During my time in compliance, I have worked with a lot of small teams, sometimes even with companies that have five or fewer employees. For many of these organizations, key personnel only have so many hours in the day and need ways to show reasonable assurance without spending too much time in meetings and checking boxes. Here are five of the most common controls or strategies I recommend to clients with lean teams to save them time and make their annual compliance engagements smoother:
1. Policy Matrix/Critical Policy Review Checklist
One of the most critical parts of compliance is having fresh evidence and up-to-date policies and procedures. Critical as it is, manually editing every policy and procedure each year is tedious. One potential method is to condense all information security policies into one large document, but this often does not cover other important policies, such as risk assessment, vendor and key human resource policies. This method can also be cumbersome depending on the level of versioning and frequency of edits.
What I recommend instead, or in tandem with this option, is a Policy Matrix and/or Checklist that is reviewed and performed annually. By listing all your critical policies in one central document, you can review them more easily, keep track of your major edits, and leverage the document as a control for your audit. This is commonly an Excel document but could be a ticket or Word doc depending on your organization. What matters is ensuring that all critical policies are in the document, that the responsible policy owner is identified and performs the review, and that the review is dated.
2. Quarterly Security Meetings
In cybersecurity and engineering, information moves quickly, and communications are often informal unless required to be otherwise. It can easily become the norm to meet often with no notes, or to communicate everything over channels in Teams. While this is fine for day-to-day operations, it makes it hard to quantify the hard work and progress made by these teams. I recommend documenting the major changes, incidents and successes in a quarterly meeting. There are countless templates for running these meetings; I recommend taking two or three of your favorites and blending them together.
One of the best things about setting up these meetings early is that as your organization expands and your audits/frameworks change or increase, you can adapt this meeting to satisfy other requirements, such as the ISO 27001 Information Security Management System management review.
3. The Internal Controls Matrix
Anyone who has worked on a lean team will know people sometimes wear a lot of different hats. In compliance, we see this as a risk not only from a cybersecurity standpoint but also when it comes to sustainability. If your lead engineer has to be on-call during vacation and never gets to truly relax, they may not be your lead engineer this time next year.
To head this off early, along with an issue we call “job duty creep”, your organization should document its critical job duties in an internal controls matrix. The term internal controls carries a lot of weight, but put simply, these are the individual or team duties that can be reverse-engineered from your job descriptions, if those are accurate. There are many ways to document this, but it can simply be a spreadsheet housed in your shared drive and reviewed annually. It should document what the job duty is, who performs it and how often, and you should assign one to two backup control owners.
A lot of frameworks recommend or require an Internal Controls Matrix. As you grow and spread out these critical duties, it is a fantastic way to reduce burnout, avoid missing key duties and give management an honest representation of the critical duties within the organization.
4. The User Access Review
Performing a User Access Review (UAR) is a habit that can sometimes seem odd to smaller teams. The UAR is a review or recertification that all users’ access is reasonable and all user groups’ access rights are correct. This review can feel unnecessary when there has only been one termination in the last 18 months, but the UAR is a necessary control. When someone covers for another team member, they are granted access to a tool, and that access is then forgotten. Over time, this can leave an employee holding several admin credentials. This often happens with long-term interns as well as high-performing associates.
5. Know Your Busy Season
Tying all these together and scheduling them properly is our last good habit. If your organization closes out its major projects every year in Q4, you should not be administering annual requirements during this time, such as performance evaluations or annual information security training.
This applies to the other habits above, and to when you schedule your annual attestations. For many of these engagements, when discussing scope, you can decide when they are performed. I highly recommend scheduling them in your “slow” season; most organizations have a quarter of the year that is a tad slower, and that is the time for these engagements. Plan your other annual controls so that they occur the quarter before or after, if possible. That way you have either just completed these controls, or you can perform them with the audit team’s comments fresh in your mind and address any risks identified.
Setting a Strong Foundation
Once all these habits are being performed and your team feels the ebb and flow of compliance and security controls at your company, you have set up a strong, robust foundation of compliance habits. They will help you avoid major growing pains from new compliance audits and sudden expansion. More importantly, though, the members of your team can plan proper vacations with their families, invest in themselves to grow professionally, and spend time doing the things that matter most.