Compliance 12-14-2021

DigiCert’s Compliance Culture: A Proactive Approach


Stephen Davidson
Additional author credit: Brenda Bernal

Security is at the heart of everything that DigiCert does. Maintaining that security and trust requires a constant focus on standards and compliance as the landscape of threats and risks facing DigiCert and our customers changes. At DigiCert, we maintain a strong compliance culture across our global operations.

As the world’s leading provider of TLS/SSL and PKI solutions, DigiCert is committed to fostering a strong compliance culture in everything we do. From the CEO down, our team understands that without a keen focus on standards and compliance, we are not putting our best forward on security or maintaining the trust of our customers and partners. Because our services are a large part of our customers’ security posture, we have a responsibility to be world-class in understanding the standards and risks in our business.

Our size and scale require us to be nimble and adept in the way we sustain our compliance culture, so that it stays relevant to every team member. We strive to optimize our compliance with a proactive and evolving approach that helps us stay ahead of new threats and industry requirements.

Leadership

It starts at the top. DigiCert’s executive steering committee meets every few weeks specifically on the subject of compliance and risk management, reviewing the changing matrix of threats and risks facing the company and our customers.

The goal of this review is to always have a pulse on the changing landscape of standards, compliance and risk. We maintain a risk register derived from the work of our Product, Standards and Compliance teams, ensuring that each item has an owner and receives the resources and prioritization needed to resolve it.

This living process is constantly being refined as DigiCert seeks to stay in front of developing issues affecting our sector or operations, and to avoid the never-ending “break/fix” dysfunction found in some organizations. We expect to further enhance our work in enterprise risk management in 2022.

Upfront on standards

One of the advantages for customers who work with DigiCert is our ability to invest appropriately in standards and compliance. We are not just ticking boxes; we help lead the way by investing in the development of the technical standards that shape our industry, as well as in new approaches to ensuring compliance with our obligations.

Many customers will be familiar with DigiCert’s long-standing work with the CA/Browser Forum, where we lead working groups related to TLS, S/MIME and code-signing certificates. Our dedicated standards specialists are also involved in other industry bodies that set the requirements for our sector, such as the IETF (in areas such as LAMPS and post-quantum cryptography) and the European Telecommunications Standards Institute, particularly in the Electronic Signatures and Infrastructures (ETSI ESI) area relevant to our Qualified Trust Service Provider operations. Other groups include ISO, ANSI (particularly the X9 financial services PKI group), the Zigbee Alliance and the AuthIndicators Working Group.

Investment in compliance

As would be expected of a global organization involved in every aspect of PKI, DigiCert has invested in appropriately staffing our Compliance and Audit teams, with specialists located in our offices around the world. What makes DigiCert different, however, is not simply that we meet our obligations, but that we take the next step and turn that compliance knowledge into new value and continuous improvement.

  • Audit automation – As a global organization involved in every aspect of PKI, DigiCert undergoes up to 25 different annual audits of our systems and operations against standards from WebTrust, ETSI, ISO and other bodies. Managing so many audits is a considerable undertaking in its own right, before even considering what it takes to pass them, so DigiCert is serious about developing and using tools that make audits more efficient and more meaningful.

One example is our investment in audit management solutions, often referred to as GRC tools, which map our many security and technical requirements against our internal controls and maintain ownership, responsibility and evidence on an ongoing basis. Rather than an annual snapshot of our compliance posture, these tools let us track compliance and risk continuously throughout the year.

  • Analytics – Many in our industry are familiar with the positive impact of automated tools like ZLint, which checks TLS certificates for compliance against the major standards. At our scale, DigiCert takes a data-driven approach to compliance, developing capabilities that help our internal audit teams pinpoint areas of risk across our entire certificate base, rather than just ticking the box of the 3% self-audit sample that the Baseline Requirements call for. Areas of focus can include proactive scanning as new issues emerge.
  • Incident and compliance working groups – It doesn’t help to have a team of specialists isolated in an ivory tower. Even before the pandemic-era wave of stand-up calls, DigiCert built a discipline of focused sessions that bring together key personnel from different disciplines to share information on a topic. Examples include our incident analysis calls, which focus on external disclosures (such as incident reports filed in Mozilla’s Bugzilla) and their timely remediation, and our weekly Compliance Working Group, which brings together cross-functional team members, including product managers, to track the industry trends, standards and compliance requirements that should be reflected in our product and operations strategies.
  • Embedding in product development – Compliance is not a caboose. DigiCert ensures that our compliance specialists are involved before the product and service development train leaves the station. The goal is not only to ensure that our products meet the many technical standards that apply to their operation, but also to build features such as linting, control linkages and specialist reporting into the product backbone, so that we can operate our compliance function in real time.
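To make the linting idea in the Analytics and product-development points concrete, here is an added example that is not DigiCert’s code and not ZLint: a small Go program, using only the standard library, that applies a handful of Baseline Requirements style checks to every certificate in a population and tallies findings per rule. The rule set (398-day validity limit, mandatory subjectAltName, RSA modulus of at least 2048 bits, CN repeated in the SAN) is an illustrative subset, and the four certificates are constructed self-signed samples generated inside the program.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one lint result for one certificate.
type Finding struct {
	Rule string
	Msg  string
}

// lintCert applies an illustrative subset of CA/Browser Forum Baseline
// Requirements checks to a TLS server certificate (assumption: this is not
// the full BR rule set that a tool like ZLint implements).
func lintCert(c *x509.Certificate) []Finding {
	var f []Finding
	// Subscriber certificates issued after 2020-09-01 may not exceed 398 days.
	if life := c.NotAfter.Sub(c.NotBefore); life > 398*24*time.Hour {
		f = append(f, Finding{"validity_period", fmt.Sprintf("validity %v exceeds 398 days", life)})
	}
	// A subjectAltName naming at least one host is mandatory.
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		f = append(f, Finding{"missing_san", "no dNSName or iPAddress in subjectAltName"})
	}
	// RSA subscriber keys must be at least 2048 bits.
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < 2048 {
		f = append(f, Finding{"rsa_key_size", fmt.Sprintf("RSA modulus is %d bits", k.N.BitLen())})
	}
	// If a commonName is present it must repeat a value from the SAN.
	if cn := c.Subject.CommonName; cn != "" && !inSAN(c, cn) {
		f = append(f, Finding{"cn_not_in_san", "CN " + cn + " not present in subjectAltName"})
	}
	return f
}

func inSAN(c *x509.Certificate, v string) bool {
	for _, d := range c.DNSNames {
		if d == v {
			return true
		}
	}
	for _, ip := range c.IPAddresses {
		if ip.String() == v {
			return true
		}
	}
	return false
}

// lintPopulation lints every certificate (not a sample) and tallies findings per rule.
func lintPopulation(certs []*x509.Certificate) map[string]int {
	tally := map[string]int{}
	for _, c := range certs {
		for _, f := range lintCert(c) {
			tally[f.Rule]++
		}
	}
	return tally
}

// makeCert issues a self-signed test certificate; all values are constructed sample data.
func makeCert(key crypto.Signer, days int, cn string, dns []string) *x509.Certificate {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		panic(err)
	}
	notBefore := time.Date(2021, 12, 14, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
		DNSNames:     dns,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

func ecKey() crypto.Signer {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// samplePopulation builds four constructed certificates: one clean and three
// that each violate one rule (overlong validity, 1024-bit RSA, CN without SAN).
func samplePopulation() []*x509.Certificate {
	weakRSA, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		panic(err)
	}
	return []*x509.Certificate{
		makeCert(ecKey(), 90, "www.example.com", []string{"www.example.com"}),
		makeCert(ecKey(), 400, "long.example.com", []string{"long.example.com"}),
		makeCert(weakRSA, 90, "weak.example.com", []string{"weak.example.com"}),
		makeCert(ecKey(), 90, "cn-only.example.com", nil),
	}
}

func main() {
	for rule, n := range lintPopulation(samplePopulation()) {
		fmt.Printf("%-16s %d\n", rule, n)
	}
}
```

The per-rule tally is what makes full-population linting useful to an audit team: a rule that fires once is an isolated mis-issuance to remediate, while a rule that fires across a whole product line points at a profile or code defect, which a random sample would surface only by luck.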

Taken together, this focus on compliance helps DigiCert leadership understand the risks facing our products, our customers and our partners, and drive the actions needed to resolve any threats we identify with minimal negative impact on our customers. Our goal, amid our size and growth rate, is to maintain our leadership in security and compliance in our industry.
