In an ever-changing regulatory landscape, companies have to comply with a whole range of standards and regulations relating to data protection, IS and employee security, or the operation of their products.
Beyond the penalties for non-compliance - which can be significant -,
a security breach or unaddressed vulnerability can seriously damage an organization's brand image.
Managing gaps compliance is therefore a key issue, and one that raises a number of questions.
- What is a compliance deviation?
- What happens if they're not properly managed?
- What solutions can your company implement?
Before answering, let's start at the beginning.
What is a compliance deviation?
A compliance deviation is a situation where the rules defined by the information system security policy (ISSP) are not correctly applied. According to Baptiste David, PreSales and Delivery Manager at Tenacy, "a compliance deviation is characterized by a finding of non-compliance with regard to an established politique ".
Most of the time, gaps are detected duringexternal audits carried out by independent auditors. These auditors inspect, question and document the non-conformities they identify. Audits are carried out at regular intervals to ensure that gaps has been taken into account, and to monitor the company's corrective actions over time.
Every company is likely to generate gaps compliance issues, whether of a technical or organizational nature. That's why it's essential to implement a proactive strategy to detect these gaps, which can take many forms.
Technical deviation
A technical gap generally refers to a vulnerability, misconfiguration or design error in the company's technical infrastructure.
Non-application of a critical update, non-activation of a security feature... The sources ofgaps can be numerous.
Organizational gap
An organizational gap occurs when the security policies or procedures defined within an organization are not properly followed, implemented or documented.
A frequently observed case is that of a company that has established a cybersecurity awareness policy, obliging employees to follow an awareness-raising curriculum. However, during an audit, it may be found that this training has only been carried out once every two years, or that employee commitment to e-learning training is unsatisfactory. Whether minor or major, gaps organizational compliance must be closely monitored.
What happens if the company does not process these gaps ?
The management of gaps compliance issues is an obligation for all companies, whatever their sector of activity. It is an integral part of an IT security management system (ISMS), and involves more than simply identifying problems: it also requires corrective measures to be put in place to resolve them.
When a gap is identified - whether it's a vulnerability, a non-conformity or any other malfunction - it's imperative to document it, track it, and ensure that appropriate action is taken to resolve it.
Beyond the cyber risk, the absence of a gaps management system can have damaging consequences for the company, such as the loss of certification(ISO 27001, TISAX...).
Increased attack surface
Failure to manage gaps compliance within a company increases cyber risk. For Baptiste David, "in terms of risk management, failing to address a gap is tantamount toleaving a known hole open and widening the company's attack surface ". A mistake that can be heavily penalized in the event of compromise.
Legislative sanction
Leaving gaps compliance issues unaddressed exposes companies to potential sanctions from regulatory bodies.
These sanctions can take the form of significantfines, such as those imposed by authorities like the CNIL: under the RGPD (General Data Protection Regulation), a manager can be prosecuted under criminal law if negligence is manifest. The penalty can range from two months to ten years' imprisonment (Article 131-4 of the French Penal Code), combined or not with a fine of a minimum of 3,750 euros.
In addition, and with the aim of making a lasting impression, the authorities may choose to adopt a "name and shame" approach. name and shame ". This involves publicizing the company's violation, thereby discrediting the offending brand in the eyes of its customers and suppliers.
Rising cyber insurance costs
Insurance companies are increasingly focused on risk management and customer security. As a result, organizations that neglect to manage gaps compliance can face higher insurance premiums, as insurers consider them to present an increased level of risk.
What's more, if a company fails to take the necessary steps to correct identified gaps and vulnerabilities, insurers may refuse to cover incidents arising from an unresolved gap. The company will then have to bear the costs associated with the damage or disruption alone. A double penalty, as it were.
4 tips for managing your gaps compliance
#1 Centralize gaps
The first step in managing gaps compliance is to centralize it. In other words, when a user identifies a deviation or anomaly, he or she must be able to report and document it quickly. This centralized approach makes it easier to monitor and evaluate the actions taken to resolve gaps.
#2 Prioritize gaps
The second step is to prioritize gaps compliance issues. This involves determining which problems are the most critical and require remedial action.
During certification audits, auditors typically assign severity levels to the non-conformities they identify, classifying them as "minor" or "major" according to their impact on safety and compliance. By prioritizing gaps according to importance, the company can focus on the most critical issues first, ensuring that the most serious problems are resolved quickly.
#3 Accept that you will not be able to resolve certain gaps issues, with a management of exemptions
Sometimes it's necessary to recognize that a problem exists and that it may be justified not to deal with it immediately. This is known as exemptions compliance.
It is not uncommon, for example, to see medical imaging machines (scanners, MRIs) using Windows operating systems that are no longer maintained. As the life cycle and amortization time of such equipment can reach several decades, hospitals and healthcare centers have to make do and accept gaps - while adding additional security measures around the offending equipment.
#4 Set your goals
When you address a compliance deviation, whether minor or major, you need to define a date by which it must be corrected or addressed. By setting a target date for resolving the deviation, you establish a measure of accountability and follow-up.
If this objective is not achieved, this may indicate a problem in understanding or implementing corrective measures. Fortunately, there are technical solutions to simplify this task!
4 good reasons to manage your gaps compliance with tenacy
The solution Tenacy offers a number of features for managing gaps compliance.
#1 Centralizing different sources
The solution's interface centralizes all sources ofgaps compliance data, whether they come from annual audits, technical solutions, or connectors integrated into third-party platforms. This centralization provides a global view of all gaps encountered, eliminating the dispersal of information.
#2 Precise monitoring of gaps compliance
The Tenacy platform enables you to track the progress of each deviation in detail. Instead of simply reporting a problem, the tool provides information such as :
- the difference recognition date ;
- the person who identified it ;
- actions planned to correct it...
... all accompanied by comments from our in-house teams.
#3 Simplified prioritization
The Tenacy interface makes it easy to prioritize gaps compliance issues. This task, which often falls to the CISO, enables the criticality of each deviation to be assessed according to itspotential impact on the company. The Tenacy platform simplifies this process by standardizing criticality assessments, while allowing CISOs to add specific information.
#4 Real-time reporting
Tenacy offers advanced reporting functionality, which enables you to view the status of gaps compliance management in real time. This gives you complete visibility of the progress of problem resolution, along with performance metrics such as validity and percentage completion of planned actions.