How to build a compliance program with ease

The implimentation of a compliance program requires organizations to adopt processes that help comply with regulatory and legal requirements. GitLab makes it easy to wrestle the "compliance beast" but to understand what that really means it helps to take a look at this very complex and challenging area.

An effective compliance program: lots of moving parts

Compliance processes are often costly, manual and cumbersome to implement and maintain. Even organizations that are advanced in compliance maturity still maintain compliance processes within spreadsheets, file storage systems (such as Google Drives or Dropbox) and emails, making wading through the documentation required to prove compliance extremely painful.

Further compounding this pain is the number of third party applications an organization uses to operate its business. The use of these tools and services add complexity because they’re all subject to the underlying policies and procedures the company has established. This means auditing not just your own organization’s processes, but those of your vendors.

However, compliance is essential. With regulatory scrutiny being high, increasing cyber security breaches and the high costs of non compliance manifesting in the form of revenue loss, business disruptions, fines, damage to brand image, impacted stock prices and so on - the need for compliance is not lost on organizations. In fact, non compliance penalties can be much lower when an organization can demonstrate the presence of an effective compliance program.

Why is achieving an effective compliance program so difficult?

In spite of organizations acknowledging the importance of compliance, achieving an effective compliance program seems elusive.

Currently, there is a lot of administrative overhead associated with compliance. The task that gives most compliance professionals a headache is finding the documentation or evidence they need. With most organizations still using a combination of spreadsheets, drives and emails to manage their compliance programs and the added complexity of demonstrating compliance within their third-party tools or services, it is increasingly difficult for compliance teams to scale.

It can be even more daunting trying to keep track of the growing regulatory compliance requirements and internal controls to manage these requirements. In the cases where organizations have introduced additional Governance, Risk and Compliance (GRC) tools within their organizations, these tools are not integrated into their development and operational tools - thereby creating yet another compliance silo.

Development and operations teams perceive compliance-related activities as slowing down their velocity, creating an inherent friction with the compliance teams, thereby making compliance processes even slower and less effective.

Building your compliance program

Any well defined compliance program requires internal controls that allow:

1. Defining rules and policies aligned with your organizational or regulatory/legal requirements
2. Generating and maintaining the evidence of policy adherence
3. Enforcing the defined rules and policies
4. Demonstrating compliance with easy-to-access and readable reports and evidence artifacts
5. Ongoing risk assessments to detect and mitigate gaps in compliance

Any compliance program that does not bring together all of these controls incurs the administrative overhead of maintenance. Organizations often run the risk of overspending on a disparate set of tools, creating data silos resulting in them being no better than when they started their compliance process.

GitLab makes compliance easy

Being a single application where developers, security and operations professionals congregate, GitLab is well positioned to automate your compliance processes to answer questions that may arise from your auditors or leadership teams.

1. With granular user roles and permissions, GitLab allows you to enforce segregation of duties. You can easily define your organization’s policies regarding credentials, security scanning, and rules for approvers. Granular permission control also allows you to enforce approvers for determining what goes into production
2. With application security being part of the pipeline, GitLab helps you to automate your information security compliance requirements
3. GitLab helps you define custom projects (such as HIPAA, SOX etc) to track adherence to various different compliance frameworks in a single place. Within the projects, GitLab issues and merge requests are also the central places to collaborate, maintain documents, track chain of custody and overrides, without maintaining these on disparate tools. Additionally, you can define a common set of policies to be applied to a set of projects labeled with a specific compliance framework (such as HIPAA, SOX etc)
4. You can meet the traceability requirements for audits - such as user actions, permission changes, approval changes, logins, password changes and so on via Audit Events
5. GitLab also provides a consolidated view of various compliance signals such as merge request approvals in the compliance dashboard. Going forward, this compliance dashboard aims to provide compliance insights in a consolidated view with all relevant signals such as segregation of duties, framework compliance, license compliance, pipeline and MR results. The compliance dashboard will continue to evolve to include more data to save compliance professionals time when managing their GitLab compliance posture.

Learn more about our Compliance Solution here.

What’s next

Our vision for Compliance Management is strong. Watch Matt Gonzales, Senior Product Manager for the compliance group, talk about our vision.

Consider joining the Compliance Special Interest Group to help shape our direction for compliance management within GitLab.

Read more about compliance and GitLab:

Compliance-as-code explained

How we chose our compliance framework

Tracking agreements in GitLab just got easier

Cover image by joaosilas on Unsplash