Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Live Linking and Multi-Cert Mapping

Listen on Apple Podcasts
Listen on Google Podcasts

Quick Take

On this week’s episode of Compliance Unfiltered, we have the pleasure of welcoming TCT’s Head of Product, Jon Dotson, to the show. Jon unveils the latest exciting release of Live Linking between multiple certifications on TCT Portal.

Live Linking makes it easier than ever to work in multiple certifications. Eliminate duplicate work and streamline your compliance tasks more than ever. Jon walks you through exactly what Live Linking is, how it’s helpful and how it benefits both companies and Assessors, in a myriad of compliance situations.

Need custom certification to certification mapping? Jon breaks down how TCT Portal has you covered there too.

All this and more on this week’s episode of Compliance Unfiltered!

Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks

Read The Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow. Alongside a man who literally eats compliance for breakfast three times a week, at least. Adam Goslin, Adam, how the heck are you? I’m doing great, Todd. How are you? I can’t complain. It’s a good day, and we have a special guest. Yes, we do. We have a special guest. That’s right. I want to take the time to introduce to the folks, TCT’s Head of Product, Jon Dotson. Jon, thanks so much for joining us today. Yeah, thanks for having me. Absolutely.

Well, the purpose of our conversation today, Adam, is really to chat a little bit with Jon about some of the comings and going, some of the new things in the Total Compliance Tracking arena, specifically the newest release around live linking and cert mapping. So what are we talking about there? What are those things? Yeah, so the big part of this latest release that we just pushed out was really to focus on overall mappings between certifications, and the ability to have evidence shared across multiple frameworks. So, that was a really big push towards this latest release. And, there’s really two kinds of key features that you mentioned, we’ve got this live linking capability, and cert mapping. So live linking is the ability to tie multiple certifications together, and have the evidence automatically populate in the other destination certification based on the source. So, if you’re going through say PCI and HIPAA, for example, and you upload evidence into the PCI assessment, it will automatically populate in the corresponding controls within HIPAA that align to that specific requirement within PCI. And the type of data it brings over, is really all the evidence. So whether it’d be explanation type evidence, or whether it’s actually an attachment based evidence, it’s going to bring over both of those and automatically populate them in real time. So yeah, absolutely. And it really allows for the mapping of any standard cert, to another cert, and having that data pre-populate.

So what’s an example of that, Jon? Yeah, I mean, so as I mentioned, a perfect example is PCI to HIPAA. But, it could be NIST to ISO, c CMMC, PCI to CMMC, whatever it may be. I mean, really all the different types of certifications that are out there, we can support handling that certification mapping between both of those, and the live linking that goes along with it. It can even handle things like customized controls. So if you’re familiar with the SOC 2 framework, that actually has our personalized control capability, where you’re able to go in and create your own custom list of controls, where you can build in the mapping between those controls. And with just a standard framework like PCI, you can actually have that data live linked either from PCI to the SOC 2 assessment or vice versa.

Clearly that sounds like a benefit, but how specifically is live linking helpful? Yeah, live linking is helpful for any organization who has to undergo multiple frameworks. I mean, it essentially eliminates the duplication of efforts on their part, to have to upload the same set of evidence into multiple requirements, across those different frameworks.

Adam, what’s your thoughts? Well, one of the big challenges that organizations face, especially when you’re trying to approach, this universal approach to multiple frameworks, is you’ve got that possibility that your evidence kind of diverges, right? You start off with your central information security policy, and let’s pretend for the sake of this discussion, I’ve got PCI that’s mapping off to HIPAA, ISO, and SOC as an example. And so, we get through everything in PCI, thumbs high, everything’s good. Now all of a sudden we’re in and we’re working on the HIPAA track, or the ISO track, and we need to make a tweak to that information security policy. The part of the problem in the past was, that your evidence would effectively diverge. Someone goes in, tweaks that policy for whatever minor change they wanted to go make for ISO, and now all of a sudden, I’ve got two different versions of the policy. It starts to become a nightmare to deal with. So when you’ve got them all strung together like that, that eliminates that possibility of evidence divergence. And certainly, just like any multiple certification approach, you’ve got to spend the time to go in, get everything mapped together, that’s something that you would do upfront. Because all of this is automatically populating, I mean, it’s just an enormous time savings, over having to hold all of this together. I like using the expression human glue, but it beats trying to hold it together with blood, sweat, and tears, by some poor soul that has to sit in the middle of the storm, right? Trying to hold on to all the ends of these ropes, and hold it all together. Because it’s flowing through automatically, just a huge amount of time savings. Yeah, and I think that’s a great point Adam, is talking about that feeling of really grasping at the ends of kites trying to fly away in a storm.

