Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Managing Multiple Certifications Using Custom Requests Lists

Quick Take

In this episode of “Compliance Unfiltered”, the CU Guys dive into the complexities of managing multiple compliance certifications and custom request lists.

They explore the challenges faced by organizations of all sizes, from small businesses to international giants, in navigating the ever-evolving compliance landscape. With insights into the common pitfalls and practical advice on streamlining processes, this episode is a must-listen for anyone involved in compliance management.

Tune in to discover how to make your compliance journey less painful and more efficient.

Transcript

So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process.

Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the Bloody Mary to your compliance hangover, Mr. Adam Goslin. How the heck are you, sir?

Uh, a very, a very rare repeat. I think we’ve heard this one before, so you’re slipping, Todd. You’re going to have to, uh, you have to sit and cook up some new ones, I think. 

Well, if you would prefer the mimosa to your compliance hangover, we can do that too.

Hahahahaha 

Now you’re making me self-conscious.

I’m gonna have to go back and figure out where that was. It hasn’t been recently. I can tell you that, but… 

It has been a minute or five, that’s for sure. 

Oh, goodness. Well, Adam, today, we’re going to talk a little bit more about something that I think is near and dear to a lot of compliance folks’ hearts.

And that is multiple certifications and the use of custom request lists. Now, there are a multitude of organizations that have amazingly complicated scenarios for compliance. So let’s talk about this a little bit more at a high level.

Yeah, I mean, I’ve been in this space for, you know, for a week or three, and it seems to be like a, you know, continuously getting amazed with, you know, with just how complicated some of the compliance scenarios can be, because, you know, you’ve got, even for small organizations, small and moderate-sized organizations, I mean, of course, if you’re going to, you know, just gigantic international behemoths and, you know, and whatnot, there’s various complications there, but even small to moderate-sized organizations, it’s amazing how quickly they can, you know, they can land into a situation where, you know, their compliance landscape just continues to kind of evolve and get more complicated. For a lot of organizations, it’s not like they, you know, oh my gosh, you know, somebody woke up on a miscellaneous Wednesday and just decided to turn the compliance program from zero to 100 on the dial, you know. In many cases, it starts off in a, you know, kind of a benign fashion, right? We’re going to start off, we’re going to get our, we’re going to get the bones of our compliance program up and off of the ground, and, you know, next thing, you know, you’ve got, you know, you’ve got new solutions, you’ve got new clients, you’ve got new, you know, kind of certs coming into the mix, you get acquired or acquire companies, you, I mean, it’s all sorts of things that kind of play into it, and each of these kind of layers of complication that start happening within the organization, they kind of pile up over the years, right? And all of a sudden, you’ve slowly been lulled from, you know, from, you know, hey, let’s start thinking about security and compliance to your security and compliance landscape is, you know, is just a shit show.

So it’s, you know, it is, it’s funny how those kind of subtle, you know, subtle changes over time, you know, kind of amass or mount up, you know. So certainly as we go through this topic, one of the things I’ve seen in this space where you’ve got organizations that do have astoundingly complicated, you know, compliance is because of the fact that it’s almost become a pain that they’re used to over time. You know, they tend to have this notion of we’re just going to do what we did last year because somehow we survived. And the piece that I would encourage to, you know, to companies and organizations, people that are, you know, working for organizations in this space, you don’t just accept the status quo. You know, it doesn’t have to be as painful as last year, you know, type of a thing. And there are ways certainly to make your world better, make the process easier, streamline, you know, your overall engagement and make it substantively less painful than last year. So, you know, just be open to, you know, be open to, you know, doing a kind of a level set and a reassessment of where you’re at. That’d be the biggest piece of advice that I would give folks, you know, as they’re kind of fearing or, you know, they got that pit in their stomach as they’re turning the corner back toward their annual cert run again, you know, it’s just it’s something that certainly with a little bit of pre-planning, you can absolutely, you know, take steps to make it better.

Yeah, that makes a ton of sense. Now many of these organizations have been struggling with managing their complex compliance for a period of time, right? Like a lot longer than any of them dare to admit.

What implications does this have? 

