Anyone who is working toward or has already achieved some kind of certification will know that getting there is difficult, time- and resource-consuming, and requires buy-in and input at all levels, especially from those at the top.
It might be a legal or industry requirement, such as HIPAA or PCI DSS, or it might provide assurances to current and prospective clients, as with the many companies aiming for SOC 2 or ISO 27001.
Whether an organization is pursuing certification for the first time or preparing for a future audit, it is likely that in recent weeks various control requirements thought to have been locked down have been stretched to breaking point.
Even the best-laid "stay at home" disaster recovery scenario may not have anticipated all the effects caused by so many partner businesses, third-party suppliers, and so on having to make similar drastic changes.
Let's consider a couple of common requirements where compliance might have gone slightly awry:
Additionally, and crucially, even if these points have been covered, can the organization produce evidence of how the controls were implemented, how they are configured, and how they are used to protect the environment and its data?
To be sure, nothing has stopped in the world of compliance. Controls must still be adhered to. Audits must still take place. In fact, because of the likelihood that compliance controls are not being adhered to, organizations such as the AICPA are publishing guidance on how auditors can conduct effective remote audits.
As long as virtual meetings can still happen, the information and evidence required will still need to be gathered according to the audit schedule.
There are many actions that need to be taken right now, especially if an audit is just around the corner:
This would be a challenging task at the best of times. Simply arranging a meeting of internal stakeholders who work in the same building can be quite difficult. When so many actions and people need to be coordinated in a short time, it may be necessary to bring in an additional, level-headed coordinator to help shape the strategy, prepare the evidence and documentation, and bring the various stakeholders together. For a good resource to help better understand what might be involved, see the NIST cybersecurity requirements.
We are all in uncharted territory, but businesses must ensure that compliance is maintained. With a CISO on demand, it is possible to get the specialized talent and experience needed right now to navigate this most difficult of times. The regulatory process can be completed quickly and, of course, this means not having to employ a new member of staff with all the time and cost that entails.
We would like to thank Kevin Gorsline for providing insight and expertise that greatly assisted this research.
Kevin Gorsline is a Managing Director in J.S. Held's Global Investigations Practice who joined following J.S. Held's acquisition of TBG Security. For several years, Kevin served as the Chief Operating Officer and head of the Risk and Compliance practice at TBG Security, where he was responsible for providing the leadership, management, and vision necessary to ensure that the company had the proper operational controls, administrative and reporting procedures, and people systems in place to effectively grow the organization and to ensure financial strength and operating efficiency. His experience and leadership throughout his career have been focused on developing and delivering information security services and solutions, providing outstanding client service, and driving profitable revenue growth. Kevin brings established proficiency as an IT leader with extensive experience in risk and compliance services, applications development, and implementation projects both in the United States and abroad.
Kevin can be reached at [email protected] or +1 843 890 8596.