Let’s say you just found out that you need to be compliant with HIPAA or PCI DSS in order to win a big piece of new business for your organization.
Whether it’s a potential customer, a partner, a regulatory body or government making the demand, business often can’t move forward without demonstrable compliance with certain frameworks. And these can be thorny, complex, and time-consuming to meet.
You’ve heard the horror stories about becoming compliant — it can take twice as long as expected to get all your requirements up to par; it can cost way more than budgeted; and sometimes organizations don’t pass an audit even after all that hard work.
So what do you do?
We know meeting compliance isn’t a walk in the park. But if you’re prepared, you can cut to the chase a lot faster, within budget, and with fewer hiccups along the way. In this post, we’ll share a framework you can follow so you can get on the fast track to compliance. While a lot of tasks are involved in meeting compliance, there are ways to gain efficiencies as you work to meet a broad range of requirements.
Ready to dive in?
1. Assign a Project Manager
With tight deadlines and a lot to do, someone needs to be in the driver’s seat overseeing and moving efforts forward. Otherwise, there is no accountability, no management, and no follow-through on critical tasks.
A compliance project requires the careful orchestration of your people, tools, and policies — and especially under a deadline, nothing can slip through the cracks.
Who should this be? The best person for the job depends on your organizational structure. Here are a few scenarios:
- Security/Compliance: If you already have a built-out security and/or compliance team, find out who has the most experience with the type of compliance in question and who is comfortable managing the process.
- IT/Operations: If you have little to no in-house compliance expertise, look to your IT or operations team for help. They should be up to speed on the various technologies and controls you have in place across the organization and may be the next best fit to understand and manage the project.
- Project Manager: That said, technical resources may not always be the best option to lead such an all-encompassing project. In some cases, you may want to assign an in-house project manager (or bring on a new project manager) who is well-versed in driving complex projects under a deadline.
- Consultant: If in-house resources are tight, your best bet is to look outside. Seek out consultants with expertise in the compliance framework you’re working with to see that the project goes off without a hitch. Just keep in mind that these resources won’t come cheap.
2. Understand What You Need To Do vs. What Your Cloud Provider Already Does
If you’re operating in the cloud, find out which controls your cloud provider already covers and which remain yours. If your business runs on AWS, the shared responsibility model is the reference point: it spells out what AWS handles so you can focus your effort on everything above that line.
As AWS puts it, AWS is responsible for security of the cloud and the customer is responsible for security in the cloud. In practice, AWS covers the compliance of its global infrastructure (the facilities, hardware, and networking its services run on), while you remain responsible for what you build on top of it, including:
- Identity and access management tools and processes
- Operating systems (hardening, patching, and configuration of the instances you run)
- Firewall configurations (security groups, network ACLs, and host-based firewalls)
Keep in mind that the line moves with the service: managed services shift more of the stack to AWS, so confirm the split for each service in scope rather than assuming one answer for the whole account.
In The Impact of the Cloud’s Shared Responsibility Model on Compliance, we explain more on the impact of the shared responsibility model when it comes to compliance.
3. Find Out How Far You Need To Take It
Perfect is the enemy of good when it comes to compliance. Especially under a tight deadline, your goal is to be as compliant as you need to be to meet each requirement — no more than that. Many organizations get overwhelmed by the whole process and unnecessarily go above and beyond what’s required. That’s not to say you shouldn’t (especially if it protects your business from a security perspective), but when time is short, your focus needs to be on meeting what you need to and leaving the rest for later.
For example, PCI DSS Requirement 2 (which covers vendor-supplied defaults) states that, for wireless environments connected to the cardholder data environment or transmitting cardholder data, businesses must “Change ALL wireless vendor defaults at installation, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.”
Read it literally: the control asks you to change vendor defaults, not to design a complete password policy or credential-management system. When time is short, prioritize proving that no default keys, passwords, or community strings remain in use, and schedule the broader policy work afterward. One caveat: PCI DSS Requirement 8 sets its own minimum password and authentication parameters, so that broader policy is still on the list; the point is to satisfy each requirement as written rather than gold-plating the first one you reach.
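A concrete way to produce that evidence is to audit exported device configurations for the three things the requirement names. The script below is an added example, not Threat Stack code and not part of the original post; it runs over a constructed, Cisco-style config export, and the lists of "known defaults" are illustrative assumptions that you would populate from your own vendors' documentation.

```python
"""Audit network/wireless device config exports for vendor defaults.

Added example (not from the original post, not Threat Stack code). It checks
the three items PCI DSS Requirement 2 names for wireless vendor defaults:
default wireless encryption keys, default passwords, and default SNMP
community strings. The config syntax handled is Cisco-style; the default
values below are assumptions to be replaced with your vendors' real lists.
"""
import re

# Assumed default values (illustrative, not a standard list).
DEFAULT_SNMP_COMMUNITIES = {"public", "private"}
DEFAULT_PASSWORDS = {"admin", "password", "cisco", "1234", "default"}
DEFAULT_WEP_KEYS = {"0000000000", "1234567890"}

# Cisco-style line formats (assumed shape of the export).
SNMP_RE = re.compile(r"^\s*snmp-server community (\S+)", re.I)
# Matches "enable secret 5 <hash>", "username X [privilege N] password [0] <pw>".
PASSWORD_RE = re.compile(
    r"^\s*(?:enable |username \S+ (?:privilege \d+ )?)?"
    r"(?:password|secret)\s+(?:[0-9]\s+)?(\S+)",
    re.I,
)
# Matches "encryption key 1 size 40bit [0] <key> transmit-key".
WEP_RE = re.compile(r"^\s*encryption key \d+ size \S+ (?:[0-9]\s+)?(\S+)", re.I)


def audit_config(text):
    """Return (line_no, category, value) findings for one config export.

    Only plaintext values are compared; hashed or type-7 encoded secrets
    (e.g. "secret 5 $1$...") cannot be recognised as defaults by string
    comparison and need a separate check.
    """
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = SNMP_RE.match(line)
        if m and m.group(1).strip().lower() in DEFAULT_SNMP_COMMUNITIES:
            findings.append((n, "default-snmp-community", m.group(1)))
            continue
        m = WEP_RE.match(line)
        if m and m.group(1) in DEFAULT_WEP_KEYS:
            findings.append((n, "default-wireless-key", m.group(1)))
            continue
        m = PASSWORD_RE.match(line)
        if m and m.group(1).lower() in DEFAULT_PASSWORDS:
            findings.append((n, "default-password", m.group(1)))
    return findings


def is_compliant(text):
    """True when no vendor default was found in the export."""
    return not audit_config(text)


# Constructed sample export; not a real device.
SAMPLE_CONFIG = """\
hostname ap-lobby
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
username admin privilege 15 password 0 admin
snmp-server community public RO
snmp-server community s3cur3-r0-c0mmun1ty RO
dot11 ssid Guest
   authentication open
interface Dot11Radio0
 encryption key 1 size 40bit 0 1234567890 transmit-key
"""

if __name__ == "__main__":
    for line_no, category, value in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {category}: {value}")
    print("compliant" if is_compliant(SAMPLE_CONFIG) else "NOT compliant")
```

Run it against each exported config (or wire it into the job that already collects them) and keep the empty-findings output with the export as the audit artifact; the hashed-secret limitation noted in the docstring is why a plaintext default check should be paired with a review of how those secrets were set.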
4. Leverage Platforms, Not Tools, To Cover a Broad Range of Requirements
You could go line-by-line down the checklist of compliance requirements and purchase a unique tool or solution to satisfy each. But all that leaves you with is a library of tools you now need to implement, manage, and pay for. Many organizations find themselves saddled with a couple of dozen tools once compliance is all said and done and often lose time on a daily basis just managing and keeping up with the new set of tools.
Be efficient both now and in the future by finding solutions that meet a broad range of compliance requirements under one umbrella so you can mark off more checkboxes with fewer tools and in less time. This will also make managing compliance on a daily basis a whole lot easier with fewer tools to jump between, fewer boxes that beep, and fewer costs to justify.
When it comes to meeting PCI DSS, as an example, the Threat Stack platform provides controls and evidence that help satisfy:
- Requirement 6: Develop and maintain secure systems and applications
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Identify and authenticate access to system components
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
The same goes for many other compliance frameworks, like HIPAA and SOC 2.
Companies including MineralTree, Springbuk, and Twine Health were all able to fast-track their journeys to compliance using Threat Stack as a key part of their solution.
Taking the High Road to Compliance
With this framework in mind, you should be able to jump into action, knowing who to appoint as the head of the project, what you’re required to do, how far to take compliance, and how to leverage technology to make it all happen efficiently.
While compliance will always be a time-intensive project, taking the preceding steps can go a long way toward fast-tracking your journey, so you can get the green light and move business forward.
Need more support meeting compliance under a tight deadline? Download a copy of our free eBook: Fast-Tracking Compliance in the Cloud: A Guide to Meeting Customer Requirements Now