Well, most of the organizations, it depends on the organization, how long it’s been around and how long they’ve been doing security and compliance and what industry they’re in. Folks that have been dealing in the HIPAA space as an example, HIPAA’s been around for a year or three. And so they’ve had to find solutions for that far longer than, let’s say, people with PCI compliance, and they’ve been dealing with it far longer than, let’s say, somebody that’s doing a NIST CSF type of a deal. So depending on what industry you’re in, what certs you’re dealing with, it in all likelihood comes together over time.

And a lot of these organizations, they start with what they know, right? I’m going to find a homegrown way to go do this. And most people are usually used to Excel and kind of pinning together the semblance of organization through a myriad of astoundingly complicated Excel tracking sheets and a plethora of internal tracking mechanisms and whatnot. So that’s usually the way it starts. And the other piece that kind of changes over time is that these organizations, they end up finding more and more widely varied sources of evidence input that they need, people that they need to pull evidence from, systems that they need to gather things over, et cetera. So as they’ve been going, their internal homegrown approach to how they go ahead and do it just becomes continuously more complicated over that period of time. And it’s kind of like throwing the snowball off the edge of the hill and it’s picking up more and more dirt and sticks and twigs and leaves and it gets to the point where it’s able to take out trees and whatnot at some point in the game. So it gets exciting.

No doubt. What about, I guess the best way to ask this is, what are some of the factors about the company itself that add layers of complication?

Well, again, it depends on which style of organization we’re talking about, right? I’m just going to give you various examples of different companies and things that they may be dealing with in terms of layers of complication for their compliance, such as they have multiple physical locations where they have client or customer interaction. So I think, you know, like a retail style organization where they have, you know, they’ve got a corporate headquarters, but they’ve got a number of different retail, you know, customer facing retail locations that are, you know, that they’ve got that they’re responsible for. So that’s one scenario.

A second one is where they’ve got a multitude of different options that kind of cover the scope of their hosting. So corporate may have a corporate server room where, you know, some of the systems are sitting there. They may have one or more, you know, colo locations where they have physical equipment in at a, you know, kind of a hosting provider that they’ve got set up in, you know, Iraq in a colo style organization. They may have mid market, you know, mid market, virtual cloud providers that have points of presence in, you know, in various geographic locations. They may be using public cloud. So, you know, all of the various places that their sensitive data hosting systems, you know, sit, that’s another, you know, another portion of it, you know, corporate, corporate structure, just being simply spread out geographically or, you know, or any physical locations that are in scope for their engagement. So, you know, how the corporate office itself might have, you know, three different headquarters, you know, either spread all over the US or spread all over the world. You know, certainly there could be, you know, various offices in various countries. They could have personnel that are, you know, that are also spread out, whether it’s, you know, in different states or different, whether it’s different states or it’s different countries as well. So, you know, all of that, you know, the various people. And when I’m saying this, you know, what I’m really getting at, going under this guiding assumption that while it’s just the personnel of the organization that are provisioning, you know, provisioning evidence on the engagement, but it may be a series of contractors or source companies that they’ve got to collect, you know, stuff and information from layered on as well. You know, certainly the notion of having to manage or maintain various compliance standards, you know, we do, you know, certifications that they need to meet. 
So, we were talking earlier about how you’ve got an organization that decides to kind of step into the security and compliance space and whatever. I decided to go start with HIPAA and, you know, next thing, you know, oh, shoot, we’re taking credit cards. So, we got to go do PCI DSS as well. Okay. You go and you layer that on and then you get some big opportunity with a customer where they’re like, you must have SOC too. 

Okay, great. Throw that on the pile and, you know, and, you know, then you get into ISO. And so, you know, all of those, every time that you’re either adding a standard or, you know, another realm of complication that, you know, that’s less talked about is what happened. Like, we recently went from, you know, PCI 3.2.1 to PCI 4, PCI 4 to PCI 4.0.1. Just waiting for the shoe to drop when it goes to whatever they’re going to move it to, PCI 4.1, you know, type of a thing. So, you know, but when you’re now dealing with 3, 4, 5, 6 different, you know, compliance standards that you’re, you know, that you’ve got in your toolbox, all of those now can be changing, morphing, modifying, where they’re merging requirements, adding new requirements, dropping requirements, et cetera. And it just adds layers of complication every single time that they change those.

