Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Smarter Compliance for Higher Education


Quick Take

On this episode of Compliance Unfiltered, The CU Guys revisit the topic of Compliance Management in the Higher Education space. However, this time around the focus is on the granular nuts and bolts, as opposed to a mere broad overview.

Curious about spreadsheet struggles in Higher Ed? Wondering about evidence collection and communication strategies? Hoping to simply find a better way?

Well, you’re in luck! All these answers and more on this week’s Compliance Unfiltered!


So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of compliance unfiltered. I’m Todd Coshow alongside the nitro shot to your compliance engine. Mr. Adam Goslin, how the heck are you, sir? 

I’m doin’ good Todd, how about you? 

Man, I can’t complain. I certainly cannot. Today, we’re gonna actually kind of continue on a topic we started chatting about a few weeks ago. We recently did a pod on the complexities of compliance in higher education. So today, we’ll actually get into the more granular view of the complexities of managing that compliance for higher education institutes. Now, when it comes to managing compliance at the higher ed level, what are some of the, I guess, reasons that their compliance struggle is real?

Well, when it comes to these higher education institutions, I like to refer to it as a unique hell that the compliance managers get the honor of dwelling in. You’ve got the college or university itself, as well as all of their vendors, independent sub-entities that are on campus, typically spanning multiple buildings, maybe even multiple campuses, and all said and done, you could have a couple hundred individual units that are contributing toward a single overall overarching PCI compliance engagement as an example. So, alternatively, you could have each of the individual merchants on campus that they need to ingest a certain portion of the requirements that flow down from the institution itself. So, the remainder being the things that they need to go fill in the blanks on. So, either way, the complexities of these engagements pretty much is generally unparalleled in the space, and you take that, you now have the additional complications of potentially having HIPAA impacts in addition to your PCI, maybe some NIST thrown in there, some ISO, and several other standards that the institution needs to be compliant with, and then with every additional certification they need to go through, the complexity just becomes mind-boggling, mind-boggling in terms of complexity. So, you couple that with the notion of we kind of entitle this as smarter compliance for higher education, because part of the problem is that many of these organizations are trying to do this stuff with spreadsheets and tracking their engagements through that, and a spreadsheet seems like a reasonable tool out of the gate for managing compliance.
It’s something that’s familiar, it’s easy to use, you can share them with your team, they know how to use them, all that fun stuff, and all the information’s right there and all that fun stuff, but for simple projects, sure, go grab your Excel spreadsheet and have at it, but compliance management isn’t a simple project, and kind of what we were talking about before, especially in this space, is astoundingly complicated. So, the reality is that these organizations leveraging the sheets to manage their stuff, it is just an increase in wasted time, inefficiency, chaos, uncertainty, and really holding the organization back from just being overall more effective. Something, a platform, like a compliance automation system like the chaos, and bringing clarity, cutting wasted time by maybe hundreds, maybe thousands of hours across the entire engagement, depends how big it is, and the personnel are freed up to do something that’s a little more meaningful with their time, and to actually enjoy what they’re doing substantively more than they were otherwise. It’s really a choice that effectively sets members of the team up for the pain that they’re about to endure. 

Well, talk to me about those obstacles, right? Like how does some institution struggle with managing compliance via spreadsheets? 

