If You’re Hunting Down Evidence Every Year, You’re Doing Compliance Wrong

Let’s be honest. Managing compliance sucks. In the days before TCT, I would spend the final two months of the compliance cycle grinding out 100-hour weeks. And every year, I dreaded the thought of doing it all over again. Truly dreaded it.

I wasn’t alone. Almost every client I talk to has a similar story. “I was leaving the house at 9 am and getting home at 1 or 2 in the morning, five to six days a week,” said Jamie Hefty, CIO at Phoenix Financial. “It went on for about 60 days.”


The annual compliance cycle is like Groundhog Day, always starting from Square One again. It’s the same painful process of gathering evidence and badgering people in ten different departments. You think that you have everything you need to make the Assessor happy, only to find out half the files you provided didn’t pass muster.

And every year, it’s the same thing all over again. Only in some cases, it’s worse.

You’d think things would get easier each time, as you build up institutional knowledge of how compliance is done and what evidence earns the Assessor’s gold star. But veterans move on, or key people go on family leave. Turnover keeps you from gaining any meaningful traction from year to year.


Stop Starting from Square One

The key to avoiding the Groundhog Day effect in managing annual compliance is to keep track of the documentation that passed muster with the Assessor the year before. If you know everything that got approved last time, you can just follow your lessons learned from last year, grab fresh evidence and resubmit it, without the trial and error of the previous cycle.

Keep track of that evidence with an organized repository that’s dedicated to nothing but compliance management. When it’s time to submit documentation, you can go into the repository and easily refer to the previous year’s evidence. Refresh or validate the evidence from the prior cycle and get it submitted, knowing your Assessor will be satisfied with it. You’ll save hundreds of man-hours and who knows how many ulcers.

Here are some key tips for an effective repository:

  • Establish — and enforce! — one submission method, into one central location. Don’t accept any evidence that comes to you any other way. Make your team members follow the process.
  • Store all of your evidence in one place. It should be easy to access and readily searchable.
  • Make sure every filename makes sense (not something like DCX030220021.jpg).
  • Tag each file with all of the compliance requirements it fulfills, so that you don’t have multiple instances of the same file to keep track of.
  • Don’t use the Assessor’s system to store and organize your evidence. You aren’t in control of that system, and you shouldn’t rely on someone else taking care of your evidence — otherwise you’re right back to Groundhog Day if you ever change Assessors! This is YOUR data, YOU control it!

Even as I write this, I realize the absurdity of this concept. A typical PCI-DSS engagement has thousands of pieces of evidence, across multiple departments and several vendors. The sheer effort to create a streamlined repository of evidence that’s continually maintained is just as enormous as the work you’re putting into compliance today. There’s no way to organize all that yourself.

But what if there were a compliance management system that did the organizing for you?

No More Heavy Lifting

TCT Portal keeps you organized, makes sense of compliance, and turns a titanically chaotic engagement into bite-size to-dos.

Everything related to compliance is done through TCT Portal. EVERYTHING. Every piece of information, every communication, every status update or question you need to ask a team member, every submission to your assessor, and their responses on evidence quality — it all goes through TCT Portal.

Why? Because TCT Portal stores that information, organizes it, and makes it easy to review for the future. Now you have a traceable history of everything that happened, what decisions were made and why, and — most important — what evidence the Assessor accepted.

Next year, you’ll have immediate access to that same information.

  • You don’t have a dozen places to go hunting for last year’s evidence.
  • You don’t have to probe your foggy memory to reconstruct the compendium of documents you submitted.
  • You don’t have to worry about remembering to properly name the image files people text to you.
  • You don’t have to badger your staff and vendors for thousands of items.
  • You don’t need to reinvent the wheel when the people who handled last year’s compliance are no longer involved, whether due to turnover or position changes.

You can simply submit the right evidence to your Assessor the first time, confident that it will pass muster.

And when new staff join your team, you can assign them responsibilities and they won’t be in over their heads. Even though these people are brand-new to compliance, they can go into TCT Portal and see immediately how things worked the prior year, what the Assessor was looking for, and what evidence was accepted.

Put Groundhog Day in Your Rearview Mirror

No more Groundhog Day. Instead, you’re cruising through compliance at a whole new level, and even your new team members are saving time.

TCT clients save hundreds of man-hours on this capability alone. Not to mention the pressure relief and peace of mind that TCT Portal provides.

Imagine starting your next round of compliance without that feeling of dread and low-level panic. Imagine cruising through evidence submission and finding time to keep up with your day-to-day work. TCT Portal can make compliance not suck.
