Managed Compliance Service
Many organizations lack any formal compliance program or do not really understand how to navigate their regulatory environments. Some may be naive and think they would pass an audit or assessment with flying colors; some look at various regulations and frameworks and see them as if they were written in a foreign language; others are so overwhelmed with daily operations that they never find the time to improve their compliance and IT security-related efforts. The use of technology can help bolster an organization’s compliance program and its readiness to pass an audit or vendor risk assessment.
Spark Program Overview
However, the implementation of a compliance management resource like K2 Compliance can be a daunting or overwhelming task for any organization. We recognize that changing an organization’s compliance culture or starting a formal compliance program isn’t something that just happens overnight either. That is why we created a program to help educate organizations on how to navigate their regulatory environments, become prepared to adequately prove their attestation to various standards and regulations, and mitigate concerns related to change, which in this case means adopting and learning how to use new technology.
Our goal is to work with our clients to establish the foundation for a platform that will allow them to maintain a structured compliance program able to withstand the test of any future audit, third-party vendor review or risk assessment. This multi-phased program, outlined within this packet, will educate our clients on best practices while allowing them to gradually become familiar with the technology at their own pace.
The Spark program is the spark that ignites your compliance program. Essentially, this means that Etactics will work with your organization to establish, analyze, and enhance your current or infant-stage compliance program.
Phase 1 - Discover and Evaluate
During this initial phase, we’ll meet with management to determine what, if any, compliance and information security efforts and measures are currently in place.
Our experts will review any existing policies that your organization currently maintains in addition to the most recently conducted security risk assessment. If there are any security tools that are being leveraged, we’ll evaluate their level of effectiveness as well. The findings will be considered and incorporated throughout the implementation of the Spark Program.
We will identify your organization’s regulatory environment, that is, all of the laws and regulations you’re required to adhere to. This includes everything from the national or vertical-market level down to the regional, state or local levels. This will help us build your profile within K2 Compliance and set the scope for your future security risk assessment.
Phase 1 includes the creation of a compliance and information security profile within our K2 Compliance management system. We build an interconnected web establishing ownership of systems, vendor solutions, policy requirements and more. Several components of this profile include:
3rd Party Vendors
Policy Referenced Committees
Identifying where any of your sensitive or protected information exists on your network is an integral part of the Spark Program. We use the InfoGPS 3D technology to scan your network and identify which of your organization’s assets pose the biggest risk to your organization. It might be a laptop that, if stolen, would present the threat of thousands of sensitive data records becoming breached, records you probably didn’t even know were inadvertently downloaded and stored on the device. By identifying which assets pose the most risk to your organization, we can appropriately address the threat and mitigate the risk.
Creating data flow diagrams with the information gathered in the asset discovery event is the next step in exposing any major areas of risk to your organization. It’s not only important to know where the data exists in your network, but how it flows. While you may think that your data transmission methods are completely secure, we’ll evaluate the mediums it flows through and pinpoint any transmission conduits that might be vulnerable to specific threats.
Phase 2 - Implement and Attest
The next phase of the Spark Program introduces a formal set of information security policies for your organization to adopt. We split the policies up into smaller groups and propose implementing them in an attainable time frame.
The first part of Phase 2 is to schedule a meeting with the members of the organization who will, in some capacity, maintain a role in your compliance and information security program. Our policies require organizations to create various teams or committees responsible for carrying out the particular objectives of each policy.
In this introductory meeting, we’ll go over the origins of the content and the format of the policies. We want your organization to understand what the policies are designed to address and why they require certain activities to be performed. The next objective of the meeting will be to assign membership to the various teams cited within the policies.
Finally, we’ll introduce the first group of policies to be implemented. Our policies are written with specific objectives that provide clearly stated actionable items that need to be performed. We’ll walk through and discuss each policy with your team and add or amend any objectives that don’t quite fit your business model. This process will be repeated for every group of policies until we’ve successfully implemented the entire set.
What is almost worse than not having a formal set of policies is having them but not actually maintaining evidence to support that your organization has implemented and follows the policies.
We’ve written our policies in a format that allows us to easily import them into and manage them within K2 Compliance. Once a group of policies has been approved, we’ll load the approved version into the software and then use the proprietary Information Request feature to collect the required evidence that supports attestation for each policy.
Because the policies are written with “objectives”, each objective will have a status identifying whether it has been met, partially met or remains unmet. Once all of a policy’s objectives have been met, the policy will be considered fully implemented. Evidence gathered and stored within the system for each objective also has a shelf life according to the frequency noted in the objective. K2 Compliance notifies us when we need to update the evidence, ensuring that policy adherence is maintained in compliance with the policy and the mandate it inherently addresses.
Phase 3 - Assess and Validate
The final phase of the Spark Program fulfills the industry requirement to conduct an annual security risk assessment of your compliance and information security environment. By completing each of the first two phases, your organization is prepared to participate in this event, with the expectation that the results will be palatable.
Most of the evidence that your organization will be required to produce for the assessors to validate will have already been created and gathered during the first two phases. This greatly reduces a significant and time-consuming step in the assessment process and helps us incorporate this component of the Spark Program at an extremely competitive price. We’ll use K2 Compliance to produce a detailed report of all the collected evidence according to each policy, providing the assessors with nearly all of the information they’ll need to review.
Our certified assessors will conduct interviews amongst your organization’s leadership to identify the most relevant areas of risk. They’ll use the information gathered in the interviews to construct a statement of risk specific to your organization and use it as a basis for the scope of the assessment.
Once interviews have been conducted and all gathered evidence has been reviewed, we will schedule a meeting to present a formal, detailed risk assessment report and discuss the findings of the assessment.
This report will include:
An executive summary of your organization’s risk landscape and profile as it relates to your business model.
A list of:
All identified information security threats to your organization
The risk these threats inherently pose to your organization
The risk these threats pose to your organization after taking into consideration the mitigating security controls that are in place, both those originating from existing measures that predate the implementation of the Spark Program and those resulting from the policy set implemented as part of Phase 2.
Highlighted in this list of threats are those that still pose a moderate to high level of risk to your organization even after considering all current security controls in place.
A list of remediation activities with recommendations on how to further mitigate the remaining moderate to high areas of risk that are identified in the report.
A detailed summary of the findings from the evidentiary review phase of the assessment as they relate to assessment items or benchmarks specific to your organization’s regulatory environment.
It is important to note that this risk assessment report isn’t just proof of compliance with the regulation that requires you to have a security risk assessment conducted. It should become an asset or component of your value proposition. In this day and age, customers want to do business with organizations that publish their data and information security efforts. This security risk assessment event and the corresponding report can be a valuable asset as your organization continues to grow and acquire new business.
An important part of the risk assessment process is addressing the outstanding areas of risk that were identified during the assessment. Including a list of remediation activities in the assessment report isn’t something that we invented. However, most firms will simply provide their clients with a list and expect them to complete the activities on their own with little advice or direction on how to accomplish this task.
We’ll present these remediation activities in the traditional manner, as part of the risk assessment report. Additionally, we’ll discuss each activity in detail so that your organization understands what is expected to fulfill each one. Then we’ll load the remediation plan into K2 Compliance and manage the completion of this plan, mirroring the same process applied to the implementation of the policy set from Phase 2. All necessary documentation will be collected to support the completion of each activity and will be available to present during the following year’s information security risk assessment.