Well, the biggest reason that these higher ed institutions need to get away from the spreadsheets is that spreadsheets can’t actively manage compliance. It’s literally impossible to use a spreadsheet and accurately capture the stuff that you need to get the true state of your compliance engagement at all times. You’re probably running PCI-DSS engagements on campus and the full breadth of PCI is hundreds of items and that’s for each one of your individual merchant accounts. If you’re tracking your engagements manually in spreadsheets, now you have to manually build out all the spreadsheets and manually assign all of the items and manually track the state of each and every single line item on there. You know, the fact of the matter is that any given item in a, we’ll call it a relatively straightforward workflow, you know, it would be, you know, the evidence provisioner flows to some form of an internal QA process, maybe they’ve got a consultant involved, that flows over to the assessor, that flows to assessor QA, that flows to complete. You know, so basically for each of the line items, there could be five potential different states for each of those, you know, hundreds of line items across hundreds of merchant accounts and, you know, so now you go in and you try to track the state of every line item just, just on the main engagement for the institution and that alone, it would, it would take hours to go through all the rows and figure out, do I have this, did I get this from so-and-so, have I checked all the spots and duh-duh-duh, you know, effectively by the time that you’ve started making the updates to the spreadsheet, it’s already outdated because me, somebody, somebody went in and made a, you know, made an update, sure is nuts right after you started, you know, type of a thing and so, you know, it gets really complicated.
You know, you don’t know the true state of your compliance engagement because it’s, the ground is shifting under your feet, you know, as you’re going, you know, where if you’re using some type of an automated compliance management system, you know, the current state of all the line items are, they’re automatically updated in real time. As people are loading things up or reviewing them or sending back evidence, etcetera, you know, all I got to do is go in and hit the reload button on the, you know, on the dashboard and poof, you’re seeing live status, you know, across your engagement and you’re seeing that at a glance. So, you know, you think about it, you know, these hours that the poor souls who have to manage these engagements are putting in before every single, you know, weekly meeting, you know, you look at the weekly meetings that would typically go on, right? I’ve got at least one, probably more internal meetings every week. I’ve got meetings with the assessor and so now I’m having to do one or more of these hours-long updates multiple times a week, you know, and this goes on for weeks and weeks and weeks on end, you know, the, it’s just, it’s an astoundingly complicated way to go about doing it, especially when you’re, you know, when you’re driving the bus with a spreadsheet.

No doubt about it. Now, when leveraging a compliance management system, how is evidence submission made easier? 

Well, when you’re leveraging a spread, I’ll go back to the spreadsheet-based system. So in that, you know, you’re always trying to herd the compliance cats. You know, you can do all the training you’d like, but reality is that they’re sending in evidence through a myriad of different channels and you’re constantly having to check all these various places, right? You could have a designated drop zone, but the evidence provisioners are still gonna get inventive with, you know, sending you stuff. You know, they’re gonna send you things through email. Maybe it’s through Slack. Maybe it’s through SMS. You know, maybe it’s, you know, dropping off hard copies on your, dropping off hard copies on your desk, printouts and whatnot. Maybe it’s leaving voicemail messages, depositing things splashed all over the network, verbal updates as they’re passing you in the hallway. You know, maybe you’re sitting in another meeting with somebody and they’re like “Hey, by the way…”, you know, and pass updates that way too, and part of the problem is that many of these channels that they are opting to leverage, they’re not even secure. So, you know, you’ve told the evidence provisioners where and how and all that fun stuff for the evidence, but invariably you’re wasting countless hours manually tracking down stuff all over Hell’s Half Acre, you know, and all these ad hoc locations. And meanwhile, you know, just hoping that you didn’t miss a submission or inadvertently grabbed the wrong version of a particular piece of evidence or whatever. So it’s a continuous state of just nerve-wracking hell that doesn’t get wrapped up until you put a bow around the entire freaking engagement. Where with something like the TCT portal, you’ve got one place, everybody can easily go in and access.
You know, if it’s submitted through any other channel, you know, then the portal still reports that item as outstanding and continues to send the reminders to the person assigned until they’ve loaded up their evidence properly. You know, better yet, you know, what I would suggest to folks, do not accept the evidence unless they submit it securely through the TCT portal. And then as soon as they submit it, you see it, you’re able to, you know, leverage the power of that, you know, kind of live compliance management system. And so, you know, all of this hunting down of evidence, it’s that whole portion basically just drifts off, you know, and your evidence is really neatly organized in a single repository. And you don’t really need to do anything to go make it happen. It’s funny when I talk to folks that, you know, go ahead and make the kind of make the transition to, you know, leveraging a compliance management system, it’s almost like they don’t remember how much it sucked before, once they’re stepped into this arena, because it’s almost like a whole new world, you know. 

Yeah, no doubt about it. One of the human’s greatest gifts is the ability to change their perception of a baseline. It’s funny how easily we adapt to new circumstances. Now, what about streamlining communication?

