Overwhelmed by Domestic and International Authority Documents?
Our series Documentation Readiness for your IRM/GRC ServiceNow Implementation has been written for IRM and GRC professionals with the intention of sharing tips and tricks for your current or future ServiceNow IRM/GRC implementations.?
Part Three: Understanding Authority Documents
Frameworks vs Regulations
Authority documents are usually one of two types. There are frameworks and there are regulations, and it’s important to understand the difference between the two. Frameworks are open to interpretation, just like art. Unlike frameworks, regulations are representative of the law, therefore there is less interpretation possible.?
Frameworks
Frameworks, depending on the company, are sometimes referred to as methodologies or best practices. The terminology does not matter; whatever works at your company is correct. Frameworks can take the form of many different types of guiding principles and should be used as a model when determining how to go about bringing good practices into your company.?
If there’s one thing to take away from this article is that frameworks are recommendations which were written to be intentionally broadly applicable. This means that the framework is written to apply to companies regardless of their maturity, size, systems used in IT, or level of framework adoption.?
Some well-loved framework examples are…
Of course, some of these frameworks lean towards industries, such as Hitrust for healthcare & pharmaceutical, or CIS for DoD. And, although there is alignment, it is still important to remember that these frameworks are written in an intentionally nebulous way so it is up to you to make them yours.?
For example, let’s take NIST CSF. If you don't follow NIST CSF in your company, there are no legal repercussions. Adhering to NIST CSF guidelines can prove advantageous for you as numerous IT industry and security practices rely on these principles. They serve as excellent pillars for establishing and structuring various controls within your IT structure and department. If you are a small company, incorporating certain NIST CSF controls are recommended; however, attempting to adopt all of them may overwhelm and consume your resources. Medium and larger companies can scale to the entire framework over time. Best practice would be to use the framework and to make it work for your company, especially if you don't have a regulation guiding your operations. Another example is ITIL, a fantastic framework used for a myriad of IT Service Delivery constructs. It is the same scenario in this example - the framework does not have to be assumed in its entirety to gain benefit in your operations.?
There are some frameworks that align better to some industries as compared to others. Hitrust is an excellent framework that is used for healthcare to align with HIPAA. HIPAA is a regulation and will be discussed later in this article.?
Companies have various choices when it comes to adopting frameworks, ranging from wholeheartedly embracing them with multiple components to utilizing them merely as a guiding principle. But still, every single citation listed in the framework that you've chosen must be rewritten so that it applies to your company and not left the way that it is stated out the gate within the framework. That's very important to remember.?
As the framework citations are reconciled, develop a roadmap that aligns with your company's one, three, and five-year goals for the citations that your operations cannot assume today.?
Regulations
The other type of authority documents are regulations. These types of documents reflect the law. Unlike frameworks, companies operating in regulated industries must adhere to the regulation.
领英推荐
For instance, if you operate in the healthcare industry, you are obligated to comply with HIPAA regulations. Similarly, GLBA regulations are applicable in the banking sector, while Sarbanes Oxley Act is mandatory for publicly traded corporations.
If your company retains any consumer data, and that consumer data is representative of one of the six states in the US which have privacy laws, you need to understand what your requirements are from a regulatory perspective of how to handle and process that consumer data the right way inside your organization. That is the law.
As a company you should have updated your operations to be in compliance with CPRA as of January 1, 2023. If your company stores, processes or transmits information about consumers in other countries, it’s important to adhere to the privacy bill in Canada, GDPR in Europe, PIPL in China, and LGPD in Brazil, to name a few. Make sure you understand data transfer laws.?
When discussing regulations as authority documents, HIPAA serves as a well-known example. In 1996, when HIPAA was written, the law stated that the safest way to transfer personal health information was through a fax machine. At the time, this was an accurate statement, and fax machines are still considered a secure method of transferring personal health information in the medical industry. However, additional guidelines for transferring electronic personal health information (ePHI) were introduced with the Security Rule and the Electronic Health Records Rule as enhancements to HIPAA. This implies that although HIPAA compliance is crucial, there may be other acceptable ways of handling personal health information in addition to the original guideline provided in 1996.
It is crucial to comprehend the controls listed in the law that your company and industry must adhere to. Pay careful attention to what applies to your company's operations and what does not.?
Each citation, which is a derivative of a regulation authority document, must be acknowledged and appropriated for relevance in your operations. This means that some of the citations are relevant today, some will be on a roadmap, and others will never be applicable to your organization therefore will require risk acceptance or mitigating citation/control objectives. When accepting risk, you must explain why the citation is not applicable, and this should be included in your acceptable risk statement which is reviewed regularly, along with your policies. Reevaluating citations from regulations periodically is crucial to determine their relevance to your operations. Make sure that your compliance team is well apprised of any changes to regulations so that your policies and control objectives can be updated appropriately.?
Citations
ServiceNow refers to the sections, or controls, within authority documents as citations, which are present in both regulations and frameworks. To comply with these citations, your internal published documents, such as policies, processes, standards, procedures, contracts, and programs, must address adherence to them in the form of control objectives. It is critical to align control objectives to the true daily operations in your company so that the rightful owner of the control receives tasks that they can accurately attest to. If we leave citations and control objectives en masse, without appropriating them, we have no owners for attestation requests. See our previous article Ready to Start Writing Your Own Policies? for an in-depth description of how to do this.?
Because it is possible for one control objective to map to one or many citations, the act of attesting to controls will cascade to citations, and ultimately authority documents, when displaying compliance to those authority documents.? Therefore, by addressing one control objective, you can satisfy the requirements of multiple authority documents.
For instance, implementing a Change Management policy and competency can provide you with numerous controls that can be traced back through citations during an IRM/GRC implementation in ServiceNow, connecting to authority documents. By establishing this connection, compliance with various authority documents can be demonstrated through a single Change Management policy.?
Conclusion
Authoritative documents are useful in keeping your doors open if you are adhering to a regulation, structuring operations to conform to standards, adhere to best practices, obtain certifications, and maintain organizational function. However, it's crucial to be aware of common pitfalls when working with such documents to avoid unintentionally overwhelming yourself by taking on more citations than you can handle.
Our next article will explore risk management as a competency across industries.?
You can find part One and Two of this series below