I have written before about a security compliance tool we have been using, ComplyUp. (You can read about it here and here.) If you know your organization will not be audited for information security, ComplyUp is a handy compliance tool. As in, “handy, but not must-have.”

But what if you think (or know) that your organization might be audited for its information security stance? Then, ComplyUp is more of a required compliance tool for your organization.

Should I Worry About Information Security Compliance?

If your organization operates in an industry subject to government security regulations, you had better worry about information security compliance. We have customers that operate in the US financial markets. These customers are subject to regulation such as FINRA, PCI/DSS, SOX and more. We have other customers that are selling to the US Department of Defense and US security agencies.

For these customers, it is not enough to say you are compliance with information security regulations. These customers must show that they are compliant. And if they are not fully compliance with the regulations, they must show that they have a plan to become compliant. For these customers, a compliance tool is critical.

Do you know who else is asking to see your compliance with information security regulations? Your cyber insurance company. If you can show compliance, you might get a better rate from the insurance company. If you cannot show compliance, they might not underwrite a policy at all. Insurers want to manage their risk exposure. (Ask me sometime how I know this.) Demonstrating compliance with information security standards is akin to showing your property/casualty insurer that you have working smoke detectors in your home.

What Does a Compliance Tool Do for Me?

Think about how you manage IT compliance and remediation today. You get an audit report from the consultant (ours are suitable for framing LOL). You create a spreadsheet to list all the compliance and remediation items and track your progress in closing the actions. Welcome to your compliance tool.

Over time, the spreadsheet gets messy. One audit item requires multiple actions to close. You are not going to address some audit items because compliance would be overly burdensome for the organization. Or the cost and effort to close the item does not match up with the benefit.

Then things get worse. You cannot close an item because it is dependent on closing a separate item. Or you want to note the important updates that occur as you work the problem prior to its closure. Six months after the audit, you cannot recall where you left the spreadsheet as you try to update the auditors on progress.

How You Can Benefit from a Fit-for-Purpose Compliance Tool

Now, imagine this experience.

• You use the compliance tool to step through a series of questions. Each question represents a compliance requirement. For instance, “Does the organization have an authentication mechanism?”
• The compliance tool has information on the compliance requirement and the questions. This information helps you understand what the requirement is and why the question is relevant to determining compliance.
• If you fully comply with the requirement, you can indicate this and (importantly) show evidence that you have complied. This might be a screen shot of an MFA request.
• If you partially comply with the requirement, or have not started to address the requirement, you can indicate this. The compliance tool can capture your notes.
• It also captures your plan to address the requirement. What actions will you take? Who has the responsibility for each action? Is there a milestone you want to track to confirm that you have completed the actions and achieved compliance?

Now, fast forward to your IT audit. The auditor asks about compliance with a requirement, such as use of multi-factor authentication. You open the compliance tool, go to that requirement section, and show them the evidence that you comply with the requirement. (Or you give the auditor temporary access to the compliance tool and let them check for themselves.)

Decide Your Position on the Make-Buy Continuum

The compliance tool is doing the same things you could do with a spreadsheet, list, or wiki page. The value of the compliance tool is in its integration across the compliance steps. And in its capture of information in a single place. Could you reproduce the functionality of a compliance tool? Yes. Do you want to spend your time putting your own tool together? I doubt it.

I remember when a software developer friend created a US 1040 tax form using Excel. It was cool. But it did not take me long to abandon his tool in favor of dedicated tax preparation software. Who would want to build in all the twists and turns of the US tax code? Tax preparation is about much more than making sure the numbers add up.

The information security compliance tool we are using, ComplyUp, requires a license. And you must renew the license annually if you want to maintain up to date information on your compliance. That is a pain. But you get the reward of having all your answers and work notes in one place. I call that a bargain.