In a recent article, we introduced Codify’s Pyramid of Implementation model: our heuristic for understanding the various standards, rulesets, controls, and requirements that your FSI business may be subject to.
And although the information in the article provides a helpful starting point for compliance planning, we felt there was still more we could offer teams that are struggling to move through the compliance process — specifically, how executive leadership and technical IT teams can have a compliance conversation and identify a path forward that both can feel confident about.
Building from the Ground Up
Compliance challenges start at the base of the Pyramid of Implementation — even if the teams involved don’t realise it.
You likely have some compliance measures in place at this point. If you didn’t, you’d risk suffering heavy compliance costs to remediate noncompliance findings by an auditor — or even the loss of your financial service license. But don’t underestimate how much your compliance requirements can change over time.
- Remote work adoption, for example, has grown significantly throughout the COVID-19 pandemic. The last time you audited your compliance, was remote work even an option at your organisation?
- Cloud adoption is up significantly as well. For instance, if you recently transitioned to Microsoft Azure cloud computing, are you still using the same audit processes and tools as you did on-prem? Not only is it possible that your compliance needs have changed, you may also be missing out on tools built into Azure that can make compliance management much easier.
Challenges like these make regularly revisiting your compliance obligations a must — but this is where conflict can arise on teams.
First, you’ve got your executive who’s primarily concerned with the left-hand side of the Pyramid. They’re thinking, “We’ve got these bodies that enforce these requirements on us, and they’ll all fine us or kick us out of their service if we don’t do this”.
Then, you have your IT person scaling a different side of the pyramid. And they’re much less worried, thinking, “Great, this is just an implementation thing. I just need to buy this product, turn this on, and then I’ll get a bunch of things to action. And I can do that. That’s easy, because that’s technical.”
Ultimately, they’re on the same journey — they’re climbing the same Pyramid — but they’re approaching it from different faces, and that leads to a chasm of expectation. Without an understanding of both sides’ priorities, organisations risk missing the outcome; with no plan, there can be no confidence. Instead, both parties need to make the climb together and meet at the top.
But, if that’s the case, why aren’t executives and IT already working in lockstep? As we explored in our first article on this topic, this is a very complicated space. There are a lot of acronyms — think ISO and NIST — but there are also a lot of figurehead words that don’t really mean anything to the parties involved. That can make achieving compliance seem insurmountable.
Moving Up the Pyramid
If you look at the Pyramid from the base, it’s easy to intuit how companies starting in a single corner might feel that they’ll never be able to piece together the compliance puzzle — especially if they don’t really understand the differences between things like rulesets and standards.
When you move up to the middle of the Pyramid, however, it shrinks down in some ways as both executive and IT teams are better able to see the totality of the scope of the compliance process. It’s still a monumental undertaking, but teams can gain some confidence at this stage by understanding the things they’re required (or not required) to implement to get to the standard at the top of the Pyramid faster.
What companies at this stage will notice is that the requirements, as they’re written, tend to have three common elements:
- There needs to be some type of documentation or record of what’s been done and what decisions were made, so that these can be implemented into other documents or processes. This documentation drives the business outcome of the requirement.
- Next, in most — but not all — cases, there will be a technology implementation with a focus on enforcement of the requirement.
- Then, the audit component protects the integrity of the documentation and the technology by providing evidence that things are running as they should. Once this is in place, teams can go back and look at their prior audit results if they need to change their policies or manage the actions that have come out of them.
As a simple example, take establishing compliance around working from home. Documentation, in this case, might involve establishing a remote working policy that sets guidelines around things like who can access technology or how workers should lock their devices when they’re stepping away.
The technology piece of the implementation recognises that it’s impractical to expect that workers will follow all of these guidelines, 100% of the time. So teams can use things like firewalls, Intune or Azure AD to enforce the policies they’ve established in their documentation.
Finally, conducting an audit in this example might mean regularly checking users’ devices to ensure the appropriate security software is running or measuring how frequently users’ behaviour was out of compliance with the policies you established.
Compliance in Microsoft Azure
For many customers who are already in Azure, the implementation of these types of controls can be relatively easy. Rather than buying a bunch of extra pieces, you may be able to simply turn on fundamentals that are already baked into the platform.
Just be careful not to think of Azure’s controls as a silver bullet. Out of the box, you can turn these features on and wind up with what we call a ‘red dashboard’.
But then, you run the risk of doing the same thing you’ve always done — which may be to not actually execute or action any of the feedback that comes out of the process. Azure’s tools make visibility and implementation easy, but don’t assume that any issues that arise will be automatically resolved for you.
And if you aren’t on Azure, you may still have access to Microsoft solutions like Arc and Intune that can span your cloud-based workloads into on-prem spaces and give you that ‘single pane of glass’ visibility for managing your compliance across any location.
Reaching the Top
Most companies are familiar with ISO standards, and many FSI businesses will set achieving at least one of them as a compliance goal. At Codify, we decided to pursue ISO 27001 certification — given the work we do for customers, it made sense to practice what we preach.
So if you’re trying to achieve ISO, why not just start there, at the top of the Pyramid? The reality is that, although these standards are well-known, they’re also generic. They might tell you to implement things like strong passwords and multifactor authentication, but they don’t actually tell you how to do it. If you try to figure out how to implement their recommendations on your own, you’re setting yourself up for a lot of unnecessary work.
Instead, you can start with the rulesets from the CISs and NISTs of the world, which will give you specific guides for your technology stack. Often, all you need to do is download the resource for your specific platform — like the NIST Guide to Windows Server or the CIS Guide to Azure — and follow the instructions. In some cases like CIS, these resources have PowerShell built in. All you have to do is just run it.
Essentially, this stage is where you connect the dots between the standards you’re trying to achieve, the target business outcomes you’ve documented, and the technology platforms you’re already using to identify a path forward towards fulfilling your governance and regulatory compliance obligations. When that happens, executives and IT align and gain confidence in their work, knowing that standards are assured through the implementation of rulesets.
At least, that’s what we believe. Have you found this information helpful? Does it resonate with how your FSI business has approached compliance (or how you might do so in the future)? We’d love to be challenged on our thinking, so contact us to continue the discussion.