PM Process: Compliance
Compliance is the act of adhering to rules, regulations, environments, or even laws. Why is product management so involved in meeting compliance needs? Isn't that the purview of the legal or engineering departments, which drive compliance in the organization? I guess most of you must be wondering the same. However, in my experience compliance is a need that is better analyzed by product managers ahead of time, before other parts of the organization invest any energy in it. In some businesses, compliance is the prime driver of the business and cannot be discounted: your fundamental ability to be in the market is decided by your ability to meet the compliance requirements.
Sources of Compliance
What leads to a compliance need is scenario-specific. For example, if you were to provide a certificate-based authentication service in India, you need to meet at least two fundamental requirements of the IT Act:
- You must be a certifying authority registered under the CCA
- You must have a data center in India
Suppose your sales lead engages with a large telecom company to discuss providing a user authentication service, and she comes back with a large potential deal. Yet, when you analyze all the requirements, you decide to drop the proposal because of serious concerns around managing the physical security of the data centers. Root CA keys are typically managed in absolute secrecy by a handful of company executives in a tightly controlled, physically secure environment, which is hard to sustain at your size of investment. But it is much better to take the decision at this point than to engage engineering to implement a solution and only later discover the physical security limitations. If you were a foreign company, this may also have meant establishing an Indian office or subsidiary, which does not exist right now.
Interestingly, many compliance scenarios or needs are similar, although every jurisdiction has its own way of expressing them. If you are offering cloud-based services to the US Federal Govt. you may need FedRAMP compliance. The same services provided to the Australian Govt may require an IRAP assessment. While many controls are jurisdiction-specific, you need to understand what drives these assessments:
- Both require that you handle the data within the jurisdictional boundaries.
- You have followed best practices for the people managing such services, who keep the data safe and who can be brought under the legal framework at the slightest breach.
- All these compliance schemes accept that there is no absolute security; there is only risk assessment, containment, and mitigation as part of the process framework.
Although FedRAMP and IRAP are not the same, meeting the compliance needs of one framework lets you reuse the same controls for the other. If judiciously carried out, there can be significant cost savings in adopting the second framework.
Risk Assessment and Mitigation
Suppose you are providing a SaaS-based solution. You likely have data belonging to various customers on the same servers. Sharing resources across tenants improves utilization and thus reduces the cost of operations; this is a principle used by many SaaS providers. Now suppose there is a data breach due to a vulnerability in the system: the data of multiple customers may be exposed by the same flaw. If you have a customer who is worried about such scenarios, she can be provided dedicated servers at a premium price.
It is also likely that a customer may feel vulnerable to a potential data breach in a shared system and request to run vulnerability analysis on your production servers several times a year, just to be sure her data is in safe custody. Should you permit your customer to do so?
There is no difference between ethical and non-ethical hacking in terms of the tools and procedures used. So technically, vulnerability analysis can break open your system and expose your customers' data, and on a shared server it may expose the data of many other customers. If a customer needs to do a vulnerability analysis, it must be on a staging or test server with simulated data and the same settings as your production server, but never with live customer data. As a product manager of a security company, I have had customers try to be witty and ask what would happen if they did a vulnerability analysis on our production servers without reporting it; our reply was that our intrusion detection and prevention systems should automatically detect malicious activity, and if need be we would have law enforcement agencies handle any such breach under the due course of law. The customer license stated that such vulnerability analysis was inappropriate conduct. What is your organization's policy on these?
However, the business needs to run under due trust. When you do not permit the customer to conduct a direct risk assessment, do you permit alternate procedures to assess risk? SOC compliance is another way of establishing that customer data is secured under the five well-defined trust services principles of security, availability, processing integrity, confidentiality, and privacy. But SOC compliance can be an involved assessment and substantially affect your bottom line. At a minimum, you could have an accredited institution conduct a vulnerability assessment and penetration test (VAPT) of your services after every deployment and share the reports with your customers, ensuring all major vulnerabilities are addressed. If process compliance is required, ISO-27001 certification for your organization may additionally help establish that your security practices are best in class.
Staged Compliance Plan
You may not need best-in-class compliance on day one. You need to build the business and improve your practices, adding compliance options as the business grows and you are in a position to spend on the requirements that support new business expansions. For SaaS-based systems, this is a possible staged compliance plan:
- Start with a good internal VAPT assessment
- Follow it up with an accredited institute conducting the same
- Try to obtain an ISO-27001 certification
- Try to obtain a SOC compliance audit for your cloud services
- If you need government as a customer, think of expanding your compliance to FedRAMP- or IRAP-like assessments based on the jurisdiction.
Most compliance certifications can be cascaded: having one helps you get a better handle on the controls required by the other certification programs.
Business is full of compliance requirements. They are so common in a domain that you no longer even question them; they look like standard practices or norms of operation. In accounting, assets matching liabilities. In banking, the duration of assets matching the duration of liabilities. Sometimes they are just practices followed over the years, like not booking all of your e-team on the same flight. HIPAA compliance for all systems used in the healthcare domain. Ensuring that assets are underwritten for insurance or equities, particularly when there is a possibility of the assets losing liquidity. Your customers asking for code escrow, or asking you to buy business insurance if the deal is of a certain size. Even your investors, funding various series of equity, ensuring their money is protected against business risks. In short, compliance is used significantly to manage risk.
We spoke of cloud-based SaaS compliance requirements at length. However, this is not limited to that domain. I discussed it because most product managers who operate in this space know the kind of compliance needs they are asked about every time they meet a new customer or industry body. The same pattern is natural in every other industry domain. Every industry poses a set of rules and regulations that one needs to comply with. As you get deeper into the domain, toward specific high-value and niche customer segments, your compliance requirements will be different and maybe more stringent. It is important that as a product manager you are aware of these ahead of the rest of the organization, so that you can decide on your readiness to explore a new charter for your business. Do you have a list of compliance requirements for your line of business?