Adobe CCF has helped us achieve several security compliance goals and meet regulatory requirements across various products and solutions. In addition, we have also achieved SOX 404 compliance across our financial functions to further support our governance efforts. In order to achieve this and to scale the security controls across business units at Adobe, we required the adaptable foundation that a solid centralized security governance framework can help provide. Over the past few years we have made significant investments in this area by centralizing our security governance processes, tools, and technologies. Part of this effort includes establishing a driver/subscriber model for scalable services. A “driver” is responsible for developing a security service which will address a CCF control requirement. This can then by consumed by business unit “subscribers” to help meet compliance requirements through integration with the central process. Examples of such useful processes are:
- Centralized logging & alerting: Adobe makes use of SIEM solutions that let you investigate, troubleshoot, monitor, alert, and report on what’s happening in our technology infrastructure
- Centralized policy, security & standards initiative: An initiative to scale Adobe-wide Security Policies and Standards for compliance efforts, best practices and Adobe specific requirements. Policies and standards can now be easily found in one place and readily communicated to employees.
- ASAP (Adobe Self-Assessment Program): In order to help ensure CCF controls are consistently applied, service teams are expected to certify the operating effectiveness of these controls on a quarterly basis by way of automated self-assessment questionnaires. The teams are also expected to monitor the landscape of risk and compliance functions for their organization. This program is driven through an enterprise GRC solution
- Availability Monitoring: The availability of key customer facing services is monitored by a control NOC (Network Operations Center) team
In addition to the above, Adobe has implemented governance best practices from ISO 27001 (Information Security Management System) at the corporate level to help support our security program. All of the above control and compliance processes have been designed and implemented in a way that strives to cause minimal impact to the product and engineering teams. We follow an integrated audit approach for security compliance initiatives so that the evidence to support audit testing has to be provided one time and we can take advantage of any overlaps that exist between external audit engagements. Centralized processes and increased automation also help to reduce friction between teams, improve overall communication and response, and help ensure Adobe remains adaptable to changes in compliance standards and regulations.
Sr. IT Risk Analyst