Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Best Practices for Handling Compliance Obligations Related to Incident Response
Quick Take
Join Todd Coshow and Adam Goslin as they help listeners transform their compliance management during incident response chaos into a streamlined, proactive system.
Discover how intelligent automation and continuous evidence collection can enhance compliance readiness and reduce audit risks. Learn to shift from reactive, paper-based tracking to a strategic advantage, turning compliance into a competitive asset.
This episode of Compliance Unfiltered offers practical strategies for making compliance a strength, not a burden.
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the peanut butter and your compliance Reese’s, Mr. Adam Goslin. How the heck are you, sir?
I’m doing good today, Todd. How about you?
Oh, all things considered, sir, I’m playing a little injured, but we’re going to make it through. I appreciate the time to get to chat with you about some new stuff.
Today, we’re going to talk about better ways to manage your compliance obligations as related to incident response. Now, for everybody at home, how does a typical organization track and manage their incident response today?
Well, I mean, it depends on the organization and they’re, you know, kind of the tooling that they’ve got, et cetera, you know, certainly some folks could be using some form of a system. But generally speaking, you know, a lot of incident response is kind of handled through, you know, handled through ticketing systems, you know, supported by a lot of, you know, manual tracking sheets and things along those lines.
So in some cases, it’s exclusively, you know, a manual process. So there’s a, you know, kind of a tracking sheet for the list of the incidents. For each of the incidents, you’ve got a, you know, a particular set of documentation that you have a form or a template that you go and you fill out for as you’re going through your incident response so that you make sure you’re filling out the right paperwork and all that fun stuff. But, you know, the vast majority of the time, it’s just a, you know, kind of manually managed, primarily sometimes there’s a little bit of systematic in the mix and far less frequently have I seen any form of real, you know, kind of a real systematic solution for it. It’s generally a manual process.
Well, how does, well, I guess how can technology and automated intelligence help an organization to step up their overall compliance program, including IR?
Well, when you’re going through compliance, there’s obviously between hundreds and thousands of things that need to get tracked, managed, and all of that fun stuff. So certainly for the uninitiated leveraging, tooling like the Total Compliance Tracking’s TCT portal is a far better way to organize your engagement.
Certainly the capabilities that exist within the compliance tooling will help with making sure that the organization is checking the various boxes that they’ve got. But in many cases, it’s funny for the folks that are whitewashing it, if you will, they have this notion of, oh, do we have incident response? Yep, check, move on, mentally move along, right? Similar notion where they go in and they do that with active antivirus. It was the one I love to throw around every now and then, it’s like, yeah, we got antivirus, sweep it under the rug, and meanwhile, there’s whatever, there’s dozens of line items that you need to validate, prove out, et cetera, against these various compliance topics. So especially for the folks that are kind of newer to the continuum, or maybe going through their, call it the annual compliance scramble, certainly they, it’s kind of like Groundhog Day and a lot of whitewashing that goes over it, and then all of a sudden they figure out, oh, well, these are all the things we really need to do. And unfortunately, there’s organizations that kind of find out those details too late, if you will, in the game, in that they are sitting there, sitting at their audit and realizing that the assessor’s asking for stuff that they hadn’t put together, organized and kind of contemplated prior to sitting right there in front of the assessor. So that makes things a little awkward.
No doubt. Now, what capabilities in the tooling should organizations be looking for?
Well, certainly, you know, with the different things that need to be done, and, you know, for anybody that, you know, that does something like leveraging the TCT portal, you know, we’ve got in there the capability. It’s kind of fun watching organizations go through, you know, kind of their year-over-year maturity improvements that they’ve got available to them as a result of the, you know, kind of tooling capability.
So, you know, one of the things that, you know, when an organization does their, I call it the annual compliance scramble, you know, it’s compliance season and everybody drops what they’re doing for a period of months and, you know, goes off into the cave. You know, when you’re doing it that way, most organizations, when they step into compliance tooling, typically just take their, you know, take their compliance scramble, you know, port that over and into their tooling and kind of suffer their way through their first year’s, you know, first year’s worth of engagement. But, you know, some of the capabilities that, you know, folks should be looking for is the ability to, we call it operationalizing compliance. So the ability to effectively take periodic, you know, evidence collection, spread that out across the course of the year. So one easy example in the case of incident response, you know, if your, you know, is a quarterly pulse check, hey, have you had any incidents over the, you know, over the prior quarter? You know, if so, then let’s go ahead and get, you know, get the evidence loaded up and into the system so that it’s near term, so that you’re able to take a look at it early in your compliance cycle, so you can get it loaded up for, you know, for your assessor’s review, et cetera. That’s one, you know, kind of one example. So a lot of times what I’ll see is that operational mode of compliance is certainly a capability that is important, spreading out those, you know, those periodic tasks. But the other piece is, is that if you do have a, if you do have like an operational mode compliance approach, usually what ends up happening is, is that I go from the annual scramble, I go into more of an operational compliance mode. It’s usually a rough, I’ll call it a rougher transition for the first time that they go through it, but kind of perfect it the following year. So now I’m in my third year, you know, type of a deal. 