And I’m curious, what types of compliance situations would people find benefit in this? Yeah, I mean, I can see this being beneficial for really any organization that has to go up against multiple frameworks. As I mentioned, I mean, it doesn’t matter whether they’re doing PCI, HIPAA, SOC, ISO, or CMMC, any of these organizations who have to undergo multiple of these frameworks, will have the ability to map between those controls in the TCT portal. Having that data be automatically populated is going to be massive.

Adam, you’ve got any thoughts on that? Yeah, the reality is that for the most part, you think about the organization, and Jon, you were talking about a variety of standards. I mean, for many organizations, their initial kind of, we’ll call it trip into the compliance arena, is because of one client, or maybe because of their requirements as an organization they need to go up against PCI. And then all of a sudden, fast forward six months, years, whatever, and some new client comes along and says, oh, I need you to be filling the blank complaint. And so, a lot of these organizations are seeing layering of various certifications coming at them. But, in many cases, organizations have some pretty specific needs. Think about an organization that has a series of subsidiaries that they either have to report on different compliance standards, or they’re sharing information from headquarters down to those subsidiaries, that type of a model would certainly benefit, if it’s a corporate and franchise style model, where the franchisees effectively are inheriting certain controls from corporate headquarters. That’s another example. And then, organizations that need to share compliance evidence between various internal entities, maybe they’ve got a need to be able to report separately on PCI, for this internal sub entity, versus this sub internal sub entity. Now, you can go ahead and map, you have a mirror between those as well. So, there’s a number of different compliance situations where that benefit is seen. Sure.

Well, I guess that kind of leads me to my next question. Which is, what is customizable certification mapping? Well, since every circumstance is different, right? Every circumstance for a company is different. It’s based on several things, the company that’s going through the assessment, which certifications they have involved, and the business circumstances. We were talking about several examples a minute ago about business circumstances of the organization that’s going through the compliance. What does that structure look like with vendors involved? Every single one of these companies is going to come up against a unique set of circumstances, and have their own way of being able to do mappings. So what we wanted to be able to facilitate, I’ll let Jon kind of explain it a little bit more here in a second. But, we wanted the TCT clients to basically have control of the mappings that they had with their particular certification.

So Jon, why don’t you continue carrying the ball? Yeah, I mean, within the TCT Portal, we have a bunch of mappings that already exist. We go through, we take a look at the different standards, and we go ahead and take various requirements that align, and map them together so that they can share evidence across those various certifications. So, this customizable mapping just kind of goes above that, and it allows the user to be able to see what existing TCT mappings are there. And then from that, they can go ahead and choose to customize them, where they have the ability to go ahead and add additional mapping. So if there’s some additional requirements that they believe align and share evidence, they can go ahead and create those, or they can take a look and say, I don’t necessarily agree, or I don’t feel this particular item should share evidence between the two different certifications, they can remove it. So, it really gives them the ability to add, remove, or align with those specific different business needs that Adam was talking about. Well, how helpful Jon. Yeah, I mean it really allows the organization, to really specifically tailor their instance, to specifically tailor the mappings, to align with what exactly they need to do and how they need to do it. So, it’s really great from that standpoint.

Any additional thoughts? Yeah, reality is, it gives the organization full control of the way that data is flowing through. They get to take advantage of what exists already, but they’re not stuck with it, they’ve got full control of the way their data is flowing through their various standards and certifications within the portal. And, that really allows them to set up Their specific instance in the way that makes sense both to the organization going through it, as well as their assessors. Jon, tell me a little bit more about the assessor capabilities. From the assessor side of things, if they’re going through and setting up those customizable mappings, they’re able to do that on a templatized level. So I mean, they really can go into their template, create and customize those mappings right there and then. Moving forward, on every single one of their assessments, they’re able to apply that template and have those corresponding mappings already built out. So, it allows them to just have one spot to manage their mappings, and they’re able to share it out amongst all of their clients that happen to leverage that particular template.

What are some of the situationally applicable examples of that, Jon? Yeah, I mean, one thing that’s extremely nice is, as we were talking earlier about live linking, that real-time sharing of the data, not having to sit there and import it via the tool, having it just automatically populate, that is entirely based on that customizable cert-to-cert mapping. So, the moment that an organization goes and creates, or either ads or removes from, say, the TCT-defined mapping, those items will automatically either disappear if they’ve removed it, or if they choose to add, suddenly that information will automatically populate on that other certification. So, it really allows them to see almost instantly as they’re changing and seeing the data populate appropriately. And, it really gives them full control over all the different circumstances of their company, whatever it may be, whatever business needs arise, they’re able to really have full control over that information.

