CUT THROUGH COMPLIANCE COMPLEXITY WITH CONSOLIDATED OBJECTIVES
A Publication of Reciprocity
www.reciprocitylabs.com
COMPLIANCE IS COMPLEX.

Organizations of all sizes and in all industries are wrestling to stay compliant with a growing number of regulations. Unfortunately, the burden of managing your compliance, and the penalties for not being compliant, only increase as your business expands. The requirements and controls in various regulatory frameworks often overlap, and differing schedules for updates or changes to these frameworks can make meeting all your governance requirements an exercise in duplicative work and wasted resources.

Agility in your compliance program makes you more responsive to changes in the regulatory environment and changes in your business, and helps maximize your investment in your compliance program. Automated tools can cut through the complexity, or at least make managing it less daunting, but one of the best ways to simplify your compliance program is to implement consolidated objectives.
Consolidated objectives are common requirements across regulatory frameworks.

While this approach involves a slightly higher up-front investment in time, the rewards win out in the long term: lower management overhead and better utilization of scarce resources more than make up for your time investment. Consolidating your compliance controls and objectives brings multiple benefits:

• Better visibility into your organization’s risk. Duplicate and overlapping controls can make it challenging to identify your compliance posture. A single, rationalized control gives you a better understanding of how well you’re mitigating the risks to your business.

• Increased agility and ability to respond to change. If you implement a company-wide change, say converting from single- to multi-factor authentication, you’ll waste time trying to catalog all the authentication-relevant systems, policies, and parts of your business. A consolidated objective dictating user authentication cuts through the confusion and clarifies expectations for everybody in the company.

• Stronger justification of your compliance budget. If your compliance program is overly complex and inefficient due to the use of multiple spreadsheets, annual budget discussions with the higher-ups aren’t going to go very well. Being able to highlight your fiduciary aptitude will make your team look better, and makes it easier to justify requests for additional budget when you genuinely need more resources.
WHAT ARE CONSOLIDATED OBJECTIVES AND WHY DO YOU NEED THEM?

Many compliance and GRC tools offer a set of consolidated objectives, which help you jumpstart your efforts to meet multiple compliance programs. Rather than trying to figure out how much of your ISO 27001 work overlaps with the PCI requirements, these tools do the work for you. You’ll be able to save time and money up front, and manage your compliance program with less hassle in the long run by being able to better prioritize your work and focus your efforts in areas where you have gaps. The net result is that your compliance program can be a business enabler rather than a roadblock.

Take for example password complexity requirements. Virtually all infosecurity compliance frameworks require that you implement measures to authenticate your users, and most mandate some form of password strength and complexity. If you have three compliance programs, why implement three separate password controls? That’s 3X the work for the same outcome!

Instead of doing your work in triplicate, you can create and implement a single company-wide control dictating password length and complexity requirements, then map that to the various compliance programs you’ve put in place. Using the consolidated objectives, the benefit of the work required to design and implement this single control is multiplied across every program it maps to, boosting your efficiency.
“Taking a step back and looking at an organization’s big picture data model is often the difference between a successful and an unsuccessful technology-enabled GRC Program Deployment. The ability to take multiple disparate subsets of compliance requirements, policies, standards and procedures, and integrate them into a centralized and integrated framework - enabled by GRC Technology - is the linchpin of Compliance Management. In today’s day and age, minimizing cost of compliance is no longer a nice-to-have. The ability to 'test once and apply to many' is now the new standard in Compliance.”
-- Kevin Berman, Partner - GRC Strategy and Enablement at Edgile
HOW CONSOLIDATED CONTENT REDUCES COMPLIANCE COMPLEXITY

No information security or compliance program ever has a surplus of staff or budget. Doing more with less is both an art and a science, and turning overlapping requirements to your advantage can make your job easier and give you a competitive advantage. Spending time and money creating duplicative controls isn’t anyone’s idea of good business practice, yet it’s easy to fall into that trap. The ability to reuse your efforts in compliance gives you more flexibility and lets you stretch your compliance budget further. This in turn lets you invest your limited compliance resources more intelligently to mitigate and manage your company’s risks.

Consolidated objectives can also help you cut through complexity in your business processes, and turn your compliance program into a driver of positive business change. Here’s an example. Most compliance frameworks require you to perform certain HR tasks like background checks. Rather than a messy web of compliance programs driving different HR processes, a single HR-defined background check process can be mapped across multiple compliance objectives. This simplifies the strategic management of your HR efforts, and helps you meet diverse requirements across compliance frameworks such as ISO 27001, PCI, and FedRAMP.
A common affliction in the compliance world, “audit fatigue” results when the auditing process becomes so burdensome and repetitive that your team resents it and may even ignore requests for corrective action.

Harmonizing an HR process might not seem like an obvious driver of business efficiency, but by understanding how HR processes support multiple compliance programs, you can reduce audit fatigue in the HR department. Gathering evidence of effective background checks can be done once, and that evidence reused when you undergo audits against your various compliance frameworks. Your HR department will thank you when they are asked for evidence only once a year instead of four times when your PCI, ISO, FedRAMP, and SOC 2 auditors come to visit!
READY TO TAKE ADVANTAGE OF CONSOLIDATED OBJECTIVES?

Many companies spend valuable time and resources struggling with a compliance burden that continues to grow in both complexity and size, using a disjointed combination of spreadsheets, emails, documents, and manual processes. You can manage more efficiently and cut out the complexity by choosing the right compliance software.

Look for a tool that makes it easy to identify overlapping content among frameworks. For example, ZenGRC's standardized content hierarchy, the structure of compliance frameworks within the tool, makes it easy to translate between frameworks and leverage work done in one framework to meet other compliance requirements.
“Enterprises are shifting more and more IT to the cloud, either by switching to cloud infrastructure and away from data centers, or by directly procuring cloud-based software solutions where data and services are more vendor responsibilities. Compliance questionnaires and reports are the vehicles by which vendors satisfy enterprise security requirements. Therefore, new demands are being placed on both vendors and enterprises to manage and communicate their compliance programs. Compliance management has become as important as Agile or DevOps. Modern tools and methodologies are sorely needed.”
-- David Bernstein, CEO and Founder of Cloud Strategy Partners
THREE THINGS YOU SHOULD LOOK FOR IN A GRC TOOL TO HELP YOU ACHIEVE GREATER EFFICIENCY WITH CONSOLIDATED OBJECTIVES

1. Relational modeling: Your GRC tool needs to make it easy for you to establish and visualize the relationship between your controls and consolidated objectives. Identifying the commonality between frameworks helps you supercharge your compliance efficiency.

2. Reusability: A compliance tool should let you test once, use many times. If you have a single password control that satisfies objectives in multiple compliance frameworks, any testing you do on that control should be reusable in audits of all objectives it satisfies, regardless of the framework.

3. Reduced effort required for compliance: Consolidating objectives across multiple frameworks is part of the work, but writing the controls you need to achieve those objectives is really where your compliance team needs to focus. A tool should give you the ability to highlight those objectives which are not covered by your existing controls, allowing you to focus your resources on these high priority areas.
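The three capabilities above reduce to a small relational model: controls mapped to objectives across frameworks, one test result reused wherever the control maps, and a gap list of unmapped objectives. The following is an added illustration, not code from Reciprocity or ZenGRC; the framework names follow the ebook, while the objective identifiers and the control name are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Objective:
    framework: str  # framework the requirement belongs to (names as used in the ebook)
    ident: str      # constructed identifier for the requirement within that framework


@dataclass
class Control:
    name: str
    objectives: frozenset               # consolidated objectives this one control satisfies
    test_passed: Optional[bool] = None  # result of the single test of this control, if tested


def objectives_covered(controls):
    """Every objective that at least one control maps to (the relational model)."""
    covered = set()
    for control in controls:
        covered |= control.objectives
    return covered


def coverage_gaps(scope, controls):
    """Objectives in scope that no control maps to: the high-priority areas to focus on."""
    return sorted(scope - objectives_covered(controls), key=lambda o: (o.framework, o.ident))


def frameworks_satisfied(control):
    """Frameworks in which the control's single test result can be reused as audit evidence."""
    return sorted({o.framework for o in control.objectives})


def evidence_for(control, framework):
    """'Test once, use many': the same result serves any framework the control maps to.
    Returns None when the control satisfies nothing in that framework."""
    if framework not in frameworks_satisfied(control):
        return None
    return control.test_passed


# Constructed scope: each framework has a password objective and a background-check
# objective; PCI additionally has a log-retention objective that no control addresses yet.
FRAMEWORKS = ("PCI", "ISO 27001", "SOC 2")
SCOPE = {Objective(f, "password-strength") for f in FRAMEWORKS}
SCOPE |= {Objective(f, "background-check") for f in FRAMEWORKS}
SCOPE.add(Objective("PCI", "log-retention"))

PASSWORD_CONTROL = Control(
    "Company-wide password length and complexity policy",
    frozenset(Objective(f, "password-strength") for f in FRAMEWORKS),
    test_passed=True,  # tested once; reused for the PCI, ISO 27001 and SOC 2 audits
)
CONTROLS = [PASSWORD_CONTROL]
```

Running `coverage_gaps(SCOPE, CONTROLS)` lists the three background-check objectives and the PCI log-retention objective, while `evidence_for(PASSWORD_CONTROL, "SOC 2")` returns the one password test result for reuse.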
GLOSSARY OF COMPLIANCE TERMS

Governance, risk management and compliance is a complex and challenging business even for the most seasoned of experts. Here are some of the commonly used terms in the compliance world that you need to understand as you embark on a compliance program.

• Attestation – like an audit, except the organization and the third-party examiner share responsibility for an inaccurate examination
• Audit – an examination performed by an independent third party that verifies the guidelines outlined by a regulatory body
• Audit fatigue – the resentment that occurs when your team is constantly being audited or asked for the same things over and over again as the company gets audited against different frameworks
• Compliance – adherence to a set of rules established by a regulatory body
• Consolidated Objectives – mapping of requirements in one framework to another. We have several common frameworks, including PCI-DSS, NIST/FedRAMP, SOC 2, HIPAA, and ISO 27001/27002. In addition, the Reciprocity GRC Experts can help you create mappings from other programs or your own internal compliance programs.
• Control – a step in the process that monitors and mitigates risk
• Framework – an approach with risks, controls, and processes to put in place a compliance model
• Objective – a discrete requirement within a compliance framework
• Regulatory body – the organization that defines the rules and the methods to verify the rules
• Risk – the chance that a negative outcome, financial loss, or error can damage the organization
• Scope – the boundaries to examine, which are usually dictated by a regulatory body
• Standard – the specific law, rules, or requirements that make up the scope during an examination
COMPLIANCE AGILITY REQUIRES AGILE TOOLS

Are you ready to make the transition to a more comprehensive compliance solution? Our GRC experts can help guide you through that journey and recommend the best solution for your organization. Call us at (415) 851-8667 to schedule a consultation, or visit us online at www.reciprocitylabs.com.
Reciprocity makes compliance work more engaging and rewarding.

Reciprocity’s mission is to turn corporate compliance from a cost center into a valuable strategic asset. We make compliance and risk officers more nimble with lightweight software designed for fast-growing companies. Our Governance, Risk, and Compliance (GRC) software encourages compliance, risk, and audit managers to act more nimbly and stand toe-to-toe with the fast-paced world of business.

Visit us online at www.reciprocitylabs.com.