As organizations mature and grow, the security requirements placed on them by their customers evolve and grow. You may be in a large enterprise organization that has made the transition from a small or mid-market business, and during that transition your compliance or security requirements went from one or two security assessments to an endless alphabet soup of them: HITRUST, HIPAA, SOC 2, CSA STAR, ISO 27001, FedRAMP, PCI-DSS -- the list is endless, and as you expand into new markets it may continue to grow.
Whether this transition is obligated because a customer or potential customer is demanding it or you are one of the rare organizations that are proactively expanding your compliance programs to demonstrate security to customers, the process is grueling. Multiple security frameworks often result in a lot of time spent with third-party auditors.
At some organizations, there are multiple auditors each performing different assessments. This redundancy of assessments places an unnecessary burden on your teams and significantly disrupts their operations. For example, a senior engineer may be required to explain the change management process to three different auditors at three different times during a one-month timeframe because of your annual audit cycle. The hours your senior engineer spends with these auditors are hours they are not spending on the things that matter.
Depending on your organization, it may make sense to have different auditors for different frameworks or assessments and to perform these assessments at different times throughout the year. However, regardless of how you schedule the assessments, there is a proven model to reduce the audit fatigue your teams experience as you comply with multiple frameworks and standards.
Implementing a central control framework that is focused on the unique security of your organization is an effective way to reduce the operational disruption of your organization. Focusing on security first and mapping your security-focused controls to compliance frameworks will help you comply with several security certifications, standards and regulations. Most frameworks have the same underlying security principles with minor differences in how you produce evidence and how your auditors evaluate your environment.
This model has worked for many Fortune 100 organizations I advised in my past life as an auditor. Some of these organizations display their central or common controls framework publicly on their websites. This article is not a primer on how to develop a common controls framework because that is a task that is unique to every organization. There is no one-size-fits-all because these controls, to be effective, must be tailored to your technology stack and organizational needs.
However, I do want to outline the tangible benefits that you will experience after successfully implementing a common set of controls that is focused on security. Three of those benefits are described below:
Ease Communication With Internal Teams
The first benefit is easing communication with internal teams that enables them to focus on the control activity, not the compliance framework. Implementing a common framework is a project that will require an analysis of existing compliance frameworks or standards as well as an analysis of the current state of security controls or certifications in your organization. The output of this detailed analysis is a set of controls that aligns with your organization’s needs and technology.
A technique that has worked well for organizations is creating an internal control naming convention for their central control framework (e.g. ABC Company controls are ABC-01, ABC-02, etc.). This allows you to assign your teams a static set of controls aligned with their departments or specialties. Your development team will no longer be concerned with PCI requirement 13.XYZ or SOC 2 Trust Services Criteria CC2.XYZ; they can just focus on the internal control ID and, most importantly, the control activity.
When it comes time for your compliance assessment, whether that is SOC 2, ISO, or some other alphabet framework, your teams produce evidence and discuss the controls they are assigned. Let the compliance professionals (internal and external) focus on the compliance frameworks and let your teams focus on their specific security control activities.
Quickly Assess Yourself Against Future Frameworks
A central control framework is great to help guide you and your auditors through existing compliance assessments. This central framework can also allow you to easily identify any gaps with other frameworks that you may explore in the future. You can perform an analysis of your current control set against existing standards and avoid auditor fees for readiness assessments. This central framework gives you more control over understanding your current state and allows you to easily adapt and expand into different security certifications and requirements.
Onboard New Products or Acquisitions
As large enterprises grow, they expand their product portfolio with either organically grown new products or acquisitions. In either case, the organization has to ensure these new products or organizations are in alignment with the security expectations of the large enterprise.
A common controls framework helps with this onboarding process. These new services will have a set of controls to immediately adapt to and implement. This gives these new products a direction and clear guidance on how to be considered a secure product at your organization.
Another benefit of a mature common framework for these new services is that controls can be inherited across departments. As discussed earlier, each department is provided a central, static set of controls. As an example, the Human Resources department will have a set of security controls for onboarding and offboarding purposes (ABC-01 through ABC-10). These controls will be the same for every product or service line if your HR function is centralized, as it is at most large enterprises.
This allows your new products and services to focus on their product and not on building a compliant HR department or interfacing with the HR team to ensure they can comply with the latest industry standard.
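The mapping idea running through this article (internal ABC-NN control IDs mapped to framework requirements, per-team evidence requests, gap analysis against a framework you have not yet adopted, and controls a new product inherits from a centralized department) can be kept as a small data model. The following is an added illustration, not code from the article or from any GRC product; the control set and every requirement ID are constructed placeholders in the article's "13.XYZ" / "CC2.XYZ" style, not citations of real standards.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    cid: str                 # internal ID in the article's "ABC-NN" convention
    owner: str               # department that performs the control activity
    activity: str            # the activity the team is actually assessed on
    maps_to: dict = field(default_factory=dict)  # framework -> {requirement IDs}


# Constructed central control set; requirement IDs are placeholders only.
CCF = [
    Control("ABC-01", "HR", "Background check before access is granted",
            {"SOC2": {"CC1.XYZ"}, "ISO27001": {"A.X.1"}}),
    Control("ABC-02", "HR", "Access revoked within one business day of exit",
            {"SOC2": {"CC6.XYZ"}, "ISO27001": {"A.X.2"}, "HITRUST": {"HT-1"}}),
    Control("ABC-11", "Engineering", "Peer-reviewed, approved change before deploy",
            {"SOC2": {"CC2.XYZ"}, "PCI": {"13.XYZ"}}),
]


def controls_for(framework, requirement, ccf=CCF):
    """Internal control IDs an auditor is shown for one framework requirement."""
    return sorted(c.cid for c in ccf if requirement in c.maps_to.get(framework, set()))


def gap_analysis(framework, required_ids, ccf=CCF):
    """Requirements of a (possibly future) framework that no control maps to."""
    covered = set().union(*(c.maps_to.get(framework, set()) for c in ccf))
    return set(required_ids) - covered


def evidence_requests(framework, ccf=CCF):
    """Per-department list of internal controls in scope for one assessment."""
    out = {}
    for c in ccf:
        if framework in c.maps_to:
            out.setdefault(c.owner, []).append(c.cid)
    return out


def inherited_controls(department, ccf=CCF):
    """Controls a new product inherits unchanged from a centralized department."""
    return [c.cid for c in ccf if c.owner == department]
```

Teams only ever see the ABC IDs in `evidence_requests`, while `gap_analysis` is the readiness check against a framework before engaging an auditor.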
Conclusion
As your organization expands its compliance program into multiple frameworks, it is important to ensure this growth and evolution do not negatively impact your team and operators. Establishing a centralized control framework that is focused on security and the specific needs of your organization is a great first step to reduce the operational disruption your compliance processes are placing on your different departments and leaders.
AJ Yawn is a cloud security subject matter expert who possesses over nine years of senior information security experience and has extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers.
AJ spent over five years on active duty in the United States Army, earning the rank of Captain. AJ has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.
AJ graduated from Georgetown University with a Master of Science in Technology Management and from Florida State University with a Bachelor of Science in Social Science.