But once I get past that, one of the capabilities that the organization should be looking for is the ability to kind of stage their annual compliance evidence and stage it up across the course of their compliance year, you know, type of a deal. So, you know, things like reminders for, you know, reminders for the team, hey, it’s time to go in and do your annual review of the, you know, of your incident response plan as an example.
That’s something that you should be able to go in, apply a particular date that works for your organization, customize it to, you know, customize it to your needs and your timing. But that’s also all capabilities that you’d want to see within the, you know, within the tooling that you’re, that you’re leveraging, because that will, you know, that will really, once they get through kind of two years operational mode, then stepping into that spread of the annual compliance elements out across the course of the year, that’s usually where I’ll see the compliance programs maturity, really kind of step in.
And then you’re really gaining, you know, some serious efficiencies, you know, on your program and kind of running it properly, if you will.
Now, what recommendations do you have for organizations surrounding their approach to incident documentation needed for their assessments?
Well, first and foremost, and I’m a huge proponent of this, is that for the organization itself, just make sure you’re on the same page with your assessor about exactly what you’re going to be provisioning. On the same page about the approach to the evidence.
So as an example, you know, are they wanting, you know, each quarter, are they just wanting the list of the incidents loaded up and then they want to select and from a sampling perspective, you know, these are the incidents we want to see the detailed paperwork on. I’d say it also depends too on, you know, on the organization proper. You know, one organization may have five incidents that they declare over the course of the year. Another organization could have 2,783 incidents that they declared over the course of the year. So the assessor’s take is going to be different based on the circumstances of the particular organization that they’re dealing with, but, you know, certainly knowing and understanding what it is that they’re seeking, you know, surrounding the evidence needs that they have, that’s absolutely a good idea for the organization to go through, is to kind of get that kumbaya moment in place with the assessor so that they can make sure that they’re kind of hitting the mark. Certainly if your assessor is willing to view and review the interim evidence that you’re putting together across the course of the year in that operational mode, you know, getting it in front of them soon, sooner, early in the process, that’ll also be something that will be helpful, you know, for the target organization just to make sure there aren’t any late breaking, you know, late breaking, you know, any late breaking surprises, if you will, where you’ve missed the mark in terms of the expectations of the assessor. Those are the types of things you don’t want to be finding out when you’re ostensibly headed toward the finish line, if you will.
Sure. Now, some organizations seem, I mean, understandably, but they seem very reticent to declare an incident because they view it as bad. What are your thoughts on that?
Well, there’s a couple of schools that I usually will school the organizations that I’m working with. Declaring an incident is not a bad thing. And in fact, you know what’s interesting insight that I’ve seen over the years is that when it comes to the assessors, many of them actually would prefer that the organization’s actually declaring incidents. Because there’s several things that happen as a result of not being afraid to declare incidents. Number one, the assessor can tell that, well, this company is actually exercising their incident response plan. You know, they are proving time and time again that they can kind of follow their plan. It allows the operational personnel to become more like a well-oiled machine in terms of just kind of knowing what we need to do. The minute that an incident’s declared, all of a sudden everybody knows exactly who’s doing what and what do we need to do and in what order and what are the steps and who’s carrying this ball, et cetera. It all tends to fall into place very smoothly in an organization that is actually declaring them.
The problem with the not declaring of incidents, okay, so we kept the record clean, right? Oh, we didn’t have anything that we believed needed to fall into the scale of an incident. So we’re awesome. Except for the fact that when they do have a problem, dude, it’s a mess, it’s an absolute mess. Because number one, the last time anybody looked at the incident response plan was when they did their brief annual review of it type of a deal. And other than that, the operational personnel really don’t have a track record of being able to follow it, certainly for that type of an organization. The other downside is they haven’t had any opportunity to make iterative improvements or adjustments to their incident response plan through the year with the exercising of it. So there’s a lot of benefits for the declaring of incidents. One thing that’s interesting, right? The vast majority of incident response plans will contain some form of like a severity level of the incident, right? I’ve got everything from at the very tippy top of the food chain, it’s all hell broke loose, and at the bottom of the food chain is this maybe something that’s interesting that we wanna go take a look at. And that’s common for folks when it comes to incident response plans. To that end, I really struggle to understand that logic of the organization that’s reticent to declare the incident because you’re telling me that not one thing happened in the last 365 days that was even interesting enough to do an investigation. It’s not plausible that that’s reality. And so it actually, despite the drive for that organization to try to, well, hey, we didn’t have any incidences and they pat themselves on the back, you’re actually shooting yourself on the foot because any assessor worth their salt walking in is basically gonna go, what do you mean you didn’t have an incident all year?
It actually gives them a negative connotation around the organization, how they go about kind of working their things and working through stuff. It just literally leaves the worst impression on the assessor as a result because it’s not normal that the organization would kind of be in that position.
So I love the notion of declaring incidents early often. There’s a lot of fringe benefit and direct benefit, quite frankly, for the organization that takes that type of an approach.
Well, what type of considerations do organizations need to account for when it comes to the decision to use an actual incident versus a tabletop?
