From our experience working with high-growth technology companies subject to a myriad of compliance obligations, maintaining security and privacy compliance initiatives throughout the year is a prominent challenge that requires good management and a thorough understanding of recurring activities.
If no one is tracking which requirements happen at what frequency, and who is in charge of ensuring they are completed, it’s easy to get lost. Documenting such details is the first step in understanding compliance program requirements that span business units, product teams, and geographical locations.
Here is a checklist to help think through how to manage ongoing compliance in general:
- Inventory the Universe: Start by taking an inventory of the business’ regulatory and compliance universe (e.g., PCI DSS, SOC 2, HITRUST, GDPR, etc.) and the scope of those requirements. For example, the entire business may need to comply with GDPR, but perhaps only one or more products require a SOC 2 report.
- Understand the Overlap: Map the overlap of compliance requirements across compliance programs (e.g., user access reviews may be done once and provided as evidence for PCI DSS, SOC 2, HITRUST, etc.). When feasible, using a GRC platform, such as Phalanx GRC, can help to automate and synchronize these efforts as well as the collection of evidence.
- Assign Responsibility & Accountability: Assign control owners to each control/requirement across all programs (consider the scope of each compliance program).
- Collect Evidence Once: Ensure control owners understand their responsibility for operating controls, providing audit evidence per a defined cadence, and how to provide that evidence to a centralized repository (that may be used for various compliance programs).
- Implement Notifications & Technology: Where possible, implement technology to automate evidence collection and configure periodic reminder notifications to be sent to control owners to ensure compliance requirements are not missed (e.g., Phalanx GRC’s Compliance Calendar allows program owners to synchronize all compliance efforts across the business and send notifications to control owners).
Maintaining PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) has over thirty recurring compliance requirements, spanning multiple business functions, that must be maintained throughout the year.
As part of the first step above (inventorying the compliance universe), maintaining PCI DSS compliance requires documenting the recurring PCI DSS requirements and assigning control owners to them. As an example, and for helpful reference, below is a table of recurring compliance activities for PCI DSS (v3.2.1). This table breaks down the PCI DSS requirements that have an associated and specific recurrence interval throughout the year.
By understanding the landscape of these requirements and assigning compliance activity to control owners, an organization can help to ensure the ongoing management and health of the compliance program. As a further best practice, it is recommended that program owners build in checkpoints throughout the year to validate that control owners are operating controls as assigned and intended.
Table of Recurring PCI DSS Activities (v3.2.1)
*Note that this list is not meant to be exhaustive but is intended as a tool to assist organizations in thinking through the management of their ongoing PCI DSS compliance requirements. Organizations should read and familiarize themselves with the entire PCI DSS and assign owners to every requirement and sub-requirement to ensure the organization’s ongoing PCI DSS compliance.