You know, for a lot of organizations, they basically have, you know, let’s use the example I was just talking about. I went in and I decided to go down the route of HIPAA. So, I picked, you know, mid-market, a mid-market provider that can give me the sign of the cross on a HIPAA style engagement. And then all of a sudden, you know, you go, oh crap, we’re taking credit cards. So, now we have to go ahead and layer PCI. Well, the mid-market assessor you had for the HIPAA stuff, they’re not a QSA. So, nope, now I’ve got to go ahead and I’m going to throw a second assessor into the mix. And so, you go and you pick out a QSA. Now, I’ve layered in my PCI, et cetera. And I go over to SOC 2 and, oh, guess what? The organization that you’re doing the HIPAA through, they’re not a QSA, nor can they sign off on a SOC 2 engagement. The person that you’ve got, the company that you’ve got as a QSA, they’re not, they can’t sign off on a SOC 2. So, now I need to add a third one into the mix. And I actually, I had one organization that I was working with that literally needed to modify, morph and change, you know, kind of the structure of their assessment firms because of different competing needs for, you know, for compliance standards and certs they need to go up against over time and, you know, attempting to try to validate that. But, you know, all of those arenas just add layer after layer after layer of complication, you know, into the overall compliance program for these organizations. I’m sure there’s more stuff I can, you know, pull out of the hat, but, you know, that’s good enough for demonstration purposes.

Some of these companies, Adam, have attempted to solve the problem themselves from a variety of different ways, but basically by consolidating a tracking system of some sort. Tell us more on that. 

Sure, so the more complicated that your compliance landscape looks like, the more apt you are to try to make it easier. And so many of these organizations with complicated compliance scenarios will move into a mode where instead of having to connect the same document, I’m just going to use an overall information security policy as a real good example. So instead of them grabbing their information security policy and on a full-blown PCI ROC attaching that to 120 or 150 different items, instead they go with this request list approach, which is I’m going to ask for the overall information security policy once, and then I know that I can use it to support these 120, 150 different requirements around my PCI engagement.

Similarly, as you start to do the, okay, now I’m folding in my HIPAA, now I’m folding in my SOC, et cetera, you have a similar notion where you’re basically capable of doing a request-once-use-many approach. So when it gets to folding in the multiple compliance standards notion, I mean, certainly if I were to take kind of a full-scale broad scope PCI ROC that takes a scope of sensitive data, not card data, and then try to bounce that up against either SOC 2 or ISO 27001, the level of crossover is astronomically high. So you’ve got, it’s 80, 85, 90% as I’m kind of comparing these. Now granted there are certain things that you need to do to be able to meet the criteria for SOC or to meet the requirements for ISO 27001, which once I’ve consolidated that all in, it’s still the same piece of evidence that I’m using in a myriad of places across my various compliance standards.

So, you know, you’ve got that in play, you know, this whole kind of mix of trying to make your world easier with the request list style approach, that now gets further complicated when you’ve got multiple assessors. So we were talking earlier about the organization that had at one point in the game, I think you had three different assessment firms that they had going. And so now I’m trying to coordinate getting all the right evidence over to assessor one, assessor two, and assessor three, it’s challenging, you know, but, you know, so far we’ve been talking about this in terms of, you know, the internal organization and them trying to, you know, trying to manage their data and information for their engagements internally.

And on the other end of the spectrum, we’ve talked about their various assessment firms that need access to the net results of all the things they’ve gathered, but it leaves out some players in the, you know, kind of in the space, if you will, because you also need to now think about, okay, so now I’ve got organizations that have a security compliance consultant that assists them and helps them with, you know, with orchestrating, gathering, garnering, doing sanity checks and, you know, and whatnot, whether it’s a consultant or it’s a workflow step where you’ve got an internal assessor that would, you know, kind of come into play, you basically have now control owners provisioning evidence, maybe they’ve got their managers reviewing the efficacy of the evidence that they pulled together flowing over to either, you know, an internal audit style function or a third party, sometimes a third-party consultant, you know, and whatnot. So, you know, you’ve got that then flowing over to the assessor.

So, you know, I’ve not only got the baseline complications, I not only have the complications around the assessors, but I also have workflow complications. How do I want to migrate or move my stuff through? So, you know, there’s a lot of, you know, there’s a kind of a lot of pieces, if you will, this puzzle of the complexity for some of these organizations and their, you know, kind of structure for their compliance program. 

So how can we solve this problem better? And like what option should these organizations be considering? 

