One of the toughest compliance challenges facing organizations is how to build a program that efficiently manages all the compliance controls and mandates without overlap. Adobe recently released a white paper detailing its Common Controls Framework (CCF) and how it helps meet important standards. While vague, the white paper emphasizes multi-standard compliance from the perspective of a company that makes a software product that must itself comply with standards.
The CCF white paper doesn't provide enough detail to shape the specifics of security programs used by other organizations, but it does offer a good conceptual approach to conducting business in a world of overlapping regulatory requirements.
Rationalizing security requirements
The most important function of the Common Controls Framework is to perform a rationalization process. In this approach, compliance and security experts pore over the details of various compliance regulations and identify common controls required by two or more requirements. This reduces the complexity of managing compliance programs with overlapping regulations.
For example, the federal government publishes the Federal Risk and Authorization Management Program (FedRAMP), a set of compliance requirements for vendors seeking to provide cloud services to federal agencies. FedRAMP requirement RA-5 mandates annual independent vulnerability scans of computing systems.
At the same time, the Payment Card Industry Data Security Standard (PCI DSS) regulates merchants and service providers handling credit card information. PCI DSS requirement 11.2 mandates quarterly scans of computer systems performed by an approved scanning vendor.
An organization seeking to rationalize the FedRAMP and PCI DSS requirements would likely create a single control that overlaps both requirements. In this example, the organization's compliance framework might include a requirement for quarterly vulnerability scans that use a PCI DSS-approved scanning vendor. This rationalized control would then satisfy FedRAMP RA-5 and PCI DSS 11.2. The organization would only need to continue meeting its own control standard while remaining confident it is compliant with both requirements.
Adobe's CCF rationalizes the requirements of 10 different security standards important to Adobe. These include PCI DSS, FedRAMP, the Sarbanes-Oxley Act, ISO 27001 and others. Adobe's rationalization process collapses 1,000 detailed requirements into 200 rationalized requirements.
Phasing in compliance rationalization
In its white paper, Adobe characterizes CCF as a work-in-progress with an implementation roadmap stretching across four years. It outlines a phased approach that deploys CCF across multiple Adobe products through the end of 2016.
Organizations building their own compliance programs may use this phased approach as an example of a reasonable approach to compliance. Presumably, Adobe performed a risk assessment and targeted the highest risk and lowest effort areas for initial phases of the program. This approach attacks the low-hanging fruit first, delivering immediate benefit to the organization. Organizations may choose to prioritize compliance activities based upon current control status, likelihood of audit, security risk, enforcement penalties and other criteria.
Building your own compliance program
Unfortunately, Adobe does not publish the details of its Common Controls Framework for public consumption. Therefore, organizations can't simply adopt it as the framework for their own compliance programs. This leaves two options: create a new compliance framework or build upon an existing system.
Building a new program is a time-consuming process and is likely only valuable if your organization has highly specialized compliance requirements not already addressed by an existing framework. Most organizations seeking to rationalize compliance would benefit from starting with an established framework, such as the Unified Compliance Framework (UCF). The UCF provides a pre-rationalized listing of over 90,000 requirements from over 800 laws and regulations.
While a company can't directly leverage Adobe's CCF for its own compliance program, it can be used as a model for an organization's approach. Begin by inventorying compliance obligations. Once a complete list is built, perform control rationalization by either performing an assessment or building upon an existing framework such as UCF. Your organization may then proceed to map its security controls against the rationalized requirements and streamline the compliance process.
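The rationalization step described above (the FedRAMP RA-5 versus PCI DSS 11.2 scanning example) and the inventory-rationalize-map procedure in this section can be modeled in code. The example below is added here and is not Adobe's CCF or any published framework; it assumes each obligation can be described by an activity, a minimum yearly frequency and a set of constraint tags (such as "independent" or "asv" for an approved scanning vendor), and derives one control that is at least as strict as every obligation it absorbs.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Requirement:
    framework: str          # e.g. "FedRAMP"
    ref: str                # e.g. "RA-5"
    activity: str           # what must be done, used to find overlaps
    per_year: int           # minimum number of occurrences per year
    constraints: frozenset = frozenset()  # tags such as "independent", "asv"

@dataclass
class Control:
    activity: str
    per_year: int
    constraints: frozenset
    satisfies: list = field(default_factory=list)  # requirement references it maps to

def rationalize(reqs):
    """Collapse requirements that mandate the same activity into one control
    that is at least as strict as each: highest frequency, union of constraints."""
    controls = {}
    for r in reqs:
        c = controls.get(r.activity)
        if c is None:
            c = controls[r.activity] = Control(r.activity, 0, frozenset())
        c.per_year = max(c.per_year, r.per_year)
        c.constraints = c.constraints | r.constraints
        c.satisfies.append(f"{r.framework} {r.ref}")
    return controls

def covers(control, req):
    """True when meeting `control` also meets `req`."""
    return (control.activity == req.activity
            and control.per_year >= req.per_year
            and req.constraints <= control.constraints)

def uncovered(controls, reqs):
    """Mapping check: obligations no rationalized control satisfies."""
    return [f"{r.framework} {r.ref}" for r in reqs
            if not any(covers(c, r) for c in controls.values())]

# Constructed inventory: the two obligations discussed in the text.
INVENTORY = [
    Requirement("FedRAMP", "RA-5", "vulnerability scan", 1, frozenset({"independent"})),
    Requirement("PCI DSS", "11.2", "vulnerability scan", 4, frozenset({"asv"})),
]

if __name__ == "__main__":
    ctrls = rationalize(INVENTORY)
    for c in ctrls.values():
        print(c.activity, c.per_year, "per year", sorted(c.constraints), "->", c.satisfies)
    print("gaps:", uncovered(ctrls, INVENTORY))
```

The resulting control is a quarterly scan by an independent, PCI DSS-approved vendor, and `uncovered` reports an empty gap list, which is the confidence the text describes: meet your own control and both source requirements are met.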
About the author:
Mike Chapple, Ph.D., CISA, CISSP, is a senior director of IT with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Chapple is a frequent contributor to SearchSecurity.com, and serves as its resident expert on enterprise compliance, frameworks and standards for its Ask the Experts panel. He is a technical editor for SearchSecurity.com and Information Security magazine and the author of several information security books, including the CISSP Prep Guide and Information Security Illuminated.