A Holistic Approach to Security Compliance

Typically, when people think of security, the first thing that comes to mind is the work done to protect IT systems from attacks. However, there is more than one side to security within an organization. Indeed, one side includes prioritizing security efforts such as creating a strong infrastructure and putting proper defenses in place.

Yet, that’s only part of it. The flipside is, even if you’re doing great work in security and have built a strong internal infrastructure, as part of the security role, security practices need to be communicated and demonstrated to key stakeholders like customers and regulators.

Conversations are Shifting – Customers Need Proof
We started to notice a trend in how conversations with our key stakeholders became more focused on what products and solutions meet certain compliance standards. Some global companies are required to comply with SOC 2, ISO 27001 or both; other standards are mandatory within specific industries, like HIPAA for the U.S. healthcare industry.

If a company processes or manages payment card data, it must also take into account the Payment Card Industry Data Security Standard (PCI DSS). With so many industry standards, and customers asking for details, we realized that we needed to achieve and communicate compliance with these standards in a more streamlined way in order to provide the assurances our customers request more quickly.

As we evaluated the “compliance soup” we asked ourselves which controls overlapped and how we could work with the various teams to manage compliance without duplicating effort. Our goal was to improve compliance processes and provide our customers with a clearer understanding of Adobe’s compliance with certain industry standards and regulations.

Standards Repeat Themselves – the Birth of CCF
We analyzed over 1,000 requirements from relevant cloud security standards and identified similarities. What we found is that many of the major standards have similar nuts and bolts, but are composed with slightly different wording.

For example, one control requirement may state: “Remove corporate network access after an employee leaves the company.” If you know this requirement is similar to another standard, you’ll be able to quickly check it off the list. We thought, if we do the work to obtain SOC 2 compliance and then need to turn around and conduct a separate project to obtain ISO 27001 compliance, this would likely mean repeating a massive amount of work. We asked ourselves, how can we make this process easier and more efficient?

We streamlined over 1,000 requirements down to 200 security controls, across 11 domains, ranging from asset management to incident response to security governance, and came up with the Adobe Common Controls Framework (CCF).

We found that there’s an alphabet soup of controls and standards that can be hard for organizations to keep up with. For instance, if PCI DSS comes out with a new update, we can look at the CCF and see that we’re already meeting, or close to meeting, that requirement based on our compliance with a different, existing standard. Similarly, if Adobe decides to sell into a new industry vertical, we can look to the CCF and evaluate what compliance with those new industry standards would really represent in terms of incremental work. This makes our lives easier when we can more nimbly react to what our customers need.

Open-Sourcing the CCF – Sharing the Framework with the Security Community
Recently, we published the CCF on our website as an open-source document. When we talk with our customers about how we put together the framework, it’s much easier to send them a link and point them to this framework to give them a chance to work with it themselves. 

We open-sourced the CCF in the hope that it will help other organizations as it has helped us. Mature companies that already have an internal framework, or several, can use the CCF to compare, learn and refine their own frameworks.

For smaller companies that are just getting started, a framework like this can potentially save an enormous amount of work, time and money by providing a simple means of measuring compliance. The CCF is improving the quality of the conversations we have with customers, but we also hope it will help the industry move more quickly to advance operational security and the way companies integrate industry standards into their own internal environments.

The Future of the CCF – Automate
After years of refining this framework with input from third-party auditors, internal stakeholders, security experts and customers, we are starting to automate the audit process. In the coming years, we envision a fully automated compliance auditing system, which we estimate can save a huge amount of time and money for Adobe while strengthening our customers’ confidence.

The CCF has already helped us to make great strides in creating a more streamlined and efficient compliance framework, but we need to continue refining and improving the framework through internal audits and external assessments. With the CCF we have helped break down silos to increase internal efficiencies and better support our customers, increasing the value of our business in real, observable ways.