How do you stay compliant with multiple frameworks simultaneously?

Small to medium-sized businesses face the same cybersecurity challenges and compliance requirements as large companies but generally don’t have the budget or internal resources to address them. One of the questions we always receive from small and medium-sized companies is: what is the best strategy for remaining compliant with multiple IT regulations (PCI-DSS, SOC2, ISO27001, GDPR, HIPAA, CMMC, etc.)?

There actually is a simple answer to this difficult question. RITC Cybersecurity’s mantra is that if you are secure, you will be compliant, but if you focus solely on compliance, you won’t be secure. Not only do we have a plan to make you secure, but also a way to keep your company secure year-round, not just at audit time.

Before you can be compliant, however, you need to assess your environment against a cybersecurity framework. For small to medium-sized businesses with compliance requirements like SOC2, PCI, or HIPAA, we recommend NIST CSF. All these frameworks require you to document your processes, which is necessary for compliance. Starting with NIST CSF will establish the proper basis and documentation for being compliant with SOC2, HIPAA, or PCI. Generally, we have found that by being compliant with NIST CSF, you will be somewhere between 80-85% of the way to compliance with those frameworks. This leaves the last roughly 15%, which is specific to each compliance framework, to complete. If your only responsibility is securing your environment and establishing secure processes for cybersecurity insurance or customer questionnaires, CIS is an excellent option.

When it comes to gathering evidence, RITC Cybersecurity has found that operationalizing the evidence-gathering process is the best way to ensure you are compliant year-round. Making evidence gathering part of your KTLO (keep-the-lights-on) staff’s monthly or quarterly job functions lets you spread the tasks across your entire team: verifying security configurations with screenshots, documentation and process reviews, collecting vulnerability reports, and other risk-specific processes throughout the year. No special tools are needed for tracking this evidence collection; we recommend simply creating help desk tickets or managing a team calendar to ensure the tasks are completed. For an evidence repository, you can use a secured SharePoint site or a secured network drive. However, it is critical that this evidence is secured, with access available only on a need-to-know basis, because the evidence itself documents your security configurations and weaknesses. This data should be classified as highly confidential.

Now, I am sure you are thinking to yourself: my team is lean, or I am the team. How much time and how many resources will I need to maintain compliance year-round? The answer really depends on your team size and the size of your environment. Let’s use policy review as an example. The best way we have found to deal with policy review is not to review all 20-25 policies once a year, but to break them down quarterly. So, if you have 20 policies, that’s 5 policies per quarter, and if nothing changes, how hard is that really? At that point, you are mostly just updating the review date on the documents and checking off that they have been reviewed. It gets a little more difficult if your policies are continually changing. Back to the time commitment, though — in our experience, the extra workload is generally 5-10 hours a quarter per team member, depending on scope and team size. The key to making this manageable is the work done in the first 12-18 months, when you are getting the company compliant with a security framework.

So, what does this really get us? The methodology has multiple benefits: it gets your team used to gathering the required evidence for the annual audit, eliminates chaos and overload at audit time, and provides you with a continual snapshot of where you stand from a security and compliance perspective. Using SOC2 or PCI as an example, when this process is operationalized, you will save time when the QSA or auditor arrives and reduce auditor hours, engagement time, and cost. Your internal teams will spend less time figuring out how to do an annual one-time task, and they may already have some evidence ready, as both PCI and SOC2 require things like vulnerability scans, remediation, help desk tickets, penetration test reports, etc., as part of the audit. By operationalizing compliance, costs are typically reduced by 15%-25% in the years after the first audit.

Lastly, you may ask: I am a team of one or two — how am I really going to do this? Well, the answer is simple: contact RITC Cybersecurity, and we will provide the resources and experience you need to support and streamline your compliance efforts for less than the cost of bringing in additional resources.