And Jon, the additional thing is, I’ve been really excited about this capability coming into the portal, because of the fact that we serve folks that are going through compliance. We’re serving consultants, and folks that play in the compliance prep arena. Helping companies get to a point where they’re ready to go through their compliance assessments. I’ve been really excited about this capability for live linking, as well as standardized cert to cert mapping, because it’s going to really allow those service providers that leverage the portal, as well as the assessors that leverage the portal, to increase their standardization of their engagements, they’ll be able to templatize everything, they’ll be able to have different templates for different business circumstances. So, it’s really, really cool being able to see the material benefits for the assessors and service providers, being able to use these features and functions.

And one other thing that I was going to mention as well, Todd, is that, for those that haven’t had the opportunity to work with us. It’s one of the things that really kind of sets us apart from a lot of players in the space. We genuinely, truly care about the experience that anyone that’s using the TCT Portal is going through. So, often we will take in requests for enhancements, requests for additional features, or requests for additional functions. And, as long as it’s good for the TCT Portal and the overall client base, then Jon will go ahead and add that item to the list, and we’ll let them know when it gets there. We’ve actually had a good number of requests for greater capabilities for cert-to-cert interplay, as well as the templatization and customization of the mappings between certs. So, it’s really cool seeing this coming into fruition, if you will.

Adam, that’s a really interesting point you raised. Jon, I wanted to ask you the question, since we have you. What is it like for a TCT client who has a suggestion? How do they make those to you? What is your feedback like to them? How does that process go from, hey, this would be nice to have, to hey, this is part of our functional release this month? Yeah. Like Adam said. Simply just send over an email to our to our standard portal support, or directly to me, just saying hey, this is something that I feel would be beneficial for the portal. Or hey, does the portal do this? truth be told probably about 75% of the time we’re getting these requests from existing clients who are using the tool, and saying, hey, it’d be really nice if the portal does the following. A lot of the time, we already have that capability, or another user has brought it up in the past and we’ve already handled it. But for those cases where it’s something new, we sit there, we evaluate it to determine if that’s something we feel could be useful to the tool overall. From there, we’ll get it in our development queue, and we’ll go ahead and process that through our development lifecycle. I mean, I think Adam talked about it, but roughly, I’d say close to 90% of every functional release that we have from the TCT Portal nowadays, is something that is client requested. And on top of that, we just continue to keep them up to date as to where it is. So I’ll be regularly reaching out, saying hey, it looks like it’s gonna be in this upcoming release, we’re working on it now. And even if I have specific questions or feedback, I’ll go ahead and reach back out to them and ask them specific questions that may be necessary. We appreciate the collaborative effort of our clients, when it comes to building a new functionality into the tool. We work pretty regularly with them, to ensure whatever the new functionality we’re implementing, is going to actually meet the business needs of the client. So, we regularly keep them engaged throughout the process.

Well, Jon I wanted to ask you what type of feedback do you usually get from the clients? like someone who’s requested a functionality? And then when are you actually able to deliver it to them? What is that conversation like? I mean, it’s a pretty good conversation. That’s really why I do what I do. That gives me the satisfaction, just being able to see something conceptualized. From, being able take it through, do what we do, meet their need, and come back to them and let them know, hey this is completed. They’re obviously super ecstatic. And as I continue to work with them, they’re pretty much informed throughout the process, knowing that this is coming. But, it’s always super cool when you can actually roll this out to them, and allow them to see this functionality, and just hear the relief that they get. Because most of these requests that these people are making, are related to things that are going to save them time throughout their day. So, it’s always good when you can implement a new piece of functionality that’s going to save them time, and make sure that they can use their time efficiently. That’s the entire purpose of the portal. So being able to do that is pretty awesome, and having those conversations is great.

The one thing I was going to throw into the mix, and Jon, really to you and the team that does the support for the TCT Portal. I mean, one comment that I’ll get routinely is just how impressed these organizations that work with the TCT Portal are in the quality of the interchange, the reaction times, the openness to provide assistance, answer questions, do so expediently. It’s a constant accolade that the team gets. You guys keep doing what you do, and keep being awesome. Thank you. Certainly.

So Jon, that leads me to my last question here. We’ve talked a lot about this live linking functionality. When does this major, major release hit the TCT Portal? Well, it’s already out there, Todd. It’s already been released. We’ve already deployed it to quite a few of our existing clients as well. So it’s already gone off well, and anyone can take advantage of it, which is great. Yeah, and for the listener, I knew that it was already out. I was just being a little cheeky. Sorry. That said, Jon, I can’t thank you enough for your time today. We greatly appreciate it. Thank you for sharing the new functionality that’s coming out, and we look forward to having you back on Compliance Unfiltered, when opportunities arise. Thanks again. Agreed. Yeah, thank you. Thank you for having me. Cheers. Take care.

Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.

KEEP READING...

You may also like