Musings of the middlemen
The drivers
What do you need to generate a wave that reaches every corner of a system? An epicenter. In this case, you want to ensure every department, employee, and function in your company is compliant. The epicenter for compliance is a central team.
This diagram illustrates exactly what it takes to make a product, and you can draw this diagram for each of your company’s products. Here is what you should take note of:
- Each box will involve a set of teams. Overall compliance can only be achieved when each of those teams ensures their activities are compliant.
- The stars in the diagram above indicate the security, privacy, and audit (SPA) team, the driver of compliance:
- They are a stakeholder in every process.
- They ensure that each team is aware of its compliance responsibilities and is carrying out the required activities for compliance.
- They facilitate and organize external audits.
- They manage any deviation from standards in processes.
The SPA team and shared responsibilities
As its name suggests, the SPA team eases an organization's compliance experience. But it cannot do it alone. Each team must do its part for compliance.
Compliance is a shared responsibility.
For each security, privacy, and audit function within an organization, there are responsibilities that the SPA team must conduct and those that the other teams pointed out in Illustration 1 must carry out. Zylker, our example company from earlier, has an SPA team where there are three divisions, but they all work together. Here's what the shared responsibility model of Zylker would look like:
Note: Compliance involves more activities than those listed above, and how responsibility is shared varies by organization. Whatever the split, creating this model and communicating the shared responsibilities to upper management and individual teams is essential.
What should the SPA team muse on?
Compliance is a shared responsibility between each member of the organization, but it has to be driven and managed from a central team. The three divisions of the SPA team are like warriors defending a castle from the same enemy but on different fronts. Consider this scenario:
Zylker wants to get ISO 27001 certified, and they stumble upon the following control:
"Agreements on information transfer shall address the secure transfer of business information between the organisation and third parties"
This control talks about how secure the transfer of information should be when Zylker shares data with third parties, and how data sharing should be captured in the agreement between the two organizations. Zylker's SPA team will work towards this control, but each division will have its own questions.
Security's musings about the agreement
- Is the information safe at rest in our company? Is it encrypted?
- Do the third parties have sufficient technology and procedures to keep the information safe at rest?
- Through what medium is the information going to be transferred?
- If it is going to be transferred online, is the communication encrypted in transit?
- If the information will be kept in a shared location (such as the cloud) and we give the third party access to it, do we have sufficient access control to ensure they do not misuse it?
- If the information is compromised by a hacker in any way, how do we respond immediately and effectively?
Privacy's musings about the agreement
- What is the category of information in question? Is it personal data?
- Who from the third-party organization gets to see this information? Do they really need to?
- If the information relates to people who are not concerned with the third-party organization, should those people be informed about the data handling first?
- Can we hash information wherever possible to minimize the risk of a personal data breach?
- What is the purpose of sharing this information? Have we been transparent about this purpose?
- What is the third party going to use the data for? Do we have controls to ensure they do not misuse this information?
- Will the third party store this information? Do they really need to? If so, how long will they store it?
- Will the third party share this information with anyone else? If they do, how will they ensure the information remains private?
Audit's musings about the agreement
- What is Zylker's policy on information transfer? Are the transfers in accordance with that policy?
- Which people at Zylker are accountable for this transfer?
- What procedure do they follow? How do they ensure they are following the procedure?
- How do we measure the effectiveness of the transfer?
- Do we have sufficient evidence that this transfer is secure as per the ISO control?
Although the divisions of the SPA team handle different questions, they assume similar roles:
Facilitators: As its members have significant compliance know-how, the SPA team is well-suited to help any process become compliant. A standard like ISO 27001 or a regulation like the GDPR has a great deal to say about how a company should function. The SPA team can apply this knowledge to each process so that it runs in the best possible way and is also compliant.
Critics: Standards are ideals, and members of the SPA team are bound to be idealists when it comes to processes, which also makes them the biggest critics in the company. They scrutinize every single process and drive the responsible individuals and teams towards improving it until the process is as close to its ideal state as possible.
Consultants: The SPA team has experts whose opinions should be sought out when implementing any new process. It could be a location change, migration to a new service provider, introducing a new feature in an offering, or discontinuing a product. In all of those cases, SPA experts must be consulted so that you know the implications, risks, and necessary controls.
ZOHO STORY
Zoho's SPA team eases all kinds of troubled processes. A security team of more than 30 professionals creates in-house technology for code checking, vulnerability management, education, frameworks, and audits. The privacy team has analysts who coordinate with all product and operations teams to ensure privacy is blended into our processes and products. The audit team has certified internal auditors who keep tabs on processes.
All of these teams work together when an audit, incident, or new regulation comes up. The reason is simple: unless they collaborate, compliance isn't complete. The security requirements of a standard play a crucial role in privacy and audit requirements. Likewise, privacy implications affect how security controls and audit requirements are handled. The three divisions are interrelated yet different. To set up infrastructure that is continually compliant, the SPA team must operate as one group, but with clear segregation of responsibilities and ownership between the security, privacy, and audit teams.
We are now moving towards a system where we establish compliance expertise within each team. These experts carry out typical compliance activities needed for their team. The SPA team now needs to coordinate only with these experts when required. The SPA team's main focus will now be on continual improvement of processes and enhancing the compliance profile of Zoho.