Risk Based Compliance Management

Compliance means conforming to a rule, such as a specification, policy, standard or law. Some compliance standards are generic, catering to organizations of all kinds and sizes (for example ISO 27001:2013 and NIST CSF), whereas others are industry specific, such as PCI-DSS, which caters to payment gateway providers. Adhering to a compliance standard ensures that best practices are adopted.

Organizations adopt compliance standards to improve their information security practices, because regulations mandate it, or both. In many cases, organizations adopt more than one standard, depending on the nature of their business and their geography.

Process

Typically, the process of adhering to a compliance standard includes the following steps.

  • Identifying the scope
  • Gap assessment
  • Implementation
  • Readiness review
  • Internal audit
  • External audit followed by certification*
  • Subsequent yearly audits

*Certification is not mandatory for certain compliances.

Compliance efforts are usually carried out manually, led by qualified subject matter experts (either internal audit teams or external consultants). Depending on the size of the company and its current cybersecurity practices, the whole process may take from several months to a year. Compliance is an ongoing process: even after certification, one must keep following the standard and be audited on a regular basis.

Each compliance standard has a well-defined set of information security controls, broadly categorized into three aspects:

  • People-related controls cater to onboarding, training, and empowering human resources in an organization as they carry out their roles and responsibilities.
  • Process-related controls cater to establishing, adopting, and implementing well-defined standard operating procedures for conducting business activities.
  • Technology-related controls cater to identifying relevant technical tools (whether purchased or built in house) and operating and maintaining them with the relevant secure configurations and measures in order to deliver business value to the stakeholders.

The crux of any compliance standard is to adopt tried and tested controls that ensure good cyber hygiene, and to do so optimally by following a risk-based approach.

Compliance management should not be merely a gap assessment against the controls.

Compliance Management

An ideal compliance management process would involve:

  • Continuously assessing risk across all the assets and processes that are in scope
  • Prioritizing mitigations based on the risks identified
  • Identifying the gaps against the standard
  • Applying the controls advocated by the standard where applicable

Iterate over the above process. By doing so, you de-risk the organization while at the same time achieving compliance.

Once compliance or certification is achieved, it is important to continue the practices established and to remain compliant at all times.

For regulations like GDPR there is no certification; instead, the organization needs to self-regulate and be able to demonstrate its preparedness at any given time.

Seconize – DeRisk Center

Seconize DeRisk Center is a risk and compliance management product that automates risk assessment across assets and applications, both in the cloud and on premises.

Given a specific standard and scope:

  • It identifies all the risks across assets and applications, continuously
  • It automatically maps the issues identified to the technology controls in the standard
    • An extensible connector framework allows additional mappings to existing IT systems
  • Simplified workflows record the status of people- and process-related controls
  • It produces an overall audit report
  • Tasks can be assigned and their progress tracked

Seconize Generic Compliance Framework (GCF)

Typically, organizations comply with more than one regulation or standard. Auditing each one separately is resource intensive and not very productive.

The Seconize Generic Compliance Framework maps one standard to another. Once a standard like ISO 27001:2013 has been audited, its controls can be mapped to another standard like PCI-DSS, saving an enormous amount of time and effort.
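The cross-standard mapping described above, as an added illustration that is not Seconize's code and not any standard's official crosswalk: the control identifiers, the coverage table and the audit results are all constructed for this example. What it adds is the caveat a practitioner cares about when reusing one audit for another standard: mappings are rarely one-to-one, so the derived status should take the weakest mapped source control, cap partially mapped controls at "partial", and flag target controls that nothing in the source standard covers so they are assessed directly rather than silently assumed compliant.

```python
from enum import Enum


class Status(Enum):
    """Audit status of a single control, ordered from worst to best so the
    most conservative outcome of several mapped controls is simply min()."""
    NOT_IMPLEMENTED = 0
    NOT_ASSESSED = 1
    PARTIAL = 2
    IMPLEMENTED = 3


# Constructed crosswalk with hypothetical control IDs (not a real mapping):
# target control -> [(source control, coverage)], where coverage is "full"
# if the source control satisfies the target requirement outright, or
# "partial" if it only addresses part of that requirement.
CROSSWALK = {
    "PCI-REQ-A": [("ISO-CTRL-1", "full")],
    "PCI-REQ-B": [("ISO-CTRL-2", "partial")],
    "PCI-REQ-C": [("ISO-CTRL-3", "full"), ("ISO-CTRL-4", "full")],
    "PCI-REQ-D": [],                          # nothing in the source standard covers it
    "PCI-REQ-E": [("ISO-CTRL-5", "full")],
}

# Constructed results of the source-standard audit.
SOURCE_AUDIT = {
    "ISO-CTRL-1": Status.IMPLEMENTED,
    "ISO-CTRL-2": Status.IMPLEMENTED,
    "ISO-CTRL-3": Status.IMPLEMENTED,
    "ISO-CTRL-4": Status.NOT_IMPLEMENTED,
    # ISO-CTRL-5 was outside the scope of the source audit, so it has no entry
}


def effective_status(source_status, coverage):
    """A partially mapped control can never contribute more than PARTIAL."""
    if coverage == "partial" and source_status is Status.IMPLEMENTED:
        return Status.PARTIAL
    return source_status


def derive_target_status(crosswalk, source_audit):
    """Derive the target standard's control statuses from the source audit.

    Deliberately conservative rules:
      * a target control with no mapping is NOT_ASSESSED and must be audited directly;
      * otherwise the result is the worst effective status among its mapped sources,
        and a source control the audit never covered counts as NOT_ASSESSED, not a pass.
    """
    derived = {}
    for target, mappings in crosswalk.items():
        if not mappings:
            derived[target] = Status.NOT_ASSESSED
            continue
        statuses = [
            effective_status(source_audit.get(src, Status.NOT_ASSESSED), cov)
            for src, cov in mappings
        ]
        derived[target] = min(statuses, key=lambda s: s.value)
    return derived


def residual_work(derived):
    """Target controls that still need direct assessment or remediation
    before compliance with the target standard can be claimed."""
    return sorted(t for t, s in derived.items() if s is not Status.IMPLEMENTED)


if __name__ == "__main__":
    result = derive_target_status(CROSSWALK, SOURCE_AUDIT)
    for control, status in sorted(result.items()):
        print(f"{control}: {status.name}")
    print("needs direct assessment or remediation:", residual_work(result))
```

Run stand-alone, the script shows that only PCI-REQ-A inherits a clean pass from the ISO audit; the other four target controls land on the residual list, which is the list an auditor would work through rather than re-auditing the whole target standard.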

Seconize DeRisk Center supports the following regulations, compliance frameworks and standards.

  • ISO27001_2013
  • MAS_2013
  • GDPR
  • CIS_CSC_7_1
  • COBIT_5
  • PCI_DSS_3_2_1
  • OWASP_ASVS_4_0_1
  • NIST_CSF_1_1
  • NIST_SP_800_53_Rev_4
  • OWASP_TOP_TEN_2017
  • RBI_BANKING_2016
  • IRDAI
  • CISCO_PSB_1_0
  • CIS_AWS_1_3_0
  • CIS_Azure_1_1_0
  • CIS_GCP_1_0_0
  • CCM_3_0_1
  • SOC_2
  • OWASP_MOBILE_2016


Copyright © 2020 Seconize Technologies Pvt Ltd. All rights reserved.