Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: Streamlining Complex Compliance Engagements with Environment Splitting
Quick Take
On this episode of Compliance Unfiltered, The CU Crew delve into the innovative approach of environment splitting to streamline compliance processes.
Discover how this strategy not only enhances efficiency but also ensures adherence to regulatory standards. Join us as we explore real-world applications and expert insights that reveal the transformative power of environment splitting in today’s compliance landscape.
All this and more on this week’s compliance unfiltered!
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the sunshade to your compliance windshield. Mr. Adam Goslin, how the heck are you, sir?
I am doing just fantabulous Todd, how about yourself?
I cannot complain on this beautiful day. I cannot complain at all. Today, we’re going to talk about streamlining engagements with the use of environment splitting. Now, compliance engagements are deceptively complicated. At a high level, why is that?
Well, for an organization that’s going up against a single certification or standard, that’s complicated enough, depending on what you’re going up against. Is it PCI? Are we going up against SOC 2? Are we doing ISO 27001? Are we doing NIST 800-53? Any one of these could be anywhere from hundreds to over a thousand moving parts and pieces. So just on a single-engagement basis, you’ve got that complication. You’ve also got a number of internal teams, a number of different groups of folks: you’ve got your networking gearheads, you’ve got your firewall crew, I’ve got developers, I’ve got day-by-day IT folks, I’ve got the folks in the compliance department, HR, legal, and, and, and, and so on. You put all of the various departments and people in there and you see the complexity that you’ve got on the engagements. Yeah, they are deceptively complicated, that’s for sure.
So for the sake of this discussion, let’s pretend that my organization has 500 controls to monitor for our stance on security and compliance. How do internal complexities make that even more complicated?
Well, when you look at a typical organization, I’ll just go through some examples of things that will throw in complications, right? You’ve got things like: my organization happens to leverage multiple firewalls. I’ve got Cisco devices and I have WatchGuard, I have Fortinet, whatever it may be. So there could be one or more types of firewalls. There could certainly be a multitude of profiles of desktops and laptops within the environment. It could be operating systems for production servers: maybe I’ve got Windows boxes, I’ve got Linux boxes, I’ve got a mainframe, whatever it may be. Especially the larger the organization, they may have multiple different solutions that are doing centralized logging within the environment, kind of disparate logging solutions there. They could have multiple HRIS systems that are performing different functions for different portions of employee onboarding, vetting, background checks, et cetera. These are just some of the examples, on a typical engagement, where my standardized list of, like, 500 controls I need to monitor now starts getting a lot more complicated because I’ve got all of these various layers of complexity. You go back to the old days, right? Folks would have to try to remember these complexities and make sure, literally using sheer human will, that they’ve got all the right stuff attached before they’re launching things up the workflow or calling it done and things along those lines.
So there’s a lot of factors that will really make that particular compliance engagement super complicated.
Of course, depending on mere mortals to remember everything works flawlessly, right? I apologize if there’s sarcasm there tripping off of that.
Yeah, it pretty much turns into a shit show when you’re depending on the human. So let’s pretend, for the sake of this discussion, that I have five different pieces of evidence for a particular requirement and you’ve got five different people provisioning that evidence due to complexities internally. The first person on this particular requirement, they go in, they attach their stuff. They’re like, I’m done. So they mash the complete button. Meanwhile, it yanks the item out of all the other four’s hands and pushes it up the workflow. The other four are sitting there, not attaching their stuff. It went up to your assessor, let’s say. And now I’ve got dysfunction within the engagement. I’ve got the assessor reviewing something, expecting five different things, only having one. It could be a whole myriad of different things. It could be five different pieces of evidence based on those complexities. It could be that I needed to grab evidence across the multiple operating systems. So let’s say I’m grabbing config information from the Windows-based systems within my environment, but then I didn’t bother to go grab the Linux side of it. Meanwhile, everybody on the freaking engagement is trying desperately to remember: what all is it? Do I need to attach to this item again? How many different ways do I have to split this item apart, or shear it apart, so I make sure I get all of the various iterations of evidence that I need in order to be able to properly call this done? You’ve got the poor assessor that’s basically inheriting, left, right, and sideways, just garbage after garbage after garbage, you know?