Well, when it comes to streamlining communication, the compliance is confusing. It’s really easy to forget, you know, how to go in and perform various tasks. Folks invariably, they’ve got questions about requirements or questions about how they need to submit it. Constantly coming to the, you know, point people for clarity. Even if it was the same person that was submitting evidence last year, they don’t remember what they used or where they got it from or what screenshot did they go grab or what configuration file did they provide. You know, and when you’re using a spreadsheet tracking system, you’re just getting inundated with all of these questions from all directions, right? You get emails and text messages and voicemails and, you know, in the hallway, all that fun stuff. And you’re manually fielding all of these various questions. Where when you’re using a compliance management system, you know, people can ask questions through the system. They can associate the questions with their own line items. They can tag the person that needs to answer the question. The system can automatically notify the person in the workflow that the question has been sent to, you know, the state of those line items. When I go in and I articulate my question and I move it up to the next step in the workflow, the system also automatically notes that, oh, by the way, you know, if this thing was going from, you know, if Wilma had a question about, you know, this particular item and sent it up to Fred, the system will show, hey, Fred’s the one that went ahead and, you know, did this, you know, did this particular, had this particular question. It’ll show clearly whose hands it’s in, you know, and whatnot. The other piece that I’ll kind of highlight here is that it’s human nature, right? When I’ve got a status meeting about what’s happening, you know, with the compliance engagement, instead of asking the question, like, let’s say your weekly meeting’s on Monday.
Well, if they come up, if they go in and start doing their work on Tuesday, have a question, what do they do? Dollars to donuts, they’re sitting there until next week, Monday, when they can sit in the compliance meeting and ask their question. And meanwhile, you know, you’ve now lost six calendar days of otherwise forward momentum. And so with the capability to go in, ask the question, appropriately attribute this item to the next person in the workflow, if they can go and do that on Tuesday, guess what? Maybe they get their answer on Tuesday afternoon and they can keep it moving. You know, it’s just, it is so much more efficient to be able to go through that process where you’re leveraging the power of the system of hands. 

Hmm, makes a ton of sense. You know, one of the things that really bugs folks is getting ready for compliance status meetings right back in the day, really sucked. Tell us more. 

Yeah, I mean, the status meetings, here’s the clouds-parting moment, right? The status meetings, oh, they are so much shorter when you’re using a compliance management system. They’re made shorter because of the benefits of the platform. When you’re using the spreadsheet, it’s human nature, right? We’ve got our meeting, our internal meeting, and it’s on Wednesday. Let’s say, usually what I would do is I would schedule those meetings for early afternoon back in the day. Why? Well, because I needed from 8 till noon just to go in and try to figure out where is everything before I’m going and getting on that call. Well, human nature is, oh, geez, darn it, I’ve got this meeting coming and I know I told Adam last week that I would get most of my stuff done. So, what happens when your meeting now is at 2 p.m. on that Wednesday? Well, they’ll go jump in at 9:30, 10 o’clock, 10:30, and they’ll just start wing flinging stuff. It’s astounding how in the couple of hours before a compliance meeting, in the couple hours before the compliance status meeting, about 80% of all activity happens in the couple hours before the status meeting. It’s crazy. You know, and so, you know, the practitioners that are listening, they’re all chuckling because they know damn well it’s true, and, you know, the reality is that, you know, you got to go through every single item and you’re trying to figure out the statuses. Maybe I covered Mary’s stuff between 8 and 8:30 this morning and then Mary went in madly winging and flinging at 10:30, you know, before the 2 o’clock call. Well, I go in and I show up to the meeting, I’m like, okay, Mary, where’s your stuff? And, you know, blah, you said you were going to get some stuff done, and, of course, she then gets indignant about the fact that, oh, no, everything’s in your hands, you know, type of a thing. Well, meanwhile, they were working on it just in the hours before the meeting, but you updated it earlier.
So, it’s just a giant waste of time, pain in the ass. There’s no other way to go about doing it. And, you know, you figure this stuff happens just on a normal engagement. Can you imagine, like, go back to the complexities we were talking about earlier, you know, with the higher education institutions, it’s literally untenable. So, you know, where you’ve got a compliance management system literally handing you live updates, blah, blah, blah. The best part, oh, my God, the best part is I go to walk into the status meeting and instead of being on the backs of multiple, probably three or four hours on an engagement like this of just simply trying to get my arms around where we at, I can go and log in five minutes before the meeting, hit the reload button on the dashboard, and I am ready to hit the ground running. I didn’t have to blow all of this time trying to go get ready. Even if they’re making last second, you know, updates or whatnot in 30 seconds before your meeting, all you do is hit the reload button on the dashboard and you’re seeing it. 

