Technology and Its Regulatory Burden
Companies rely on GRC Labs as a common platform to manage controls across frameworks, with a dashboard that lets CISOs monitor key performance indicators for their compliance and IT security efforts.
Companies today face an enormously volatile environment. Large organizations' demand for technology services is high, and the range of services they want is diverse: data storage, audit management, document management, payroll processing, and so on.
That is a large opportunity for technology firms, and the cloud is a fantastic vehicle to help them meet those corporate customers' needs. The firms can provision services to their customers on an as-needed basis; customers save money on equipment purchases, time on implementation, and manpower on maintenance.
At the same time, however, the cloud also means barriers to entry are low. Many technology companies might compete to serve the same sales prospect. To prevail, they will need to offer either the lowest price or the best service.
Many regulatory burdens for technology providers come from their clients: whatever regulatory obligations those clients have also extend to the service providers supporting them. So the clients themselves have a compelling interest in assuring that the service provider can meet their standards.
For example, a tech provider might be exposed to the following:
- HIPAA requirements, if clients use it to store or process health information.
- State-level breach disclosure laws, if the tech firm stores or processes other personally identifiable information.
- NIST security standards (for example SP 800-53 for federal systems, or SP 800-171 for contractors handling controlled unclassified information), if the client is a government agency or government contractor.
- The COSO framework for internal control over financial reporting, if the tech firm helps clients manage accounting or financial functions.
- Requests for a SOC 2 report. (SOC 2 is an auditor's attestation report, not a certification; a provider is "examined", not "certified".)
- A client's own unique privacy or security demands, regardless of regulatory requirements.
Compliance Objective
Typically organizations will request a SOC 2 report from tech providers. A Type I report assesses the design of a provider's security controls at a point in time; a Type II report also tests how well those controls operated over a review period (commonly six to twelve months), which is what most enterprise clients ask for.
SOC 2 reports, however, can be tailored to a range of concerns. The five Trust Services Criteria are security, availability, processing integrity, confidentiality, and privacy; security is always in scope, and the other four are included as the engagement requires. A tech provider therefore needs to be able to address a wide range of client demands, depending on the specific engagement and the client's data security needs.
In practice, that means a provider must be able to:
- Assess vulnerabilities in the network and application layers.
- Remediate any weaknesses, whether through security patches to software or through changes to data collection practices.
- Be prepared to report those risk assessments and remediations to auditors, clients, and other parties as necessary.
- Review data collection practices for non-compliant behavior (say, failing to establish a lawful basis such as consent before collecting data from EU residents).
- Track progress on those remediation efforts against defined deadlines, so that an auditor can see findings were closed within the provider's own policy.
- Integrate new threat alerts and updated regulations into the compliance program as they come along.
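The tracking and reporting steps above are where most providers struggle during a Type II review: the auditor wants evidence that each finding was mapped to a control, given a deadline, and closed on time. The following is an added illustration written for this page, not GRC Labs' software and not a client's tooling. The severity-to-SLA table, the finding records, and the mapping of findings to SOC 2 common criteria references (CC6.1, CC6.7, CC7.1) are constructed assumptions for the example; a real program substitutes its own policy and its own vulnerability-scanner output.

```python
"""Track vulnerability findings against remediation deadlines and summarize
progress per SOC 2 criterion. Example code added to illustrate the text;
all data and SLA values below are constructed for the example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed remediation deadlines by severity, in days (a policy choice, not a SOC 2 rule).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    finding_id: str
    title: str
    severity: str                 # key of SLA_DAYS
    layer: str                    # "network" or "application"
    discovered: date
    criteria: Tuple[str, ...]     # SOC 2 criteria the finding bears on (assumed mapping)
    remediated: Optional[date] = None

    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.severity])

    def is_open(self) -> bool:
        return self.remediated is None

    def overdue_on(self, today: date) -> bool:
        return self.is_open() and today > self.due()

    def met_sla(self) -> Optional[bool]:
        """True/False once closed; None while the finding is still open."""
        if self.is_open():
            return None
        return self.remediated <= self.due()


def overdue(findings: List[Finding], today: date) -> List[Finding]:
    """Open findings past their deadline, most severe (shortest SLA) first."""
    late = [f for f in findings if f.overdue_on(today)]
    return sorted(late, key=lambda f: (SLA_DAYS[f.severity], f.due()))


def progress_by_criterion(findings: List[Finding]) -> Dict[str, Tuple[int, int]]:
    """Map each criterion to (closed, total) so progress can be reported per control area."""
    out: Dict[str, Tuple[int, int]] = {}
    for f in findings:
        for c in f.criteria:
            closed, total = out.get(c, (0, 0))
            out[c] = (closed + (0 if f.is_open() else 1), total + 1)
    return out


def status_report(findings: List[Finding], today: date) -> str:
    """Plain-text status suitable for handing to an auditor or client."""
    lines = [f"Remediation status as of {today.isoformat()}"]
    for f in sorted(findings, key=lambda f: f.due()):
        state = "open" if f.is_open() else f"closed {f.remediated.isoformat()}"
        flag = " OVERDUE" if f.overdue_on(today) else ""
        lines.append(f"{f.finding_id} [{f.severity}/{f.layer}] {f.title}: due {f.due().isoformat()}, {state}{flag}")
    for c, (closed, total) in sorted(progress_by_criterion(findings).items()):
        lines.append(f"{c}: {closed}/{total} findings remediated")
    return "\n".join(lines)


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-001", "TLS 1.0 enabled on load balancer", "high", "network",
            date(2024, 3, 1), ("CC6.1", "CC6.7"), remediated=date(2024, 3, 20)),
    Finding("F-002", "SQL injection in invoice search", "critical", "application",
            date(2024, 3, 10), ("CC6.1", "CC7.1")),
    Finding("F-003", "Outdated OpenSSH on bastion host", "medium", "network",
            date(2024, 1, 5), ("CC7.1",)),
    Finding("F-004", "Verbose stack traces in API errors", "low", "application",
            date(2024, 3, 15), ("CC6.1",)),
]
AS_OF = date(2024, 4, 1)  # assumed reporting date

if __name__ == "__main__":
    print(status_report(SAMPLE_FINDINGS, AS_OF))
```

Run as of 2024-04-01, the report flags F-002 as overdue (a 7-day critical SLA that expired on 2024-03-17) while F-003 is still inside its 90-day window, and the per-criterion summary shows CC7.1 with nothing remediated yet. The point for the compliance program is that the deadline policy and the control mapping are data, so the same records feed the dashboard, the auditor's evidence request, and the client's security questionnaire without being re-keyed.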