So there’s a lot of dysfunction that starts to happen on these engagements. And one of the biggest problems is just the sheer loss of calendar time. This item is now marked off as completed, but I only have one fifth of the things attached to it. Now, however many days or weeks it takes for the assessor to get around to reviewing this item and realize I only have one of five things I need, meanwhile, the other people think that they’re all done. They’ve forgotten about this item. Now, all of a sudden, a week, 10 days, two weeks later, the item pops back into the mix, right? Now the person that went in and did it the first time, they actually attached their evidence. The other four did it. They’re like, what the hell? Why is this thing back here? They go in, they look: nope, my stuff’s attached. They hit the complete button again. It’s like watching the circus in full effect.
And it’s just an f-ing nightmare. It causes an astounding amount of dysfunction on engagements.
Now it sounds that way. So how can the TCT portal provide streamlining on a single yet complicated engagement?
So in the TCT portal, as an example, I’m just going to stick with an easy example. Let’s say that I’m gathering operating system evidence; I need to grab it from Windows, I need to grab it from Linux, and whatever. For the sake of this discussion, it’s requirement 3.7, type of a deal. Within the TCT portal, we have a capability called environment splitting. It’s just a term we happen to use for it, but long story short, it’s taking the requirement and splitting it along a particular line. So if I need to split it by operating system, then I can go and configure in there: I want to split it by operating system, and by the way, we’ve got Windows and we have Linux. Then I can go through every single requirement that needs those splits and configure them all to split across Windows and Linux, so that now that 3.7 item is segregated into two pieces, three technically from the system’s perspective. The very top item is used for reporting and things along those lines, but underneath the report-level item, you now have a bucket specifically for Windows and another bucket specifically for Linux. That way, when the Linux team goes in, does all of their stuff, attaches their evidence, and moves it up, the Windows item is still sitting there with the Windows team. The other inference there is that now I can assign all the Linux items to the Linux person. I talked earlier about how, anywhere I’d have to gather up that evidence on the operating system level, I basically have to hope that the Linux person didn’t shove it up when the Windows person didn’t do their thing, or that the Windows person remembers not to shove it up when the Linux person hasn’t done their thing. Meanwhile, nobody can tell who the hell actually needs to do what on the engagement. Once I’ve split these items and assigned them to the right people, those two elements can move separately through the workflow.
I can log into the live dashboard, and I can see precisely who has and hasn’t done things. It’s identified as being in the right or the wrong hands. The person receiving the evidence now knows: hey, for this particular requirement, I’m looking at the Linux side of this discussion. Is that done? Yes. No. Do I need anything else? All of these splits can now move separately, assigned to either the individuals or the right groups of people that are responsible for that technology, et cetera, and now everything is segregated apart. Now, Brandon, we talked earlier: let’s say I had 500 moving pieces and parts initially. Well, with all of the various splits that I need to do, that 500, it sounds like it’s complicating it, because now my total number is going to move from 500. Once I do all the splits, across all the various things I need to split, let’s say I end up at 850, right? Well, the difference is, yes, from a numerical perspective, I went from 500 to 850.
But what you did is you moved from 500 shared things with a whole bunch of dysfunction to 850 specifically assigned to the right people on the right things, as they should be, with nobody stepping on toes. So at the end of the day, you can now set the team loose and they can go through with their individual assignments, clear their items, push them up the workflow. People receiving it know exactly what they’re looking for and attempting to see. I think it’s definitely easier for everybody on the engagement to go ahead and process their items, et cetera. One thing that I wanted to add to that: once I’ve gone through and allocated the splits, if you will, on this year’s track. So let’s say I swung up and split up my 2025 track, right? That’s now wrapped; my 850 items are now wrapped up. Now I’m going to move over to 2026. When TCT assists the client with configuring their 2026 track, they can say, hey, I want to maintain the same splits as I had from last year, type of a deal. We can mirror the splits off your 2025 over to 2026; all of that investment, blood, sweat, tears, who should be on what and all that fun stuff, that’s all preserved. Now I swing up my 2026, bam, I got my 850. I’m ready to rock. And even if, let’s say, two or three people on the team either passed the responsibilities to somebody else or left the company, whatever, now I can just go through the existing assignments on the track and quickly swap out Mary for Brett, Fred for Angela, et cetera, and very quickly realign the assignments on my new 2026 track, preserving all of the hard work that I’ve done year over year.
