by Stuart Loh
The Infosec Compliance Process in 3 Simple Steps
This article is part of the Twingate Infosec Compliance Series. Written for IT admins, security ops, and anyone else tasked with implementing infosec requirements imposed by compliance standards, this series explains common standards, how they relate to information security, and how to get started with attaining compliance.
It can be imposing to embark on the compliance process for a new standard, particularly if you have no prior experience with it. Fortunately, although compliance standards vary significantly in content, the approach to tackling each one is very similar. The compliance process can be viewed as comprising three main components:
- Attaining Compliance: Bringing the organization up to speed and meeting all of the requirements for the first time.
- Maintaining Compliance: Compliance is almost never a “one and done” event. Compliance is an ongoing process that needs to be sustained indefinitely, and determining how to efficiently maintain compliance year in, year out is important.
- Demonstrating Compliance (or Ascertaining Compliance, if you want to make it rhyme!): In addition to simply doing what a compliance standard says, you will often need to create evidence of your compliance, such as by preparing documentation. For example, some standards are certified, meaning that they are only issued after a third party auditor has been able to verify your compliance.
1. Attaining Compliance
Initially attaining compliance is typically the most intensive stage of any compliance program.
Start with Project Management
Compliance standards usually contain a laundry list of requirements, so the first step from an infosec perspective is to identify all the infosec requirements in that list. Compile them into their own list so you can review and track them individually. During that review, assign each requirement to a directly responsible individual (DRI) who is tasked with ensuring the requirement is met and with reporting progress towards satisfying it. Even if you think you have already met a requirement, a DRI should still be assigned to confirm that this is the case.
While implementing each of those requirements is the bulk of the work, project management is a critical part of ensuring success. Project management is a discipline that others are more qualified to write about, but suffice it to say, organizations should appoint a project manager (or a PM team) who is responsible for tracking the overall status of the project, identifying roadblocks, escalating decisions when needed, etc. Tasks are frequently cross-functional, so project managers are important for facilitating communications between teams to ensure everyone is on the same page.
If a compliance standard isn’t exclusively about infosec, another team may be responsible for project managing compliance and will delegate the infosec requirements to you. You may, in turn, decide to have your own project manager for those requirements.
A wide variety of tools and frameworks exist to help with managing compliance projects. You may also want to consider retaining a consultant familiar with the compliance standard to act as a project manager.
Security requirements can generally be grouped into physical, organizational/administrative and technical requirements that variously involve:
- Procuring and deploying new technology systems or reconfiguring existing systems (for example, setting up an intrusion detection system, or hardening a server)
- Developing new, or editing existing, processes, policies and documentation (for example, establishing a formal written approval process for granting systems access to new employees)
- Disseminating new policies and processes throughout an organization (including providing training to affected teams)
Most infosec compliance standards aren’t very prescriptive when it comes to implementation, and they leave the exact details up to the organization. This means that there’s flexibility to select a solution based on the organization’s profile and resourcing constraints. A typical goal here is to seek the most efficient solution, while also keeping in mind future scaling needs. Sometimes the most efficient short-term solution will be a manual one, but manual solutions tend not to scale well. As an IT professional, you’ll be best placed to judge what approach makes the most sense for your organization.
For example, a common infosec requirement relates to having an offboarding process to ensure that systems access for departing employees is revoked. This can be achieved by having a manual process where you maintain a list of systems to review each time an employee is offboarded, disabling the employee’s account wherever it exists. This process may work initially, but maintaining the list will become challenging, and reviewing each system on the list will become more time consuming and error prone as time progresses. With a little additional upfront investment, you can implement a system like Twingate that avoids the need to maintain a separate list of systems and enables offboarding from most or all systems with just a few clicks (or even programmatically through an API). Organizations will need to assess when it’s the right time to invest in scalable solutions.
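To make the offboarding example concrete, here is an added illustration (it is not Twingate's code, and it does not call any real product API) of the "programmatic" end of the spectrum: a runner that walks a system inventory, disables the departing user's account on each system, and records an evidence entry per system. The inventory, the in-memory accounts, the user names and the disable_account handler are all constructed for this example; in practice each handler would wrap the relevant system's admin API. The point a practitioner cares about is the failure mode: one unreachable system must not abort the run silently, and the evidence log must show exactly which systems still need manual follow-up.

```python
"""Added example: inventory-driven offboarding with an evidence record per system.
All systems, accounts and users below are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed in-memory "systems": system name -> {username: account enabled?}
ACCOUNTS = {
    "idp":        {"alice": True, "bob": True},
    "vpn":        {"alice": True},
    "git-server": {"alice": True, "bob": True},
    "wiki":       {"bob": True},           # alice never had a wiki account
}

# The list a manual process would keep in a spreadsheet. "legacy-crm" is in the
# inventory but has no handler wired up, which is the kind of drift the article warns about.
SYSTEM_INVENTORY = ["idp", "vpn", "git-server", "wiki", "legacy-crm"]


@dataclass
class EvidenceRecord:
    system: str
    user: str
    outcome: str        # "disabled", "no-account" or "error"
    detail: str = ""
    timestamp: str = field(
        default_factory=lambda: datetime.now(timezone.utc).isoformat())


class SystemUnreachable(Exception):
    """Raised by a handler when the system cannot be administered (hypothetical)."""


def disable_account(system: str, user: str) -> str:
    """Hypothetical admin call: disable `user` on `system`.

    Returns "disabled" or "no-account"; raises SystemUnreachable if no handler exists."""
    if system not in ACCOUNTS:
        raise SystemUnreachable(f"{system}: no admin endpoint configured")
    accounts = ACCOUNTS[system]
    if user not in accounts:
        return "no-account"
    accounts[user] = False
    return "disabled"


def offboard(user: str, inventory: list[str] = SYSTEM_INVENTORY) -> list[EvidenceRecord]:
    """Attempt every system in the inventory and never stop on the first failure,
    so the evidence trail shows which systems still need follow-up."""
    records: list[EvidenceRecord] = []
    for system in inventory:
        try:
            records.append(EvidenceRecord(system, user, disable_account(system, user)))
        except SystemUnreachable as exc:
            records.append(EvidenceRecord(system, user, "error", str(exc)))
    return records


def remaining_access(user: str) -> list[str]:
    """Verification step: systems on which the user is still enabled."""
    return [name for name, accts in ACCOUNTS.items() if accts.get(user)]


def unresolved(records: list[EvidenceRecord]) -> list[str]:
    """Systems whose revocation could not be confirmed and need a human."""
    return [r.system for r in records if r.outcome == "error"]


if __name__ == "__main__":
    evidence = offboard("alice")
    for r in evidence:
        print(f"{r.timestamp} {r.system:<11} {r.user:<6} {r.outcome:<10} {r.detail}")
    print("still enabled on:", remaining_access("alice"))
    print("needs manual follow-up:", unresolved(evidence))
```

Running it shows three accounts disabled, one system where no account existed, and one error for the system with no handler. The evidence records are what an auditor would later ask for; the unresolved list is the work item the DRI still owns.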
Should You Get Outside Help?
It can make sense for companies with resource constraints or tight deadlines to hire a security consultant or firm to help. If you don’t have prior experience with a compliance standard, they can help you get oriented quicker. The experience that consultants gain from working with multiple clients also allows them to advise on the different approaches to implementing requirements that your peer companies take, and to recommend technology or services in the market that may be helpful. Make sure you define a scope of work that gets you the best bang for your buck. Consultants can help with a little (being available to answer questions on an ad hoc basis) or a lot (project management plus implementation).
An example of an area where a consultant can be particularly helpful is documenting security policies and procedures. This can be a very time consuming task, even if you are starting with templates, such as those from the SANS Institute. Having someone who comes in and takes care of interviewing your team and getting your policies down on paper for the first time can alleviate much of your workload. (Stay tuned for our forthcoming article about our SOC 2 audit process and the tools we used to help us get ready for it.)
2. Maintaining Compliance
Attaining compliance is a major step, but it is only the first step. Compliance is an ongoing process that needs to be sustained over the long term. Some ongoing compliance requirements are event-driven (e.g. in response to a security incident or hiring of an employee) and some follow a regular schedule (e.g. quarterly reviews of security policies or conducting annual training).
Ensuring compliance obligations continue to be met over time requires establishing operational processes supported by tools and systems that help to ensure the processes are actually carried out as intended. For example, this might mean scheduling reminders, or deploying automated systems that monitor activity and send out alerts when certain events occur so that further action can be taken. As mentioned above, investment into better systems and automation can make compliance easier as an organization grows in size and complexity, and prevent you from falling out of compliance.
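As an added example of the "scheduled reminders" idea (not part of the original article), the following turns a list of recurring obligations, each with a DRI and a cadence in months, into a due/overdue report for a given date. The control names, owners and completion dates are constructed; the one detail worth getting right in real tooling is month arithmetic, since a quarterly review completed on the 31st must not compute a due date that does not exist.

```python
"""Added example: recurring compliance obligations turned into reminders.
Controls, owners and dates are constructed for illustration."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class RecurringControl:
    name: str
    owner: str              # the DRI for this obligation
    cadence_months: int     # 3 = quarterly, 12 = annual
    last_completed: date


def add_months(d: date, months: int) -> date:
    """Advance d by whole months, clamping the day to the target month's length
    (e.g. Jan 31 + 1 month -> Feb 28 or 29)."""
    month_index = d.month - 1 + months
    year = d.year + month_index // 12
    month = month_index % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def next_due(control: RecurringControl) -> date:
    return add_months(control.last_completed, control.cadence_months)


def status(control: RecurringControl, today: date, warn_days: int = 14) -> str:
    """'overdue' if the due date has passed, 'due-soon' within warn_days, else 'ok'."""
    due = next_due(control)
    if today > due:
        return "overdue"
    if (due - today).days <= warn_days:
        return "due-soon"
    return "ok"


def reminders(controls: list[RecurringControl], today: date, warn_days: int = 14):
    """Rows (name, owner, due date, status) for every control that needs attention,
    earliest due date first."""
    rows = [(c.name, c.owner, next_due(c), status(c, today, warn_days))
            for c in controls]
    rows = [r for r in rows if r[3] != "ok"]
    rows.sort(key=lambda r: r[2])
    return rows


# Constructed sample obligations.
CONTROLS = [
    RecurringControl("Quarterly access review", "it-admin", 3, date(2023, 1, 31)),
    RecurringControl("Annual security training", "people-ops", 12, date(2022, 5, 20)),
    RecurringControl("Security policy review", "ciso", 3, date(2023, 4, 15)),
]


if __name__ == "__main__":
    for name, owner, due, st in reminders(CONTROLS, date(2023, 5, 10)):
        print(f"{st:<9} {due} {name} (DRI: {owner})")
```

A cron job that runs this daily and sends the rows to the named owners is the minimal "system that makes sure the process is carried out"; the same table, with completion dates appended as each review is done, doubles as the record an auditor asks for.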
3. Demonstrating Compliance
Many modern compliance standards not only require compliance, but they require organizations to be able to demonstrate or prove that they are in compliance.
Sometimes this is because the standard requires certification by a third party who must be able to verify compliance based on evidence. For example, a SOC 2 Type 2 report requires an independent auditor to verify that security controls have been attained and maintained over a defined period of time, and the auditor will request evidence (e.g. screenshots and written records) to do so.
Even if a compliance standard doesn’t require any formal certification (or is a self-certification standard), organizations may sometimes choose to voluntarily retain a third party auditor or consultant to review or double check their compliance and publish an unofficial compliance report which can be used to build trust with customers and partners.
Other times, the compliance standard itself requires compliance to be documented. For example, Article 5 of the GDPR contains an “accountability principle” that requires organizations to not only be responsible for compliance, but to “be able to demonstrate compliance with” its requirements.
Therefore, organizations should build into their compliance activities rigorous documentation and record keeping procedures, and ensure that those records are kept up to date.
How Twingate Helps with Infosec Compliance
Access controls are a cornerstone of all security compliance programs. When it comes to ensuring that the right people have access to the right systems and data, in the right context, Twingate makes attaining, maintaining and demonstrating compliance simple:
Attaining Compliance. Twingate makes attaining compliance easy by:
- Enabling access controls for all types of IT assets: Twingate allows Zero Trust-based access controls to be applied to all types of resources, including private apps, data, servers, and networks (whether on-prem or cloud-based) and public SaaS apps.
- Making deployment painless: IT teams have enough on their plates without having to worry about managing an intensive project to deploy a new system. Twingate can be deployed in 15 minutes without any changes to network infrastructure required. End users can self-onboard without any configuration or tech support needed.
- Least privilege access by default: Least privilege access is a security best practice and Twingate makes implementing it a reality. Twingate allows access to be assigned granularly at the user and application level.
- Identity provider integration: Leverage your existing IdP and apply SSO and MFA to any private app, service, or other resource.
- Supporting modern workforces: With remote work, independent contractors, and cloud-based resources becoming more prevalent, Twingate’s zero trust access model adapts to today’s dynamic work environment by tying access to user and device identities - not context-poor IP addresses.
Maintaining Compliance. Twingate makes maintaining compliance easier as well:
- Centralized access control: Manage access controls to any app across your entire organization from a single administrative console, instead of multiple app-specific ones. Twingate also makes periodic access reviews straightforward since you only need to review one system.
- Easy onboarding/offboarding: Twingate provides a single point of management, making onboarding and offboarding users a snap. The Twingate API also lets you automate access provisioning and deprovisioning tasks to further reduce workloads.
- Scaling: Have a growing organization? Adding more users is easy. And because Twingate takes care of scaling for you, you don’t have to worry about performance issues or outgrowing the solution.
Demonstrating Compliance. Twingate helps third parties determine whether you comply with access control requirements with less effort on your part:
- Enterprise-wide network visibility: Because Twingate manages access across the entire enterprise, our logging and analytics functionality provides you with enterprise-wide visibility, helping you detect and respond to anomalous events, and giving you insight into access patterns to help you refine your access policies.
- Single source of truth: Auditors only need to inspect a single system to understand who has access to what.
Contact us to learn more about how Twingate can lighten your security compliance workload.