And now, we comply...

So far we have discussed various instruments, methods, and approaches that can help your organization be more compliant. However, the ideal way to achieve compliance is through standardization, which will bring together all these instruments in a coherent manner that can be used by anyone at any time without any uncertainty.

Standardize: Business functions approach

Like Zylker - Think, the company also offers Zylker - Health and Zylker - Media, which create platforms for healthcare and content creation purposes, respectively. These platforms have the same structure as Zylker - Think, with the development, marketing, and support teams working together.

The same set of activities is done by multiple teams and they all make an effort to stay compliant. Yet there will always be variations. If the same process is repeated, does it not make sense that it should be repeated in a consistent manner across all teams?

Not only will this make compliance easier, but it will also make the processes easier for your employees. They can, with conviction, focus on doing their processes well if they know that they are doing them right.

The same set of activities repeated across different teams can be grouped into business functions, each standardized into a defined set of activities. The activities teams perform every day will then simply be instances of these business functions.

Typical business functions in any organization will include:

  • Product management
  • Engineering/production
  • Infrastructure
  • Sales and marketing
  • Governance, regulations, and control
  • Human resources
  • Finance
  • Research and development

This is by no means the only method of defining business functions. Depending on the nature of your organization, you can have more:

  • A software company may choose to split infrastructure into separate business functions like IT and network operations.
  • An automobile company may choose to split production into manufacturing and assembly.
  • A media company may choose to handle public relations and sentiments as a separate business function.
  • A healthcare organization may choose to have governance and legal counsel as separate business functions.

However, the concept of standardization remains the same:

Group similar activities, standardize them, and make every process of your company an instance of this standard.

Zylker decides to make development a business function with the following set of standard activities:

  1. Understand feature requirements from the product management and sales teams
  2. Define software and hardware components, and interfaces among them, based on:
    • Platform requirements
    • Security: Integrity, confidentiality, and availability
    • Privacy: Purpose limitation, data minimization, and storage limitation
  3. Understand the risks of components and interfaces, including those of third-party software libraries and services, and implement appropriate controls (threat modeling)
  4. Define entities and relationships, and create an entity relationship (ER) diagram
  5. Define tables and relationships in a data dictionary
  6. Define the flow of data across components (product IAR)
  7. Code using the development environment
    • Understand vulnerabilities and apply appropriate controls
    • Check in the code at the repository
      • Understand and fix check-in warnings and errors
  8. Review the code against the functional and non-functional requirements
  9. Define test cases (unit testing)
    • Test functionalities
    • Test misuse and abuse cases
    • Test performance and scalability
  10. Review test case coverage and validate functionalities (QA)
  11. Deploy build in local staging
    • Request and obtain machines from the infrastructure teams
    • Register the product in the product register
    • Deploy build
    • Perform data migrations if required
    • Perform integration testing
    • Obtain QA validation and confirmation that no existing functionalities have broken
  12. Fix security and code-level threats, and address vulnerabilities in logging, data validation, session management, and encryption
  13. Deploy build
    • Request and obtain machines from the infrastructure teams
    • Modify configurations to suit the production environment
    • Perform data migrations if required
    • Deploy build in pre-production setup
      • Test core functionalities
    • Deploy build in production
    • Perform integration testing
    • Obtain QA validation and confirmation that no existing functionalities have broken
  14. Educate the support, sales, and marketing teams, as well as other interested parties
  15. Monitor and improve product features based on usage, performance, and errors, and raise change requests

All three Zylker teams—Think, Health, and Media—will follow the same set of activities for development, but as different instances. Each instance of a standard activity (in Health and in Media) will have its own RACI. Each standard activity will be supported by a robust framework that provides the required impetus for compliance.

Standard activities under business functions, repeated throughout the company as instances, will lead to compliance.

Guidance and evaluation

The biggest advantage of standardization is how much easier it makes guidance later on. When all instances of an activity adopt a unified procedure and follow a consistent system of metrics for evaluation, it becomes easier for the SPA team to smooth the company’s compliance journey.

The guidance and evaluation will be based on one question:

Where does the activity tree stop branching?

In other words, for each activity that cannot be broken down further into subactivities, there should be a procedure to guide that activity and a system of metrics to evaluate it.

A procedure should contain:

  • Review, approval, and revision controls.
  • A sequence of steps to be followed, described in simple language that anybody can understand.
  • Roles and responsibilities for those steps since the RACI can't go beyond this activity.
  • Prerequisites like documents or checklists.
  • Exceptions that may occur and instructions for how to handle them.
  • Screenshots to simplify understanding.
  • References and relevant links.

Metrics for monitoring and measurement should be based on:

  • What will be checked to ensure that the process is followed?
  • Which parameters will be considered to ensure that constant progress is seen from the procedure being followed?

A framework for you

The 3P framework gives you a very high-level view of compliance. It is still the best and most practical way to create your own compliance framework. However, to make sense of all the instruments and ideas spoken about in this book, you may need a more elaborate framework.

A framework, for all its varied eloquent definitions, is simply a glorified table. Sticking to this simplistic version, consider the diagram below, where each block is a column and each row will be an activity (preferably, a standardized activity).

Using the framework

Every product your company creates, every service it provides, and every operation it undertakes will be an instance of this framework. This framework ensures that each project your organization undertakes will be compliant because a compliant framework drives the activities in that project.

This framework will also form the basis of your core compliance requirements. Here's how you can use this framework:

  • A list of consolidated activities will help you frame your organization’s records of processing activities, which is a crucial requirement of the GDPR.
  • A list of deliverables will help you form the product registry. This will help you during ISO audits, where you can consolidate and prepare evidence based on the product being audited.
  • Mapping your asset with your RACI matrix will help you in asset management and ownership.
  • The mapping of deliverables with the IAR will form a crucial part of your process documents during any audit.
  • A map of risk vs. control will form your risk registry. This can also help you treat the risks according to their weight based on any standard (say, NIST).
  • A list of applicable standards and control codes will help you form the statement of applicability required for any audit.
  • A list of policy statements will help you create policies for your company and publish them in your portal.

This is only a limited use for the framework. Based on the nature of your organization, this framework can be used in numerous beneficial ways.

Scope: This framework can be applied to any organization, non-IT ones as well—from a digital marketing firm to a manufacturing company that produces gear boxes for automobiles. The concepts of accountability, asset management, risk assessment, and a framework-based approach will remain the same.

Recap

Conclusion—but is it, really?

Compliance is not what you do but how you do it. It is the most reliable way to assert that your actions towards your goals are working. Without this assertion, the effectiveness and efficiency of your processes can very well be categorized as imagination.

You may ask, "If I create this framework and maintain it, am I done with compliance for good?"

The answer is a big no! However, this framework will ensure that you are in the perfect position to become compliant with any regulation or standard. These methods, while helping you improve your process, will create a platform that will ensure that compliance with anything is never again a burden in your organization.

ZOHO STORY

Creating a framework for compliance is like learning to learn. We can never really be done with compliance, because there are always new challenges as business grows. A new industry to venture into, a new country to start business in, and a new certification to enhance customers’ trust will always be there. But the crucial aspect of this journey is that we know we can comply with anything because our processes are oriented that way, because compliance is just a by-product of well-defined process control. Any company that focuses on its processes will sail through compliance requirements, and that is what we do here at Zoho.
