Are Regulations and Compliance Better With Cloud?
When considering external (cloud) providers that may offer more maturity in security and reporting, organizations must think about developing a complete plan outlining compliance and regulatory requirements in a constantly shifting landscape.
Many organizations have a standing audit and review group or toolset that is capable of tracking and reporting on compliance and obligations, but these are generally restricted to “what we touch, we can report on.” The model is changing. There are more opportunities to leverage external providers, allowing for more robust platforms, better usage of resources, and expansion of the environment, providing the customers with greater access and reliability. How do I know if this is the right choice for me, or if it should even be a consideration?
The Externalization Opportunity
Compliance and regulations will always be a moving target. The push is generally associated with an unexpected risk, or a legacy control that wasn’t sufficient. When you own the environment, it is often easier to validate a review.
What I mean by this is that you should have existing controls for internal operations. There should be a well-documented, well-managed, and monitored process and implementation. As needs change, are your requirements changing? Do you have the ability to enhance controls? Can you scale to deliver compliance and still maintain your customers’/users’ expectations?
This is the point where we need to consider the cloud. Internal processes and environments are generally easy to report and monitor, but may not allow you the scalability to plan for future concerns. Even if the environment is scalable, are your resources? What would it take for you to design, implement, support, and deliver? Do you have the resources, time, location, and ability to provide for tomorrow?
We are all familiar with some of the basics (HIPAA, PCI-DSS, SOX, NIST, etc.), but we also have obligations to our customers and end users. Are we keeping ahead of the curve and their expectations? Do we have the skills and maturity to meet these requirements? Can we sufficiently report, based on their needs?
The Other Considerations
Let’s consider the following questions:
- Are we currently able to meet our requirements today?
- Are our controls for internal environments sufficient?
Over time the answer may be no. The consideration now should be: does the move to cloud allow us to level set our baseline?
When documenting our current environment and designing towards our needs, we often realize that we are not compliant and mature in the way that we should be. There are gaps. This requires time and resources, and often those are in short supply. What we need to consider is how we can provide the controls that auditors/customers/users require and expect.
Recommendations
The process for compliance planning does not need to be onerous, especially with help from Info-Tech’s solid planning tools. With the right people involved and enough time invested, developing an SWP will be easier than first thought and time will be well spent. Leverage Info-Tech’s client-tested 9-step process to build a strategic workforce plan:
- Assess the need.
- Assess your resources.
- Identify the impact of internal and external controls.
- Identify the impact of externalization on your compliance obligations.
- Document your current controls (Are they complete? Are they consistent? Are they changing?)
- Consider new controls for the expanded environment.
- Document your obligations. (What do my customers expect? What do my users expect? What are my compliance obligations? Am I required or restricted to support these obligations internally?)
- Scope your growth. (Can we support our immediate and long-term goals by using the cloud? Does the cloud offer us services we can’t provide ourselves? Do we have the resources, time, and maturity to consider this move?)
- Track your changes. (Do we need to make significant changes to how we do business with this move? Is this a process change? Does it lock us into one provider? Can we migrate from this service to a different one? If we had to, could we support this service internally?)
The Bottom Line
This move to external providers isn’t new. We have been through this cycle before, and we can be sure that regulations are going to change. The constant need to innovate, to leverage resources doing more with less, is forcing us to consider the most efficient way to grow. Often, the fastest way to get there is to look outside of your organization to cloud-based services, which are often more mature and functional than internal resources can be. Leverage commoditized services, while taking advantage of existing differentiators that enhance delivery, and grow your customer base.
Want to Know More?
Develop Your Security Outsourcing Strategy