Multiple Industries | Multiple Frameworks
When all your clients come from the same industry, you can expect that their Information Security requirements will be similar. But when your clients represent different verticals, security compliance becomes more challenging. Modifying your Information Security Program to support multiple cybersecurity frameworks can be overwhelming—especially for smaller organizations.
Cybersecurity Frameworks | Alphabet Soup
You are likely familiar with the names of the cybersecurity frameworks that your clients will request (HIPAA Security Rule, PCI DSS, SOC 2, NIST CSF, CIS v7, FIPS, FISMA, and ISO 27001). But, are you confident that your team knows how to deliver the requirements? The frameworks are different—but not totally different. Some frameworks overlap, while others don’t. Our Marketing Research customers have found that an ISO 27001 certification is the most widely accepted cybersecurity standard. So, while some clients will require a specific framework, most will be happy knowing that you have professionally audited ISO 27001 controls in place.
Tracking Your Progress
For years, compliance teams managing information security programs used spreadsheets to track tasks, owners, and deadlines. Now, dynamic, cloud-based portals are quickly replacing Excel as the platform of choice for monitoring activities, implementing controls, and improving team collaboration. These SaaS platforms make it easy for project managers to centralize the data required to produce live dashboards and detailed compliance reports. The Ezentria ComplyWise Portal (powered-by Apptega) allows our clients to organize, update, and share their compliance activities effortlessly with teammates and auditors. The ComplyWise Portal becomes the system-of-record for tasks, policies, procedures, and controls used throughout the certification process.
Ezentria ComplyWise is a flexible process for helping organizations comply with industry standards, government regulations, and privacy laws. We will help you select and load the most appropriate framework for your Information Security Program into the ComplyWise Portal. Each framework has its own set of controls and sub-controls that need to be reviewed, assigned, and completed to prepare your organization for a third-party audit. You may choose to accomplish those tasks on your own or with the assistance of Ezentria. Either way, everything is entered in the portal, so team members, management, and your auditor will be able to track your progress easily. Depending on the framework chosen, this process can take six to twelve months.
Managing Multiple Frameworks
The Ezentria ComplyWise Portal supports multiple cybersecurity or privacy (GDPR, HIPAA Privacy Rule, CCPA, etc.) frameworks simultaneously. You can choose to manage the frameworks separately or together in a single, cohesive Information Security Program. Managing a unified framework is over 50% more efficient to operate than multiple individual frameworks when considering time, effort, and resources.
With Harmony Intelligent Framework Mapping, you can:
- Combine an unlimited number of frameworks, controls, and subcontrols
- Build dashboards to view the status of your entire Information Security Program
- Produce one-click reports for both the unified program or the individual framework
- Uncouple the frameworks and retain the shared data in the stand-alone frameworks
To better understand how this works, let’s look at a “Harmonized” multi-framework dashboard in the ComplyWise Portal (enlarge screenshot). In this example, an ISO 27001-certified organization has received a new client requirement to attest to the SOC 2 Trust Service Criteria for security. When the team uses Harmony to unify its current ISO 27001 framework with the new SOC 2 requirements, the combined dashboard immediately reflects the overlaps and gaps between the two frameworks. The “overlaps” show where the existing ISO 27001 controls meet the SOC 2 requirements, and the “gaps” show where the team has a little work to do.
In this example, you will see that the controls requiring the most work are Identity and Access Management (35.1% complete) and Configuration & Change Management (58% complete). They will also need to review and improve the controls for Application Security, Incident Response, Endpoint Security, and Risk Management before preparing for their SOC 2 internal audit.
Once you pass your audit and achieve your initial certification or attestation, your portal will help you keep an eye on your frameworks and Information Security Program. As incidents test your defenses, proactive adjustments to your controls and procedures continually mature your program. Keeping the portal up to date with the changes will simplify your quarterly and annual information security management reviews and future re-certifications.
Compliance Portal Benefits
Once you get your compliance portal populated with some data, you’ll begin to discover benefits that weren’t initially obvious. Whether you are just starting your compliance journey or maturing your current information security program, moving from spreadsheets to a shared, cloud-based repository will help you organize, track, and visualize your risks, progress, and goals. Here are some ways organizations are streamlining their compliance programs and getting the most out of a portal:
Understanding Framework Requirements
The portal contains the most common cybersecurity and privacy standards. If you not familiar with a framework, you can examine the required controls (and sub-controls) and explore the documentation.
For each control and sub-control, you can create and assign associated activities to team members. The task can include attachments, action items, notes, comments, and priority. During the workflow, task owners can add content, provide feedback, and collaborate with others.
Reporting is the most used feature of a compliance portal. With one click, you can export summary or full program reports directly to Word, Excel, or PowerPoint for managers, executives, and auditors.
Linking to Policies and Procedures
For collaboration and tracking document revisions, our clients typically store their policies and procedures in Microsoft SharePoint. The compliance portal is a great place to organize the SharePoint links and associated them with the appropriate control in your Information Security Program.
Tracking Information Security Expenses
The portal allows you to establish a budget for a program or framework and allocate the budget to controls and sub-controls. You can even include a vendor name and any applicable notes.
Leveraging Real-time Connectors
For truly dynamic dashboards, cloud-based portals can integrate with live feeds from other security tools. If you had a security control that required a scheduled activity (i.e., a vulnerability scan), a connector would allow the portal to receive the daily scan results directly from the tool in real-time.
Asking for Help
For Ezentria ComplyWise clients, users can reach out to their assigned consultant for assistance with frameworks, controls, reporting, or activity workflows—right from within the portal.
Client information security requirements will vary significantly from industry to industry, and sometimes within an industry. To prepare for (or avoid) the inevitable second or third cybersecurity framework, migrating your Information Security Program spreadsheets to a SaaS compliance portal will give you the flexibility to pivot and respond quickly to client inquiries. With any luck, your existing information security investments will apply to the new client requirements. But, if they don’t, the portal will help you better understand the gaps you have to fill.
You don’t have to be a large organization to benefit from a cloud-based compliance portal. Ezentria offers packages with and without our framework consulting services. So if you prefer a DIY Information Security Program, Ezentria ComplyWise can help you avoid static spreadsheets and get you started with a dynamic compliance portal.
Our next post in this newsletter will be in January. Until then, be safe and secure.