In my numerous discussions with clients, I tend to find a recurring theme of organizations attempting to bridge the gap between business policies tied to regulations and security controls through a process called “The Policy Lifecycle.”
The lifecycle starts with any number of groups, including compliance, legal, and security, who are responsible for reviewing a myriad of state and federal regulations on a quarterly basis. I’ll use security in this example. After extensive review, the Chief Security Officer (CSO) must determine which regulations apply to the security organization, and then work with other teams to institute policies that ensure regulatory compliance. The policies typically require review and approval prior to distribution to employees. If a policy is focused on data privacy, such as credit card numbers or personal/confidential information, every employee who processes or handles that type of information must review and attest to the policy in order to satisfy requirements such as PCI DSS (strictly an industry standard enforced by contract rather than a law, but handled in exactly the same way in this process).
Furthermore, controls must be put in place to ensure the policy is actually being adhered to within the organization. Public leaks of highly sensitive client information have repeatedly shown the damage that follows, and typically the leak traces back to a lack of effective controls. For example, there must be controls that ensure privileges are assigned based on each individual’s job function and overall responsibilities. Why is this important? When dealing with highly sensitive credit card information, it is imperative that the right people have access to the right information based on their role in the organization. More importantly, nobody should have access to information they don’t absolutely need in order to perform their job function. This is the principle of least privilege, and it governs not only whether someone can reach a data set but how much of each record they can see. Specifically, many workers need to validate a customer by their Social Security Number (typically just the last four digits), but very few need access to the whole SSN.
Once the controls have been put in place, the CSO (and the IT Security organization) needs to validate that they are working effectively. This typically involves an arduous manual process of checking with management to ensure that only appropriate employees have privileged access to confidential information, and only to the necessary level of that information. Because this is a manual process, the risk of human error is always present: the wrong employees could obtain access to sensitive and protected information, which could prove disastrous for the organization. Any violations that are found must be documented, assigned for remediation, and resolved quickly.
For some policies, a process of self-attestation is required, in which each affected employee is required to attest to the fact that they understand the policy and have complied with it. This process can be streamlined through automated questionnaires or surveys.
Lastly, the CSO performs a regular review of the company’s “state of compliance” with its key regulations and standards, such as SOX, HIPAA, or PCI DSS. They must produce a report that details those key regulations, the policies in place to meet them, and the state of the supporting controls. In most organizations the policy lifecycle is performed manually, which leads to inefficiencies, inaccuracies, and out-of-date information.
So, how can a GRC solution help an organization manage the policy lifecycle process?
The review, approval and attestation processes can be automated in GRC solutions through streamlined workflow processes. A policy dashboard displays the results of who has, or has not, attested to compliance with the policy.
A GRC solution can also help streamline the process of validating that the controls are operating correctly. Each control is typically documented in the GRC system, so the current state of its testing is always known. In many cases the actual test of a control can be automated: for an access control, the system compares each user’s existing entitlements against the access policy defined for that user’s role and automatically flags any entitlement the policy does not allow to the responsible business manager. If violations are found, action can be taken immediately through the remediation process, which ensures the issues are captured and the appropriate person(s) are assigned to resolve them in a timely manner, helping to minimize the risk to the organization.
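The two technical points above, least privilege down to the field level (last four digits of the SSN rather than the whole number) and the automated comparison of each user’s entitlements against the policy for their role, are straightforward to express in code. The following is an added example written for this page, not code from any GRC product; the role names, entitlement strings (`resource:scope`), and user records are constructed sample data and are assumptions, not part of the original post.

```python
"""Entitlement reconciliation: compare what each user actually holds against
what their role permits, and flag the excess for remediation.

All role names, entitlement strings and user records below are constructed
sample data (assumptions for this example, not from any real system).
"""
from dataclasses import dataclass

# Policy: each role maps to the set of entitlements it is allowed to hold.
# Entitlements are "resource:scope" so field-level access can be expressed,
# e.g. seeing only the last four SSN digits versus the full SSN.
ROLE_POLICY = {
    "call_center_agent": {"customer:read", "ssn:last4"},
    "fraud_investigator": {"customer:read", "ssn:full", "card:pan_full"},
    "billing_clerk": {"customer:read", "card:pan_last4", "invoice:write"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    entitlements: frozenset


@dataclass(frozen=True)
class Violation:
    user_id: str
    role: str
    excess: frozenset  # entitlements the role does not permit
    reason: str


# Constructed snapshot of current entitlements, as an IAM export might provide.
SAMPLE_USERS = [
    User("alice", "call_center_agent", frozenset({"customer:read", "ssn:last4"})),
    User("bob", "call_center_agent", frozenset({"customer:read", "ssn:full"})),
    User("carol", "billing_clerk",
         frozenset({"customer:read", "card:pan_last4", "invoice:write", "card:pan_full"})),
    User("dave", "intern", frozenset({"customer:read"})),
]


def reconcile(users, policy=ROLE_POLICY):
    """Return one Violation per user whose entitlements exceed their role.

    A user whose role is unknown to the policy is also a violation: every
    entitlement they hold is unauthorised until the role is defined.
    """
    violations = []
    for u in users:
        allowed = policy.get(u.role)
        if allowed is None:
            violations.append(Violation(u.user_id, u.role, u.entitlements,
                                        "role not defined in policy"))
            continue
        excess = u.entitlements - allowed
        if excess:
            violations.append(Violation(u.user_id, u.role, frozenset(excess),
                                        "entitlements exceed role"))
    return violations


def remediation_report(violations):
    """Group flagged entitlements by user for the remediation queue."""
    return {v.user_id: sorted(v.excess) for v in violations}


def ssn_view(ssn, entitlements):
    """Render an SSN according to the caller's entitlements (least privilege
    applied to the field, not just the record). Accepts 9 digits with or
    without dashes; anything else is rejected rather than partially masked."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("SSN must be 9 digits")
    if "ssn:full" in entitlements:
        return f"{digits[:3]}-{digits[3:5]}-{digits[5:]}"
    if "ssn:last4" in entitlements:
        return f"***-**-{digits[5:]}"
    return "***-**-****"


if __name__ == "__main__":
    for v in reconcile(SAMPLE_USERS):
        print(f"{v.user_id:6} {v.role:18} {v.reason}: {sorted(v.excess)}")
    print(ssn_view("123-45-6789", SAMPLE_USERS[0].entitlements))
```

Run on the sample data, the check flags bob (a call-center agent holding `ssn:full`), carol (a billing clerk holding `card:pan_full`) and dave (a role the policy never defined), while alice passes. In practice the user snapshot would come from an identity store export and the violations would be written back into the GRC system’s remediation workflow rather than printed; the comparison logic itself is the part that replaces the manual check with management.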
The results of the control tests are fed back into the GRC system and represented in an audit card, which displays the control’s effectiveness over time in a graph. The audit card history also serves as evidence for assessors during a PCI DSS audit.
In addition, by using a compliance dashboard, the CSO can gain a better understanding of the company’s overall policy lifecycle process. The dashboard displays key regulations, the state of the policies and controls in place to support the regulations, and remediation plans to resolve outstanding issues, all in a centralized, easy-to-read view.
Rather than relying on quickly out-of-date and error-prone spreadsheets, using a centralized GRC solution helps to provide efficient, accurate, and up-to-date reporting of the state of compliance, streamlining the policy lifecycle process for the organization.
During my customer visits I typically find that organizations are struggling with how to implement effective security policies. In some companies a committee creates the policies; in others they are developed by one or two individuals. The challenge is to keep the policies updated, distribute them, and enforce adherence by establishing good controls. This is where an effective approach coupled with a good GRC solution can solve the problem.