Compliance as a Service

Thursday, October 01, 2009

Bob Broda


In response to “Compliance as a Service. Does it Exist?”

CaaS would be a value-added service that would attract plenty of customers. But how real is the likelihood of this service being offered? There are a number of issues associated with the CaaS concept:

 - You can’t outsource your responsibility: if you outsource any functions, it is still your responsibility to ensure your regulatory obligations are covered by the service provider

 - The AaaS (Anything as a Service) provider will most likely only cover a portion of the customer’s regulatory requirements and will have to be VERY specific on what is and is not covered

 - Most service providers currently put the “regulatory compliance” responsibility on the customer. One example of this is a hosting provider providing a copy of their SAS70 to their customers with the expectation that the customer will determine applicability and compliance.

 - The current idea of AaaS focuses on lowering the cost to the end customer. Having the provider assume the liability for the customers’ regulatory requirements would add significantly to the cost structure.

 - Although PCI, GLBA, SOX, and HIPAA have similar security requirements, not many companies have detailed knowledge of all these regulations. Other regulations and customers’ concerns cover more than just security risks. There are a number of regulations that change periodically, and most service providers do not have the time or staff to stay current.

 - There is not a single auditor available who has the knowledge or authority to certify multiple compliance requirements. Unless vendors are responsible for executing or monitoring all transactions, it will be difficult for vendors to assume the responsibilities for someone else’s regulatory requirements.

The financial services industry (banks, credit unions, etc.) has been looking to outsource its regulatory requirements for some time. Being able to focus on your core business and pay a fee for others to focus on their own core competency makes good business sense. Except when it comes to regulatory compliance: your regulator will hold YOU responsible, no matter what kind of service level agreements you may have from your auditor.

The financial services companies that have “outsourced” their compliance efforts have largely contracted with a firm to periodically perform a “pre-audit” to ensure they can pass the audit BEFORE the real auditor shows up. With the changing regulations on the horizon, the concept of “Compliance as a Service” is becoming more intriguing in the Financial Services sector.

Other industries are now facing these same challenges, especially the IaaS and SaaS providers. These providers can potentially have customers that have to abide by virtually any and all regulations. They do not have the resources or the culture of dealing with regulatory requirements and regulators. These vendors can start addressing these challenges by:

 - Take an assessment of the controls currently operational in their organization.

 - Map these controls to regulations that their customers most frequently ask for (SOX, HIPAA, PCI, etc).

 - Identify missing controls required to satisfy the regulation.

 - Implement the missing controls. Have an auditor (ISO, PCI, CPA) issue a statement on the effectiveness of the controls.

 - Construct a report illustrating controls by regulation to clearly show existing and potential clients that the AaaS provider meets their regulatory requirements.

Once the AaaS vendor has established that it does have the knowledge of its controls and of the regulations its customers ask most about, it can then determine whether it can indeed offer CaaS to its customers.

Visage offers its own variation of CaaS. Although Visage works on behalf of its customers and is not responsible for the operation of their controls, Visage does offer a service that includes:

 - Mapping current controls to regulations deemed appropriate by the customer

 - Making recommendations to remediate problems and improve regulatory compliance

 - Assisting in remediation or documentation activities

 - Providing independent testing to ensure controls are working effectively

 - Monitoring regulations for changes that may affect your control structure

Is CaaS impossible? Only if you expect to outsource your responsibility to a third party. Your regulator will ALWAYS hold your organization responsible.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.