So, it is literally taking an activity that used to evaporate hours that I can quite literally get my hands around in seconds to minutes, you know, type of a thing right before the meeting. It is a huge change. And so, going full circle, I said at the beginning of this that the use of the compliance management system just slashes the time of the actual meetings. I used to schedule meetings back in the day. Oh, God, I’d schedule them for, in some case, depending on where we were at in the grand scheme of things, but no less than an hour and it usually went over. But at certain points, I’d go two or two and a half hours long on these status meetings. Dude, they’re a lot, they’re a lot way down. For most organizations, you can typically clear a status meeting in about 30 minutes, just because now we’re not talking about, you know, where do things sit? We’re just, we’re answering questions, right? I’m answering people’s questions on there and giving them direction. Hey, where’s your stuff? When are you going to have it done? You know, and I’m just getting right to the meat and potatoes that on a typical meeting, I wouldn’t see that until, I don’t know, two thirds to three quarters of the way through the meeting before I could even get to anything meaningful. You know, so it is literally a way that institutions have the capability. I mean, if time’s money, you are saving, no joke, tens of thousands of dollars, hundreds of hours, just with this simple, one simple feature of a quality compliance management system.

Hmm. What type of benefits are realized by the institution in terms of clear access to the evidence supplied for their prior years? 

Well, it’s one of the joys of leveraging the system. A typical engagement, what happens? The last weeks of your annual compliance engagement, they are an absolute hellscape. Long hours, often evenings, weekends. It goes for weeks and weeks and weeks on end. It’s normally winging, flinging, etc. You don’t have a lot of people end up running out of time. Just to be able to update their tracking sheets. They’re more in a mode of I’m just trying to get it done. They transition from trying to stay organized to trying to keep up type of a thing. And so what ends up happening at the back end of those engagements when you’re using spreadsheets is that your spreadsheet lands up in some absolutely dysfunctional state. You’ve got compliance evidence all over the place. The compliance folk are pulling evidence from wherever it sits and jamming it over to the assessor and whatnot. And the end of the engagement from an organizational perspective, it’s a freaking train wreck. Most will just go, thank god that’s done, walk away, wipe their brow and hit the reset button so that they can go and do the same thing next year. But the problem is that, that means you don’t have any solid repository to be able to refer to. What were the things we needed in that network diagram again? What was the eighth submission to the assessor? And what was it that worked for them? No clue. Absolutely none. So when you go over to a systematic compliance management system approach, you literally end up with this single organized historical repository with all of the evidence from last year. If you have a question about how things were done last time, you can easily refer to it. It’s especially helpful when you’ve got turnover within the evidence submitters and they have a clear repository to be able to go in and look at last year’s information and evidence. So it makes a really big difference when you’re able to go back in and look at that from the prior year.

Hmm, that makes a ton of sense. How can the institutions gain control of their data flow and make things easier on the participants? 

Well, you know, when you’re going in and you’re covering most of the compliance requirements on the compliance engagement, you know, the individual functional entities, they’ve got a handful of line items they’re responsible for, depending on the compliance approach. Like I was saying earlier, you know, either the institutional items are flowing down to hundreds of sub-entities or all the sub-entities are rolling up toward the institution. You know, and so the institution’s either generating one compliance report to rule them all or living a death of a thousand needles, being required to generate hundreds of reports across all of the various merchant accounts. But either way, the managing of that data flow, it is a big, big task. When you’re using, you know, an automated system like TCT Portal, you can let the system do all of the heavy lifting. You know, TCT Portal’s got a capability for a document request list that eliminates a whole bunch of work and simplifies comprehension. That document request list will ask each of the sub-entities, you know, for their pieces of evidence they need to provide in language and using terminology they understand, and they only need to submit their evidence once, and the system will automatically populate it to the, you know, destination line items where it’s needed. And so, you know, in one shot, you can, you know, go and make one attachment and maybe tens to hundreds of line items are instantly populated. So you know, the functionality also works across more than one compliance track. So even though the institution’s subject to multiple certifications or standards, the evidence provisioners can submit that evidence once. The TCT Portal will not only populate it everywhere for PCI, but also where it needs to go for HIPAA or for NIST or, you know, whatever other, or ISO, whatever other standards it is that the institution is subject to.
You know, and so instead of looking, you know, through every requirement of every certification line by line, you know, using that document request list and being able to go item by item mapping it where it needs to go, it’s basically supply it once and, you know, for the evidence provisioner, supply it once and then move on, you know, to the, you know, to the next item that they’ve got and let the system do all the heavy lifting. 

