In an ever-changing regulatory landscape, companies have to comply with a range of standards and regulations relating to data protection, IT security for information systems and employees, and product safety and reliability.
In addition to the potentially significant penalties for non-compliance,
an unaddressed security flaw or vulnerability can tarnish an organization's brand image.
So what is a compliance gap? How can gaps be managed effectively? What are the consequences of not managing gaps ? And what solutions can you put in place? Here's how.
What is a compliance deviation?
A compliance deviation is a situation where the rules defined by the IT security policy (ISSP) are not correctly applied. According to Baptiste David, PreSales and Delivery Manager at Tenacy: " A compliance deviation is characterized by a finding of non-compliance with an established politique ".
Most of the time, gaps are detected during external audits carried out by independent auditors. These auditors inspect, question and document the non-conformities they identify. To ensure that these gaps are taken into account, audits are carried out at regular intervals to monitor the company's corrective actions over time.
Whether technical or organizational in nature, every company is likely to generate gaps compliance issues. That's why it's essential to implement a proactive strategy to detect gaps , which can take many forms.
A technical gap generally refers to a vulnerability,a misconfiguration or a design error in the company's technical infrastructure.
Failure to apply a critical update or activate a security feature - the sources ofgaps can be numerous.
An organizational gap occurs when the security policies or procedures defined within an organization are not properly followed, implemented or documented.
A frequently observed case is that of a company that has established a cybersecurity awareness policy, obliging employees to follow an awareness-raising curriculum. However, during an audit, it may be found that this training has only been carried out once every two years, or that employee commitment to e-learning training is unsatisfactory. Whether minor or major, gaps organizational compliance issues need to be closely monitored.
What happens if the company doesn't manage gaps ?
The management of gaps is an obligation for all companies, whatever their sector of activity. It is an integral part of an IT security management system (ISMS), and involves not only identifying problems, but also implementing corrective measures to resolve them.
When a deviation is identified, whether it's a vulnerability, a non-conformity or any other malfunction, it's imperative to document it, monitor it, and ensure that appropriate action is taken to resolve it.
Beyond the cyber risk, the absence of a gaps management system can have damaging consequences for the company, such as loss of certification (ISO 27001, TISAX, etc.).
Increased attack surface
The absence of gaps management within a company increases cyber risk. According to Baptiste David: " In terms of risk management, failing to deal with a gap is tantamount toleaving a known hole open and widening the company's attack surface ". A mistake that can be heavily penalized in the event of compromise.
Failure to manage gaps exposes companies to potential sanctions from regulatory bodies.
These sanctions can take the form of significant fines, such as those imposed by authorities like the CNIL. In the context of the RGPD (General Data Protection Regulation), the manager can, moreover, be prosecuted under criminal law if negligence is manifest. A penalty that can range from two months to ten years' imprisonment (Article 131-4 of the Penal Code) associated or not with a fine of a minimum of 3750 euros.
In addition, and in order to make a lasting impression, the authorities may choose to adopt a "name and shame" approach, where they not only impose fines, but also publicize the company's violation, thereby discrediting the offending brand in the eyes of its customers and suppliers.
Rising cyber insurance costs
Insurance companies are increasingly attentive to risk management and the safety of their customers.
Organizations that neglect to manage gaps may face higher insurance premiums, as insurers consider them to present an increased level of risk.
What's more, if a company fails to take the necessary steps to correct identified gaps and vulnerabilities, insurers may refuse to cover incidents arising from an unresolved gap. The company will then have to bear the costs associated with the damage or disruption alone. A double penalty, as it were.
How can you manage gaps effectively?
The first step in managing gaps is to centralize them. In other words, when anyone identifies a deviation or anomaly, they must be able to report and document it. This centralized approach makes it easier to monitor and evaluate the progress of actions taken to resolve gaps.
The second step is to prioritize gaps. This involves determining which problems are the most critical and require remedial action.
During certification audits, auditors generally assign severity levels to the non-conformities they identify, classifying them as minor or major according to their impact on safety and compliance.
By prioritizing gaps according to importance, the company can focus on the most critical issues first, ensuring that the most serious problems are resolved quickly.
Accepting not to solve certain gaps, with a management of exemptions
Sometimes it's necessary to recognize that a problem exists and that it may be justified not to deal with it immediately.
It is not uncommon, for example, to see medical imaging machines (scanners, MRIs) using Windows operating systems that are no longer maintained. As the life cycle and amortization time of such equipment can reach several decades, hospitals and healthcare centers have to live with the situation and accept gaps by adding additional security measures around the offending equipment.
When you address a deviation, whether minor or major, you need to define a date by which it must be corrected or addressed. By setting a deadline for resolving the deviation, you establish a measure of accountability and follow-up.
If this objective is not met, it may signal a problem in understanding or implementing corrective measures. Fortunately, technical solutions are available to simplify this task.
How does the Tenacy platform help you manage gaps ?
The solution Tenacy offers a number of features for managing gaps compliance.
Centralization of different sources
The solution's interface centralizes all sources ofgaps compliance data, whether they come from annual audits, technical solutions, or connectors integrated into third-party platforms. This centralization provides a global view of all gaps encountered, eliminating the dispersal of information.
Precise monitoring of gaps
The Tenacy platform provides a detailed status report for each deviation. Instead of simply reporting a problem, the tool provides information such as the date the deviation was identified, the person who identified it, and the actions planned to correct it, all accompanied by comments from internal teams.
The Tenacy platform interface makes it easy to prioritize gaps. This task, which often falls to the CISO, enables the criticality of each deviation to be assessed according to its potential impact on the company. The Tenacy platform simplifies this process by standardizing criticality assessments, while allowing CISOs to add specific information.
Last but not least, the Tenacy platform offers an advanced reporting functionality that enables real-time visualization of the management status of gaps. This feature offers complete visibility on the progress of problem resolution. It also includes performance metrics, such as validity and percentage completion of planned actions.