Have you curled up with any good IT compliance books lately?
Yeah, we haven’t either — except for JumpCloudian Kate Lake who has been digging into The IT Manager’s Guide to Data Compliance Hygiene. Understandably, most IT managers avoid dealing with compliance until deadlines are looming.
Maybe it’s because the subject matter is about as dry as one of those bird seed-looking crackers. You know, the kind you can only buy at organic and specialty grocery stores.
If you’re not into bird food, or you’ve been too busy troubleshooting tickets, monitoring security threats, and onboarding new employees to look into compliance protocols, this article is for you. We’ll discuss the four most common surprises you will likely encounter when spearheading the IT compliance audit process for the first time.
Whether you’re prepping for SOC 2, PCI DSS, or another security standard, use the following information to mentally prepare for what’s to come.
4 Challenges to Staying IT Security Compliant 24/7
Data compliance necessitates following several overlapping guidelines, ranging from disclosing how collected data is used and restricting access to sensitive information, to fixing security vulnerabilities and ensuring the accuracy of the information you hold.
But the real challenge lies in meeting these obligations while complying with multiple regulations at once! Let’s discuss some common challenges you may face when implementing compliance regulations and how to confront them:
1. Long Review Periods
Timing — it’s one of the most nerve-wracking aspects of data compliance audits. Take SOC 2 Type II for example.
It involves a 2- to 3-month remediation period followed by a 3-, 6-, or 12-month observation period. The length of the observation period is up to your organization.
During this period, auditors can conduct interviews with stakeholders, request evidence of controls, and assess compliance at random. Unfortunately, this means they may happen to choose an atypical day with a high number of control failures.
In such instances, it’s your responsibility to explain what’s going on. For example, you might present the auditor with a list of your devices and a list of items that aren’t yet compliant. You might then say something like: we have tickets open on 10 devices, and a handful of devices were deployed for new hires yesterday.
Consistent and clear communication is essential.
2. Unclear Control Guidelines
The next frustrating roadblock you may encounter is ambiguous control guidelines. Regulatory agencies provide little guidance on selecting and defining controls.
While certain guidelines leave no room for misinterpretation (e.g., employ multi-factor authentication), others provide significant leeway on the best course of action for achieving results.
Even the AICPA is a bit vague when it comes to providing instructions for SOC 2. With dozens of controls spanning multiple security avenues, it’s easy to get lost in the weeds. Audit workflow software is one way to expedite the process.
In addition, the JumpCloud Open Directory Platform provides recommended policies that you can turn on with the flip of a switch. The platform’s customization makes it easy to automate the most common controls and hygiene standards you need to achieve compliance.
3. Competing Regulatory Requirements
Sometimes the problem isn’t “not knowing what to do,” but navigating seemingly conflicting standards and regulations. Just ask Idan Mashaal, JumpCloud senior EMEA solution consultant and Israel country manager.
During his time as employee no. 5 at Plus500, Idan confronted many unexpected challenges while managing requirements from multiple countries including the UK (FCA), Australia (ASIC), Cyprus (CYSEC), and more.
“In one particular instance, the GDPR said we needed to allow users to be forgotten, but the financial regulations said I needed to store the information for seven years,” he said. “So, we were in a debate between the law and the European Union, which dictated a 50 million euro fine, and the license that will allow me to make money.”
In addition, the GDPR only applies to the EU, which raises the question: Should the organization apply the regulatory standard universally (at the expense of global business), or should it create a separate system for business conducted outside of the EU?
Ultimately, Idan realized “the right to be forgotten” isn’t synonymous with the “right to be deleted.” The solution was to “forget” who the user was as a person while still keeping the data intact. This is just one example of the many types of unexpected situations you may encounter when becoming compliant.
4. Balancing Usability and Regulatory Compliance
Balancing data compliance controls with workflow efficiency isn’t always easy. In some cases, regulations present unrealistic parameters that defeat their purpose. For example, say one regulation requires screens to lock after 10 minutes.
But your research and development (R&D) department says that any lock timeout under 15 minutes interferes with their daily processes. This is just one of many small but significant challenges that can occur when balancing controls with user experience.
Admins are often faced with answering a difficult question: Do we run the business most effectively or most securely? This unintentional catch-22 can make it even more difficult to find effective solutions that achieve both ends.
As an IT manager, you can and are expected to solve problems in innovative ways. You can ideate creative workarounds as you build toward compliance so long as you can:
a) provide the reason behind the control failure and
b) provide documentation of proposed remediation.
In such instances, your auditor will check back in 30 days. As long as you have followed through with your remediation plans, and demonstrated intelligent thought in following guidelines, you’re in good shape.
Remember: auditors aren’t pencil-pushing enemies analyzing rows of data for breakfast!
They are supportive professional partners who possess valuable insights to help you succeed.
The more transparent you are from the beginning, the better equipped they are to propose unique solutions to your problems. Work with your auditor to seek solutions to whatever makes it tough to follow a particular regulation, rather than assuming nothing can be done.
Simplify Security Compliance with JumpCloud
If you’re ready to streamline IT security compliance planning, we recommend consolidating your stack as much as possible. Fewer tools mean less time spent sifting through copious amounts of compliance data and less risk of human error when cobbling it together.
JumpCloud’s Directory Insights feature allows admins to access a variety of data points that can be quickly filtered for internal and external auditing purposes. Admins can also use the advanced Users to Devices, Users to Servers, and Users to Directories reporting options.
Ready to get compliant? Our IT Compliance Quickstart Guide will walk you through how to prepare for an audit and how to boost your IT security baseline.