What struggles come about with spreadsheets as it relates to version control issues? Because this can be a real honey. 

Your motion alerts are in full effect too, I hear.

Yes indeed, yes indeed. 

So when it comes to version control, part of it is that if you’re sharing that spreadsheet with sub-entities on campus so that they can enter in all their information right into it, you’re going to have all sorts of version control complexities to deal with. Maybe you’re sending copies of the spreadsheet and then you’ve got to take their inputs, reincorporate them back into your master. If you’ve got multiple people with access to the same sheet, well then now I’m dealing with people blasting each other’s updates and writing over what somebody else did. Even if it’s a sheet where you’ve got the capability for the multiple people to be in there, it still doesn’t stop them from stomping on one another in terms of updates to the sheet. When you go to a compliance management system, every single person can work simultaneously on the platform without interfering of, you know, interference of stepping on each other’s toes. You know, each person can only work on their assigned stuff. And so all of your data is protected. Version control happens seamlessly. You’re not worrying about mis-entered information and things going in the wrong cell or, you know, possibly somebody blasting somebody else’s work. It’s kind of night and day from that perspective. It makes everything a hell of a lot easier.

How does security play into the decision to move toward a robust compliance management system?

Well, you know, first there’s, you know, spreadsheet security, right? And I mean, spreadsheet security doesn’t exactly cut it. You know, over the years, you know, Excel’s made improvements in its security, but it doesn’t measure up to enterprise-grade security and compliance standards. You know, when you’re dealing with data that’s as sensitive as, you know, vulnerability scans, pen-testing, network diagrams, internal inventory, spreadsheets, you know, spreadsheets aren’t cutting it. You know, when you’re using a quality compliance management system like TCT Portal, you know, it’s designed to manage compliance for any certification. You know, the platform’s built to meet rigorous security standards, you know, out there in the marketplace. You know, and it’s all maintained through, you know, through the tooling itself. I mean, you’ve got an entire new world of enterprise-grade security to protect, you know, the status information, the evidence, sensitive data, you know, that you’re supplying as evidence to support, you know, your assessments, you know, all being handled from within the system. It is, it’s just night and day when it comes to the, you know, comes to the notion of the security, you know, relative security. I mean, one of the things that I would say is that, you know, we talked earlier about the kind of the spread, if you will, of, you know, the compliance information that occurs on these engagements. You know, the more that you have your team trained, they’re used to using the singular system that you get them, you know, kind of moving over into this new world, the better and tighter your security, ultimate security ends up becoming because now I don’t have, you know, bits of sensitive information sprinkled across a whole, you know, a whole plethora of different access channels, storage locations, and like I said before, many of which, you know, many of the choices that are made are insecure channels.
So, you know, it really does, it can only increase or improve the state of security of the institution as a result. 

Yeah, that makes sense. Parting shots and thoughts for the folks this week. 

Well, I mean, as you may have kind of gleaned, if you will, you know, there are higher education institutions that are kind of addicted to their compliance tracking spreadsheets. But, you know, as much as they struggle with these things, they do have a hard time kind of letting go. You know, one of the things that I’ve seen out of organizations over the years is it’s almost like a familiarity, right? This is how we were doing it before and everything’s within my control and, you know, things along those lines. And they really struggle to kind of take that step. But I’m going to tell you what, you know, using something like TCT portal, it makes it real easy to kick that spreadsheet habit. You know, the managing compliance complexity, especially of the nature that we’re talking about with these higher ed institutions, you know, it is so much easier when you’ve got, you know, one secure, convenient, automated place to go in and manage it all. You know, I encourage folks get out a spreadsheet health and start making your compliance management suck less with the TCT portal, because I can’t tell you how many organizations that I’ve worked with over the years that it’s funny. Many of them will enter begrudgingly, shall we say, you know, they almost feel like I got to do this or in some cases it’s even my boss is making me do this, you know, type of thing. And so they walk in with some measure of pessimism and reticence. Right. But I’ll tell you what, you get these folks, you know, a year down the road, especially two years down the road when they could see the benefit of that last like clean repository from last year. Dude, all of the naysaying, all of the heel digging in, you know, etcetera, it just evaporates. They literally don’t have any choice. It’s so much better.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less. 