It saves them just an absolute crap ton of time, pain, all of that fun stuff and, quite frankly, dysfunction on the engagement.
Yeah, no doubt. Now, to that end, there are far more complicated engagements out there. Give us some additional examples of engagements that would benefit from using the TCT portal.
Well, so far we’ve literally been talking about a single cert that got split, right? Whatever we happened to pick for our standard certification was 500 items that ballooned to 850 with all the splits. Well, now we can layer on additional complexities on an engagement, such as what happens when I have multiple certifications or standards I need to go up against, right? I need to go up against PCI, I need to go up against ISO, and I need to go up against CIS, whatever. So you’ve got engagements where you have multiple certifications. In the TCT portal, we have the capability to map from one standard to the other, mirroring and mapping evidence off of your main cert to the secondary certs, allowing all the evidence to flow through. Again, game changer. Let’s say I’ve got an engagement where I’ve got multiple locations that I need to collect evidence from. I happen to have three or four different hosting facilities where I need to gather evidence from: I’ve got a colo location, I’ve got a corporate HQ server room, we’ve got things on Azure and we’ve got things on AWS. Well, now we can go through and collect up from the various locations. Maybe it’s a hosting organization that’s got actual physical on-prem facilities that they need to gather up physical evidence from to support their certification. It doesn’t matter what it is you need to split, or how you need to split it; you’ve got the capability to do that systematically from within the system. You’ve got other instances where you’ve got an environment where you have a corporate entity and they’ve got subsidiaries, where corporate is going to handle the high-end policy management, HR tasks, incident response and things along those lines.
And then each of the individual subsidiaries has responsibilities for the more boots-on-the-ground, gearhead technical requirements. So what we can do is set it up so that all the things that corporate is covering flow down to the subsidiaries, and each of the subsidiaries can basically fill in the blanks with the evidence that they need to support their particular engagement, and do segregated reporting for each of the subsidiaries. That’s one model that will work. But in the same sense, we’ve got other clients where they’ve got a plethora of these subsidiaries, where their engagement style, I like to call it one engagement to rule them all, taking a page from Lord of the Rings. So they have this one engagement to rule them all, and what happens is these subsidiaries provision their requisite evidence and that flows up to the one main corporate placeholder, and all of that flows.
Everything that I’ve been talking about is capable of being fully automated from within the TCT portal. So it is a game changer, but a lot of organizations haven’t had the experience of being capable of leveraging that functionality in a streamlined fashion on their compliance engagement. So it’s a pretty big deal.
No doubt about it. Parting shots and thoughts for the folks this week, Adam.
Well, if you can’t tell by the tone, tenor, and all that fun stuff, I really encourage organizations: there’s nothing in this world that drives me more crazy than wasting time, wasting needless time on engagements. And trust me, I basically conceived of and built the TCT portal over a decade ago because I had lived the hell of trying to manage engagements with manual or semi-manual processes and procedures. That literally was the reason why the TCT portal was born. So I’m not a giant fan of wasting my time, and I certainly am not a fan of anybody else wasting theirs. So if you haven’t had the opportunity to really explore all of these various splitting functionalities, et cetera, and you’re already a TCT client, go have a conversation with support; they can gladly show you how some of the functionality works and ways to streamline your engagements. TCT, on several engagements, has the capability to do a partnering-style approach where our team is meeting with your team on a regular basis to continuously improve the streamlining, handling, and configuration of your engagement or engagements. So we’ve got that capability as well. And if you’re brand new to the TCT world, or better yet, you know somebody that is struggling with managing their compliance, throw them a lifeline: tell them about TCT, send them over the wall. I’m pretty sure that they’ll be glad that you did, and I know that we will as well.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.