Well, you know, we kind of go to those, those two styles of organization, and certainly one could use a tabletop at any point in the game, but for the organization that is regularly declaring incidents, they’re declaring incidents, they’re working them through, they’re making sure everything’s buttoned up, they’re, you know, they’re, they’re, you know, double checking all the paperwork, et cetera, and they’re, they’re just, they’re, it’s part of their DNA, right? And so using the actual incident, and this is, and this is really where part of the conversation, you know, harkening back to the topic we were talking about earlier about part of the conversation with your assessor is be especially being on the same page about given our approach to the declaration of incidents, you know, can we use, you know, one of our incidents as, you know, as an example of our having, you know, kind of exercised the, the incident response plan and perform training, because a lot of times, so I’d say more often than not, the assessors are supportive of the notion of leveraging, you know, leveraging a live incident, if you will, to double in as the, you know, kind of as the training exercise for the annual training for, for incident response.
And typically what I’ll see out of the, you know, sometimes the assessors will just say, yeah, yeah, you can use an existing incident as a, as a training exercise. In other cases, I’d say maybe in half, about half the time, the assessor actually wants to, I don’t want to pick the, the quote declared incident that was, hey, I found something that’s interesting. We might want to go in, look at, I went, you know, Bob went in and looked at it, determined it was a nothing burger. And so we all went back to sleep. That’s not the incident that the, you know, that the assessor is going to want to leverage as a true exercising, you know, if you will, what they will be looking for is they’ll be looking for an incident with, you know, a larger impact that included more people within the organization to, you know, to, to go about tracking and managing, you know, managing that particular incident, because it now means that I’ve got all the right players and, you know, everybody was engaged in this. I can show broad scope, broad scope coverage of, you know, training activities across all the various departments. So it’s just good to, to be able to do that. Now in, you know, there’s nothing stopping the organization that uses actual incidents as a, you know, when it comes to training, there’s nothing stopping them from doing a tabletop. But on that other end of the spectrum, we were talking about where you’ve got an organization that’s reticent to declare an incident. They literally don’t have any choice. They don’t have an incident that was declared that they can go use for, you know, the training activity.
And so they actually need to, they need to go in and do, do a tabletop. Basically, for those that are kind of not familiar with the, you know, with the term, a tabletop exercise would be one where you basically pulled together all the parties that would participate in the incident response and you run through a scenario. Usually there’s a facilitator involved that’s kind of walking you through, through whatever, whatever you’re kind of made up incident that there is and the team will spend time, you know, kind of walking that through. Now where I’ve seen it done well, no joke, a tabletop exercise.
I don’t know. It’s like a, it’s like a three hour commitment, right? You know, you, you’re running through all these different portions of the, you know, of the scenario and watching the team collaborating and working things through and, you know, things along those lines. The tabletop does have some material benefits in that. It does give the team an opportunity to exercise the incident response plan, to read the incident response plan and figure out whether or not there’s, you know, changes or modifications needed based on the results of the tabletop, etc. But it’s, it’s, I’ll tell you what, it’s not quite the same using a tabletop exercise as it is, hey, this is, this is real world. I think in a lot of ways, those that don’t declare the incidents, they’re almost kind of hobbling themselves, if you will, in terms of they, they’re not getting the exposure of their personnel to their incident response plan and being able to kind of gain all the material benefits that, you know, that kind of come, you know, come across it. You know, give me one. I think I already, I think I already kind of killed the, uh, kill, killed that one. So yeah, I, I think we’re, uh, I think we’re in pretty, pretty good shape there. The, the, you know, again, I, I would strongly encourage the organizations to, you know, go in and, you know, go in and exercise that, that incident plan. Don’t be afraid to declare them. There’s always things that are going on in a, in a technology based environment, uh, which should be eligible for, for running through incident response.
Parting shots and thoughts for the folks this week, Adam.
Well, a couple of different things. We’ve talked about a lot of covered a good amount in a fair amount of depth. But, you know, the one thing that we didn’t do, we didn’t touch on this. We were kind of talking this through making sure that your incident paperwork is getting filled out correctly. I’ve had more than, more than a handful of occasions where, you know, you kind of, you know, the, the, uh, either the crew has lined up particular incidents or the, uh, assessor went in and did some sampling work to, to cherry pick out, uh, particular incidents, uh, you know, et cetera. And only to find out that, Oh, well we forgot, you know, so-and-so forgot to sign off or this thing is blank or whatever it may be.
So as part of your internal kind of incident procedure, make sure that somebody is kind of collecting up the final documentation, running it through an internal QA process. Uh, that way we can make sure that all of the potentially sampled incidents, um, have their paperwork filled out properly. They have all the right sign offs. We filled in all the right boxes. We’ve, uh, included all of the elements that are required, uh, based on the security and compliance standards that our organization runs up against. You’re just making sure you dot your I’s and cross your T’s, et cetera. Um, that way you can rest assured as you’re walking into your, your annual assessment at the end of your annual assessment cycle, that you’re not going to have any, uh, ugly surprises that, uh, jump up to, to bite you in the arse.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.