to a streamlined approach to IT Controls can actually save time, create efficiencies, and promote an overall more effective control environment.
Let’s look at an example – a small hosting company is required to provide a SOC 1 report to several of its customers. This company accepts credit card payments and stores the card data for recurring payments. At a minimum, this is a company that needs to show it has sufficient IT General Controls at the entity level and with regard to Change Management, Logical and Physical Security, and Backup/Recovery. This company must also meet the incredibly stringent requirements of the Payment Card Industry Data Security Standard (PCI DSS). And, since this hosting company presumably houses client data, aligning with NIST as much as possible from a security standpoint would be prudent.
WOW! That’s a lot! Meanwhile, resources are focused on the company’s operations, keeping data safe from a worst-case scenario (a major breach or disaster), and addressing the external auditor’s latest finding.
The juggling among security, operations, and compliance/controls will continue, but streamlining the controls will be invaluable to this organization.
If you’re starting from scratch, you’ve got a laundry list of issues to tackle…don’t do them one by one. Build a compliance matrix – list everything, from audit findings to the regulatory, legal, and contractual requirements you have to comply with. Categorize them using the appropriate framework for your organization. Develop control objectives for those areas/categories using the same frameworks. Then, evaluate your current processes/policies – do they sufficiently address the requirements? If not, develop specific controls that support your high-level control objectives.
If you know you have been checking the box (or your IT organization has), it’s time to streamline! Build a roadmap to rationalize those controls. More than likely, you have several controls addressing the same issue…you just have them in silos. Identify those areas of overlap and rationalize getting rid of some controls.
Streamlining leads to simplicity, which is just easier from a compliance standpoint. There will be fewer audit findings associated with controls because the duplication and confusion have been reduced or eliminated. With an increased level of compliance comes a strong overall control environment, which is what every organization wants and needs, both for increased accuracy of financials and other data and for increased security. So, don’t just “check the box” to say you meet requirements for the sake of meeting them. Your organization will benefit greatly.
Through our Dryve Compliance services, we can evaluate your organization’s environment for streamlining opportunities to meet IT compliance requirements efficiently and effectively. Contact us at firstname.lastname@example.org