If there’s one word that comes up a lot when we talk about compliance, it’s audit. This makes sense. Audits are a big deal. But here’s something else that’s important: staying compliant between audits.
Let’s use a real-world analogy to put this into perspective. Imagine one day you covered up your speedometer, gas gauge or other warning lights. You’d be operating at a distinct disadvantage.
Now, what if you only saw that information when you serviced your car at the dealer or went in for an oil change? Given that you drive your car every day, seeing that critical data just a few times a year could put you and your car at risk.
Well, it’s not all that different when it comes to managing your infrastructure or environment between audits. Think of it this way: attackers don’t wait for your audit cycle. A control that lapsed two months after your last assessment is exploitable now, and a point-in-time pass says nothing about the other ten or eleven months of the year. They count on you relaxing between audits, and that’s when they make their move.
There’s another benefit here too: staying on top of compliance throughout the year will also reduce that pre-audit panic during crunch time, because you’ll already be in good shape.
The following three practices should help you stay aligned with compliance standards day in and day out.
1. Lead with security.
Security should always lead compliance. Remember, meeting compliance regulations alone does not keep you safe; a standard is a minimum baseline written for an average organization, not a description of the threats aimed at yours. Your organization needs to respond to the daily changes of the security landscape, not just to a regulator’s checklist.
By focusing on security and developing a program built around the threats you actually face, you will already be ahead of the compliance game. Monitor now, monitor tomorrow and then monitor some more.
We know that constant monitoring can be time-consuming and costly. But it’s still more enjoyable than a breach. Daily log reviews can spot abnormalities and deal with them before they become problems; patching on a defined monthly cadence (with out-of-band patches for anything known to be actively exploited) can mean the difference between a small leak that’s easily corrected and a brand-destroying disaster.
Monthly vulnerability scans, followed by a rescan after remediation, go a long way as well: a scan doesn’t prevent an attack by itself, but it surfaces the exposed services and missing patches before an attacker finds them. Also consider reviewing access on a quarterly basis. Do your users have the privilege appropriate to their function? Are there accounts for people who have left, or accounts nobody has used in months? Removing unneeded access shrinks the set of people and systems that touch sensitive data, which reduces your compliance scope and helps ensure data integrity.
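The quarterly access review above is easy to automate once you have three inputs: what the identity system currently grants, who HR says is still employed and in what function, and which entitlements each function is supposed to have. The following is an added example (not code from the original post or any vendor) that reconciles those three and flags orphaned accounts, excess privilege and stale accounts. The account records, roster, role map, entitlement names and the 90-day staleness threshold are all constructed for illustration; in practice you would pull the first two from your directory and HR system and maintain the role map as a reviewed document.

```python
"""Quarterly access review: reconcile accounts against the HR roster and a
role-to-entitlement map, and list what a reviewer needs to act on.
All sample data below is constructed for illustration."""
from datetime import date, timedelta

# Constructed sample: what the identity system currently grants.
ACCOUNTS = [
    {"user": "alice", "entitlements": {"pos_app_user"}, "last_login": date(2016, 5, 30)},
    {"user": "bob", "entitlements": {"pos_app_user", "db_admin"}, "last_login": date(2016, 6, 1)},
    {"user": "carol", "entitlements": {"db_admin"}, "last_login": date(2016, 1, 12)},
    {"user": "dave", "entitlements": {"pos_app_user"}, "last_login": date(2015, 11, 3)},
]

# Constructed sample: HR roster, function per active employee.
# "dave" has left the company but still has an account.
ROSTER = {"alice": "cashier", "bob": "cashier", "carol": "dba"}

# Hypothetical role-to-entitlement map: what each function should hold.
ROLE_ENTITLEMENTS = {"cashier": {"pos_app_user"}, "dba": {"db_admin"}}


def review_access(accounts, roster, role_map, today, stale_after_days=90):
    """Return (user, finding_type, detail) tuples for a reviewer to act on.

    Three checks, each mapped to an action:
      orphaned         - account with no active HR record: disable it
      excess_privilege - entitlements beyond the user's role: remove them
      stale            - no login within stale_after_days: confirm or disable
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        role = roster.get(user)
        if role is None:
            findings.append((user, "orphaned", "no active HR record; disable account"))
            continue  # nothing else to check on an account that should not exist
        excess = acct["entitlements"] - role_map.get(role, set())
        if excess:
            findings.append((user, "excess_privilege",
                             f"role {role} should not hold {sorted(excess)}"))
        if today - acct["last_login"] > timedelta(days=stale_after_days):
            findings.append((user, "stale",
                             f"no login since {acct['last_login'].isoformat()}"))
    return findings


def run_review(today=date(2016, 6, 15)):
    """Run the review over the constructed sample as of a fixed review date."""
    return review_access(ACCOUNTS, ROSTER, ROLE_ENTITLEMENTS, today)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{user:8} {kind:17} {detail}")
```

Each finding maps to one action (disable, remove, or confirm), so the output doubles as the evidence trail an assessor will ask for: who was reviewed, what was found, and what was done. Keep the role map under change control; if anyone can edit it to match whatever a user already holds, the excess-privilege check stops meaning anything.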
2. Check in with your provider.
Outsourcing a control does not outsource accountability for it. Since you ultimately have the final responsibility for being compliant, it’s important to practice clear communication with your provider.
- Ask if they’ve moved beyond old compliance standards (e.g., PCI DSS 3.0) and are current with or transitioning to new ones (e.g., PCI DSS 3.1–3.2).
- Review your agreement to be sure any new threats or changes are addressed, and you’re clear on who’s handling what responsibility. Write that split down as a responsibility matrix: PCI DSS 3.x requires you to maintain a record of which requirements each service provider manages and which you manage yourself. Even if everything looked good at your last audit, a lot can change over the course of a year.
- Be sure you still have visibility into your provider’s security controls and practices. Ask for their current attestation or audit report rather than relying on the one you collected last year.
3. Stay current on standards and security threats.
Attack methods and trends can change dramatically in a short period of time, and the standard you were assessed against will not have caught up. Your team should stay informed on new threats and patterns in cybercrime, then adjust your controls accordingly based on the latest industry knowledge rather than waiting for a requirement to mandate the change.
With all of the compliance work you manage year in and year out, you may want to take a break from anything related to compliance for a while. But when you think of all the effort you put in, it’d be a shame to let it go to waste after your audit.