If you’re about to face a compliance audit, undergo an assessment, or produce an industry certification — and are doing so without much serious consideration for what it means to embody information security and data privacy throughout the organization — you are likely missing the forest for the trees. If the actions taken are solely about achieving certification and remain unclear and impractical from the intent of the regulatory requirements, what you don’t see can come back to haunt you.
By Bryan Cline, Ph.D., Chief Research Officer at HITRUST
Compliance isn’t supposed to be about ticking a bunch of checkboxes, which when “completed” represents a binary result: pass or fail. What may not be as clear, even by achieving compliance, is that you may still be left with substantial exposure to compliance risk.
In effect, by simply achieving the letter of compliance, you leave your company unnecessarily exposed to business risk: plain and simple. There is a residual risk in the continuum that falls between doing the bare minimum to address compliance requirements and doing what is actually needed to address the intent of the requirements: providing a reasonable level of due diligence and due care.
The Three Levels of Compliance Maturity
Achieving a risk score isn’t the solution. Neither is ticking a bunch of non-verifiable checkboxes. The correct solution involves moving beyond the binary state of the letter of compliance and, instead, striving to achieve compliance in a way that meets the intent of the regulations and standards. To get to the right solution, let’s first take a broad view at three levels of compliance maturity.
1. Zero visibility and disorganized control
At this level, businesses are subject to maximum unmitigated exposure. IT risk assessments are limited as most regulations are concerned with information security (more so than IT) and individual privacy, which information security supports. The business is likely stuck at this maturity level because there is an unclear association between compliance risk, information security risk, privacy risk, and business risk.
2. The letter of compliance is achieved
Organizations that reach this level recognize the connection between information risk and business risk but have minimum mitigations in place. At this level, compliance risk still exists as organizations have implemented an incomplete set of controls, and many times, those that have been implemented fail to meet the outcomes intended by the regulation — as interpreted by the regulator.
The drivers to achieve this level include the risk of fines, penalties, and loss of business. Many businesses choose to stop at this level because compliance is enough, and the self-assessments show everything is OK; after all, the letter of compliance was achieved.
3. Intent to protect is embodied throughout the organization
Those that reach this level have an understanding of risk and visibility into how it can affect the business. Furthermore, that risk is sufficiently mapped to business risk and paired with proactive controls and responses designed to meet the letter of compliance and support, with a clear and focused goal of keeping the company’s information safe, which is often the intent of information security and individual privacy regulations. The common drivers that cause organizations to reach this level often include direct experience with a breach, awareness of a breach at another company, or the loss of business due to an inability to articulate proactive risk management. Perhaps it’s time organizations don’t wait for one of these negative drivers to surface before taking action.
Achieving an Appropriate Level of Assurance
But even if you are following the spirit of compliance, you may not be able to adequately demonstrate compliance when a regulator comes knocking at your door. For example, self-assessments are generally less trustworthy than independent assessments and are almost always inflated due to a lack of understanding of the requirements and a desire to cross the finish line to pass an audit or close on new business.
Ultimately, though, compliance boils down to achieving an appropriate level of assurance:
- What level of assurance do you want to achieve?
- What level of assurance can you demonstrate?
- Can you demonstrate assurance to ALL stakeholders?
Then consider whether you have provided the level of assurance you want and that your stakeholders require. Have you gone beyond ticking the boxes of compliance, or is it just a charade?
The Three Dimensions of Intent-Driven Assurance
To answer these questions, we will explore the three dimensions of assurance and the attributes associated with each:
1. Suitability: The controls must manage risk to a level deemed acceptable by the organization, not just what is described in the regulation(s) you are managing to.
2. Impartiality: For both the letter of compliance and the intent of compliance, independent assessments are more trustworthy than a self-assessment, and help improve the level of assurance provided.
3. Rigor: The results must accurately reflect the organization’s information security posture as it relates to the regulatory requirements.
This story first appeared in the November 2020 issue of CISO MAG. To read the full story: Subscribe now!
About the Author
Dr. Bryan Cline provides thought leadership on risk management and compliance and develops the methodologies used in various components of the HITRUST ApproachTM. This includes a focus on the design of the HITRUST CSF® and the assessment and certification models used in the HITRUST CSF Assurance Program, for which he provides technical direction and oversight. He’s also responsible for addressing emerging trends impacting risk management and compliance to ensure the HITRUST Approach sets the bar for organizations seeking the most comprehensive privacy and security frameworks available. Dr. Cline is currently leading a joint public-private effort to update NIST Cybersecurity Framework implementation guidance for the health care sector, which will better support the use of NIST’s Online Informative References like the HITRUST CSF in organizational cybersecurity programs. He is also working with the FAIR Institute to integrate elements of their quantitative approach to risk analysis with HITRUST’s control-based risk management framework, which will allow organizations that use the framework to more easily communicate risk in business terms and better facilitate risk-based decision making. Dr. Cline previously served as HITRUST’s Vice President of Standards and Analysis.
Disclaimer
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.