Allocating Resources for a Compliance Audit: A Practical Framework

When companies prepare to meet compliance, whether it's PCI DSS, HIPAA, or SOC 2, one thing that is easy to misjudge is the set of stakeholders who need to be involved: who they are, which departments they come from within your organization, what their roles are, what knowledge and skills they require, how long they'll be needed, and so on. This post is intended as a practical guide to help you develop a thorough and realistic resource plan for your next compliance audit.

Making the Organizational Investment

Many companies underestimate the time and resources it takes to meet compliance. Assuming the compliance process will take just a few months and that it's a one-time project can leave you severely under-resourced and unprepared. In reality, becoming compliant often takes at least nine months, involves team members from across your organization, and costs tens of thousands of dollars or more. And, depending on your industry and company size, you may have to go through audits every year. So it's hardly a one-and-done process, and certainly not one to be taken lightly or to jump into unprepared.

Our best advice is to treat a compliance audit like a year-long product launch. Allocate resources as though your compliance project will generate income for your business, because it certainly can. This means assigning one or more dedicated project managers and involving people from a variety of departments, from security and compliance to HR and finance, as well as top-level executives.

The key to making sure you have the right resources is to educate leaders and stakeholders early on about the purpose of compliance, which in many cases means clarifying and emphasizing its role and value in growing your business. When everyone has bought into the importance of compliance early on, it's much easier to get people on board to do what is necessary for an audit (and to get an appropriate budget allocated).

Now, let’s take a look at who, exactly, needs to be on your compliance dream team, what their roles should be, and how to go about getting their buy-in.

Dedicated Project Manager

The first and most important thing you must do is appoint a dedicated project manager (or more than one, depending on the breadth of your compliance requirements). This person keeps the train on the tracks, so they need to be well-organized, detail-oriented, and not afraid to ask tough questions. They should also be well-versed in the company hierarchy, business objectives, and operating procedures, and, of course, in the rules and regulations you are trying to comply with.

HR

Next, you need to involve HR. They handle some of the company's most sensitive data (employee personal information) and need to understand the compliance principles and practices that will affect personnel and the way that information is handled.

Appoint an appropriate person in HR — someone who can help map current policies and procedures to new requirements and who also has the authority to implement changes. Make sure the head of HR understands and agrees to the length of time the person will be working on compliance, the extent of their commitment, the nature of their duties, and their deliverables.

Finance

Next, you need to bring in the finance department. This may be a matter of making sure the CFO understands why you are embarking on a compliance audit (again: hello, business opportunities). It also requires that you secure a budget to cover both the human resources (the staff hours of the people mentioned in this post) and the costs of the actual requirements (technology, assessments, audits, etc.). Companies can easily underestimate how expensive the audit itself will be, so be sure to also look at our Budgeting for a Compliance Audit: A Practical Framework.

Legal and Regulatory Affairs

This one may seem obvious, but if you have a legal and regulatory affairs division, they certainly need to be involved. Be sure they are brought in early and given a seat at the table, since (in theory at least) they should be the most knowledgeable people at your company when it comes to the ins and outs of compliance.

CSO or Head of Security

We’ve said it before: compliance is not security, and vice versa. That doesn’t mean you don’t want to involve your security team in the compliance process, however. Many areas of the two disciplines naturally overlap, and your security team can explain what protocols, practices, and tools are already in place that can help you meet certain requirements.

You don't need to involve the entire security team, but do bring in the team leader, whether that's a CSO, CISO, or security manager, and make sure they have a voice in the process. They can save you a lot of headaches because they know what the company has already put in place for vulnerability management, continuous monitoring, data encryption, privacy standards, and more, and which of those controls can be mapped directly to audit requirements.

IT

Finally, you want to involve the IT department. IT folks know more than almost anyone about what really goes on within your systems, networks, and applications on a day-to-day basis. They are there helping people implement secure passwords (no, you can’t use ABC123), troubleshooting computer issues (did you try turning it on?), performing backups, and undertaking all kinds of other activities that can impact your company’s compliance posture.

Bring IT leaders to the table to talk about employee workstation practices, application security concerns, technology implementation hurdles and opportunities, and so on. This will bring to light insecure or unsafe habits that employees have adopted in spite of your company's guidelines. It's better to know the reality internally (and quickly re-educate or course-correct) than to have an auditor surprise you with it down the road. IT can help you find and fix these red flags before the audit rather than have them show up as findings.

Develop a Project Communication Plan

Bringing the right people into the compliance process at the right time helps ensure that the whole company is in sync on the importance of meeting and maintaining compliance in support of business objectives. To get and keep your stakeholders, and everyone else with a need to know, properly informed, you'll need to create a project communication plan.

Broadly speaking, you need to communicate with two groups:

  1. Senior managers, stakeholders, and project participants; and
  2. The company’s employees

The first group needs to be informed about the project’s:

  • Purpose, objectives, and value
  • Required resources and budget
  • Issues and solutions
  • Schedule, milestones, and organizational changes or changes to policy and procedure that come about as a result of the project

Your broader audience — the company’s employees — needs to be kept in the picture as well. Because the compliance project will have some degree of impact on all levels of the company, they need to understand the project’s nature, objectives, and value as well as:

  • How it affects them
  • How they need to adhere to policies and procedures that support best practices or conform to compliance requirements

As appropriate, keep them informed about the project from start to end, and never simply impose changes without an explanation. Use a mix of communication media and vehicles, including the company intranet, email, text messages, progress reports, meetings, and training sessions, and schedule your communications at appropriate intervals (daily, weekly, monthly, and as needed).

The project communication plan can be a powerful tool you can use to:

  • Inform people about the compliance project and why it’s important
  • Obtain and maintain buy-in
  • Enable constructive feedback throughout the project
  • Communicate changes that come about as a result of the project
  • Train employees on new practices that are required to support compliance

Compliance Playbook

If you’d like to know more about the ins and outs of meeting PCI DSS and HIPAA Compliance in the cloud, download our newly released Compliance Playbook for Cloud Infrastructure.


Posts in the Compliance Series

Announcing Threat Stack’s Compliance Blog Post Series

How Compliance in the Cloud Can Strengthen Your Business

How Does Compliance Differ In The Cloud Versus On-Premise?

How to Reconcile Different Definitions of PCI DSS and HIPAA Compliance

Can You Afford NOT to be HIPAA Compliant?

Why You Need to be Compliant Much Sooner Than You Think

The Impact of the Cloud’s Shared Responsibility Model on Compliance

The Importance of Security Monitoring to Achieving Compliance in the Cloud

Budgeting for a Compliance Audit: A Practical Framework

File Integrity Monitoring and Its Place in Meeting Compliance

When is Good Enough Good Enough? Meeting Compliance Without Losing Your Mind