Tom Cornelius, Senior Partner
Given the significant changes on the statutory and regulatory side of cybersecurity and privacy compliance, enterprises are under increased scrutiny from both clients and partners to demonstrate secure practices. These factors, combined with a lack of appropriate staff to identify and document an organization’s legal, regulatory and contractual obligations, represent a legal and financial exposure, since documentation is a core component of statutory, regulatory and contractual compliance. The quote “Nothing exists unless it is documented” captures the value proposition offered by ComplianceForge, an Oregon-based firm that specializes in cybersecurity and privacy documentation. With the firm’s core focus and expertise in professionally written cybersecurity and privacy documentation, ComplianceForge enables businesses to get and stay compliant with their obligations. “We deliver innovative, best-in-class cybersecurity and privacy compliance documentation that addresses multiple statutory, regulatory, and contractual requirements,” says Tom Cornelius, senior partner of ComplianceForge. He adds, “A holistic risk management approach ushers in a well-thought-out and long-term design for reducing risk.” This goes far beyond having tools for point-in-time risk assessments, BIAs, DPIAs, and vulnerability scanning. Cornelius also points out, “Without understanding the complete picture of risk, an organization is just chasing its own tail.” The reason is that, without a clear understanding of its requirements, an organization can easily waste time and resources on initiatives that contribute little to making it secure.
ComplianceForge has found that, amid the ever-evolving threats affecting enterprises’ ecosystems both internally and externally, most organizations do not regard cybersecurity and privacy documentation as a proactive security measure.
This common mindset treats documentation as a passive line of defense that offers minimal protection to the organization, often produced as an afterthought to appease compliance requirements. The recent five billion dollar fine imposed on Facebook by the Federal Trade Commission (FTC) shows that a failure to take documentation seriously exposes organizations to a significant amount of risk. As a business accelerator, ComplianceForge provides customized documentation templates that meet its clients’ cybersecurity and privacy documentation needs and help those clients save both time and money. The firm’s solutions enable clients to avoid hiring consultants for in-house documentation. To that end, ComplianceForge published the Hierarchical Cybersecurity Governance Framework (HCGF), an industry-leading structure for cybersecurity documentation. With its comprehensive view of the necessary documentation components, it helps users demonstrate evidence of due diligence and due care. The HCGF also addresses the interconnectivity of policies, control objectives, standards, guidelines, controls, risks, procedures, and metrics. The firm incorporates the HCGF into its documentation process to help companies manage their requirements and thereby reduce risk.
To provide organizations with the cybersecurity and privacy controls they need to stay secure and compliant, ComplianceForge works closely with the Secure Controls Framework (SCF), which fits into the HCGF model. ComplianceForge’s solutions also provide clients with turnkey documentation, giving organizations one-to-one mapped policies, standards, control objectives, guidelines, procedures, and metrics in addition to their controls.
Equipped with such a suite of robust offerings, ComplianceForge has redefined the cybersecurity documentation process. To align with future needs, ComplianceForge is planning to offer mapped risks and threats that support the SCF’s controls, in line with the SCF’s Security & Privacy Capability Maturity Model (SP-CMM). This helps organizations understand the risks associated with a control or standard deficiency, as well as which threats target each control. “We keep on innovating and molding ourselves according to the ever-evolving needs in the space,” concludes Cornelius.