Well, I mean, first and foremost, make sure that you’re, that you’re leveraging a quality compliance management system that can handle all of this tremendous complexity, you know, period, but you also want, you want a system which will, what I hate is I hate it when people are basically forced to fit the, how they want to do things into a particular tool. What you want is you want a tool that can modify more and be customized for the circumstances in, you know, in your particular case, at the end of the day, the vast majority of organizations do thing, they may call things different words. They may articulate it a different fashion, but at the end of the day, you know, there are certain core elements of functionality that are common across the vast majority of people that are in this arena. So, you know, you want to be able to get a tool that you can customize up to be able to have it fit how you do, you know, what you want to run your engagement, not being forced it, you know, kind of forcing yourself into completely gutting your existing process to be able to use a tool that would be, you know, that would certainly be great grit in the gear. So, yeah, definitely you want to take a look for a, for, for a good compliance management system.

Um, the other piece is making sure that you’re, you know, that you’re mapping all your data flows, um, you know, across these various realms of complication and, and doing so intelligently. Um, you know, we want to, we want to be able to maximize the efficiency of the program, uh, we want to be able to, you know, serve the correct information to the correct, you know, players in the, you know, in the data flow, um, that find themselves, you know, kind of down the line from the, you know, kind of the data flow of information, such as the assessor. So, you know, it’s kind of a fine balance of, uh, of being able to take, um, you know, take, take the folks that need to provision the evidence, do so in a, in a clean and consolidated fashion, uh, and then, uh, and then being able to kind of route that through the various approvals and then map that out against the, you know, kind of the end consumer, if you will, of the, of the generated evidence being the various assessors for the various, you know, target standards or certifications that you’ve got, uh, you know, certainly, uh, you know, certainly you want to be able to, uh, to, to do all of that, um, you know, assisting with boiling it down to that kind of consolidated request list and whatnot. It’s actually a pretty big, uh, project, uh, to be able to, to go and get through. Um, you know, I’m actually, I’m, I’m working with one, you know, one huge organization that has a lot of complication and whatnot and kind of helping them, you know, with, you know, walking through their, their process and, and, and how that data flow should be in, uh, should be configured and set up and, and whatnot, and man, it’s, uh, it takes a minute to go through and make that investment so that you can integrate it into making things better. Um, you know, in, in the last thing I wanted to, you know, kind of go through is that, you know, we talked earlier about the fact that, you know, you, you do want a system that can, you know, that can, um, it’s capable of integrating the way you want to be able to approach your approach, your engagement.

That’s a big deal because now you’re not having to sit there and go and retrain folks that have been doing this for years, uh, you know, on, uh, you know, on the, the general approach to how they do what they do. Uh, the tooling may be different, you know, the way that they provide the information may be different, but, um, that’s an, that’s an arena where, um, you know, if you’ve got that capability, it’s certainly going to make things a hell of a lot easier on your internal team, uh, as you’re, as you’re going about kind of overhauling the, you know, the internal system.

That makes a lot of sense. What additional factors increase the complexity for some organizations, such as the ones that we’ve been talking about? 

Well, you know, if you think about it, right, I mean, we were talking earlier about various scenarios that layer over complexity. So I’ll kind of go one more deeper on the levels of pain, if you will. You know, in some cases, you’ve got a corporate organization that has subsidiaries. So let’s call for the sake of this discussion. Let’s call it a, you know, kind of a retail of, you know, fast food chain would be a decent example. Excuse me. So you’ve got corporate, if you will, where they’re doing gathering evidence, et cetera, and taking on certain responsibilities for the overall program, but you now have these various subsidiaries. In some of these cases with these style organizations, it’s not a simple, oh, I’ve got subsidiaries, but some contingent of the subsidiaries are corporate locations. Some of the subsidiaries are franchise locations. So you’ve got a lot of complexity there, and depending on the target organization itself, you’ve got a situation where corporate is, you know, each of the individual, you know, subsidiary locations, each of them has to provision reporting independently because of the way that they’re structured.

So what you have is you’ve got corporate provisioning, gathering, garnering evidence, flowing that down to the subsidiaries with the capability for every subsidiary to be able to then fill in the blanks with their own evidence and then generate reporting, which is an amalgamation of both the corporate level as well as the evidence from the subsidiary themselves. You know, in another case, just to turn this completely on its ear, you’ve got this battalion of subsidiaries, which for the organization, the way that they operate is, I gather up some evidence from all of the subsidiaries and I have it all flow together for one, you know, whatever, one ROC to rule them all if they’re doing PCI, right? You know, where all the evidence across dozens to hundreds of independent locations is all flowing together into a single, you know, corporate report, you know, a lot of the time, kind of the driving factor for that decision by a company is whether or not the subsidiaries are required to do that separate reporting. But you’ve got two very, very different scenarios for those style organizations. Oftentimes you’ve got organizations taking an approach of just automagically doing whatever I did last year and not realizing how much more effectively they could manage their engagement by giving it a whirl with that quality compliance management tool and taking that opportunity to offload things that are generally a complete waste of time on their engagement. I mean, one of the things that I continuously harp on whenever I’m talking to folks about the benefits of taking a fresh look at your overall program is things like, if you’re using a quality compliance management tool, now when I used to go through and prepare for my out of the gate, when I start my compliance engagement, I have like one compliance meeting a week internally.

Maybe I have one assessor meeting every couple of weeks. Well, as you start to kind of ratchet up the pain levels, get a little closer to the end of the cycle, et cetera, your one internal meeting a week turns into two internal meetings a week. Your two internal meetings a week turn into three internal meetings a week. Your once every two weeks with the assessor turns into once a week with the assessor turns into twice a week with the assessor.

So before every single one of these meetings, every single one, I know as I’m saying this that there are people listening to this who are just chuckling. Before every single effing meeting, some poor soul has to sit there and basically figure out where’s all my stuff at, right? And depending on the complexity of what they’re dealing with, this could be two hours. This could be four hours of preparation before that meeting, just to try to figure out where’s all my shit at. And it is literally one of the single dumbest wastes of time that I’ve seen on engagements. And so it’s things like that that kind of play into it. The other side of that coin, the people that are chuckling are the ones that know that I’m right because they sat and spent the two to four hours before each effing meeting, trying to figure out where all my crap’s at. And meanwhile, no offense to the, I call them the uppity ups in the organization, but somebody in the C level just goes breezing by this poor soul’s desk on a miscellaneous Wednesday afternoon. Hey, where are we at? Well, I can’t just answer the damn question. Now I got a fourth opportunity that week to try to figure out where all my shit’s at. I mean, that’s just one arena where you’ve got lift that ends up happening when you take a fresh look at it and really open your eyes. The other piece that I would say is that the leadership in these organizations, I mean, it’s real easy to go swing by and you know that Fred or Betty is going to go do whatever they did last year, magically everything just comes together and they don’t have any idea what dimensions of pain those poor people have gone through to be able to make it from the start of their compliance extravaganza to we’re done. There’s lots of sleepless nights, there’s a lot of long days, there’s a lot of extra weekends, blood, sweat, tears, stress, you know, all that fun stuff that happens between those two points.

And the uppity ups within the organization generally are oblivious to what the hell’s going on. So I’d encourage both the folks that are frontline on this stuff, speak up, display as you can, display to your levels of management what you’re going through and how you want to try to make it easier. And similarly, for the members of leadership, I would very, very strongly encourage you, do yourself a favor, do your team a favor, start asking questions, ask them to show you how they’re doing, what they’re doing, ask them about what they’re typically doing in a given day, in a given week, you know, especially, you know, see if you can get that input from them as they’re right in the thick of trying to, you know, trying to get everything wrapped up. You may be very amazed at where people are just absolutely annihilating time.

Parting shots and thoughts for the folks this week, Adam. 

Well, I kind of hit it out of the gate, you know, when I said, you know, I cannot encourage organizations enough, you know, if you’ve got complicated compliance or your compliance is just a gigantic pain in the ass or it’s taking you more time than you know that it should, you know, and whatnot. Just do, do yourself a favor, do your organization a favor, you know, get the eyeballs open, take the opportunity to see a better way of going about doing your compliance, you know, a lot of times for the folks that are eyeball deep in this stuff, you know, it feels like it’s not attainable to get good to actually migrate this to something that’s better.

You know, a lot of the, a lot of the time, you know, the folks within the organization, it’s just, it’s a pain that they’re used to is kind of the symptom here, but I really feel sorry for these folks that don’t take that opportunity to make those improvements to their stance because there is a tremendous amount of pain on these engagements that can actually be relieved.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.

And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
