Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: A How To Guide for Handling On-Site Audits/Assessments
Quick Take
On this week’s episode of Compliance Unfiltered, we discuss the ever-stressful on-site compliance audits and assessments. Just the thought of going through an audit can twist a compliance manager’s insides in knots. But you can enter your annual assessment with confidence rather than dread.
Adam calls on his decades of experience to help you understand how to successfully navigate from, “OMG it’s time for our compliance audit!” to “Phew, thank goodness, we made it!”
- What do you need to know and do in advance of the audit/assessment?
- What will your visiting Assessor need from you and the organization?
- How should you prep for your audit internally?
All this and more on this week’s episode of Compliance Unfiltered!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated. It’s so hard to keep organized and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now here’s your host, Todd Coshow with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside the man, the myth, the compliance gentleman himself, Adam Goslin. How are you good, sir?
I’m doing good. It’s always entertaining to see what you’re gonna come up with for the intro.
I like to keep you on your toes, sir, keep you on your toes. So today we have the opportunity to kind of talk about something that, well, hasn’t really been as much of a focus over the last couple of years for some folks. But as the world kind of cycles back to relative normal, Adam, onsite engagements, and how to properly handle them and their assessment counterparts, are massive, massive focal points going forward.
So let’s talk about that. What do you need to coordinate in advance to kind of, I don’t know, properly set yourself up for success when it comes to an onsite?
So the reality is, whether it’s your first time, and actually in this day and age, whether it’s an onsite assessment or possibly a remote assessment, it really depends. But when you’re coordinating either your initial experience with an assessor, or you’ve been doing this for six years and now you’re going to year seven, the success of that engagement starts long before you’re sitting down with the assessor. You’ve got to have effective communication with the assessment firm and the assessor that you’re actively working with, things like planning out the agenda. A lot of folks will look at the assessment as, oh, well, we just go hire so-and-so, and then they show up and poof, off we go. Well, I’m a much bigger fan of close coordination with that assessor in advance. That way, you can coordinate with them on what evidence is going to be acceptable for them, make sure they’re up to speed on your business, and certainly have them giving you direction and guidance as you’re going through that preparation activity, so that you make sure you’re on the same page with the assessor, so that hopefully, when you’re sitting down to actually engage in the assessment, they’re not surprised.
You’re not surprised. The assessors are an interesting bunch. They’re not really fond of surprises. And so the more that we can mitigate that, the more we can have them aligned with the target organization, the better for everybody, including the assessor and including the company going through it.
Yeah, I’m a big fan of planning your work and working your plan. That makes a lot of sense to me.
What is it that you really need to know about the assessor’s needs so that you can properly anticipate them?
Well, really every assessor, every assessment is different. Even, here’s the interesting part, when you’re dealing with a larger scale assessment firm, I mean, assessor A is gonna be completely different than B is gonna be different than C and whatnot. So certainly knowing your point of contact, knowing the company and their approach, that’s all gonna be important and helpful.
Asking them questions as you’re kind of going through that preparation process, when they get there, what are the things that they want available to them during the assessment? Who are the people that they want to talk to? What do they wanna talk to each of these people about? Certainly once you know what all they’re seeking and wanting, who all they’re gonna wanna talk to and the various discussion topics. In some cases, it’s discussion topics. They just, they have kind of interviewing requirements for kind of covering certain topics. And in other cases, more often with the more technical crew, they’re literally wanting to sit down and observe evidence and okay, let’s go log into this system and let’s go take a look at blah, blah, blah. So it’s good to gear up that interview list, their topics so that you can make sure they’ve got the coverage that they’re looking for and the combination of all of that stuff I just mentioned, that really allows us then to go into that notion of kind of locking in the schedule, right? When you’re on site and doing on sites, it’s a pretty hectic pace of trying to get through things in a thorough yet kind of scheduled process type of thing. So certainly getting that schedule locked in is important, not the least of which is you’ve got to coordinate with, let’s, I don’t know, let’s say they got eight people or 10 people or 12 people that they need to talk to. Well, now you’re coordinating with all of their schedules and who can do what and what order and the assessor may have a kind of preferred approach, which really is another element that comes into play, understanding what are the things that they mandate need to be in this order versus what are the things that I can kind of move around, gives the schedulers more flexibility as they’re going through it. And the other element too that kind of plays into this is during a typical onsite, there’s other considerations. 
Maybe this particular onsite is localized in one geographic area, and yet there are two or three different locations that we’ve got to get to. In other cases, the “onsite” includes a headquarters in Delaware, a hosting facility in Arizona and another office that they happen to have in Seattle. So you’ve got a fair amount of things that may play in, and really it just depends on the circumstances of the target organization that we’re going to have that onsite experience with; that is what’s going to drive the layers of complexity.
Sure. I mean, I guess that makes a ton of sense. There’s going to be a certain amount of subjectivity there, there always is, but what kind of prep is needed internally in order to be successful?
Well, these are just a couple of suggestions, right? From things that I’ve run into, experiences I’ve had, et cetera. So first and foremost, we talked about that list of people they need to talk to, right? I need to talk to these 12 people. Well, for every single one of those 12 people, have a backup that’s ready to go, that’s gonna be there at the scheduled time when the primary person was gonna be there. Because when you’re talking about that many individuals, depending on where you’re at, it could be all sorts of things, right? There was a gigantic snowstorm, and so people aren’t able to get in the office, or so-and-so is ill, or their child’s sick, or they got in an accident on the way into work, who knows, right? So have backup people for your interview list. It will save a phenomenal amount of rigmarole that you would otherwise have to pull out at the last second.
The other thing is, you know, internally, once you’ve kind of got everything locked in, we know what the schedule is, we know who we need to participate and which sections and talking points, distribute that schedule, go through, have an internal meeting, walk it through with all of the people that are gonna be involved. Make sure that they feel comfortable. See if they’ve got any questions, you know? There are things that we can just do through that process to help go in and kind of prepare. I’d also recommend that each person or each team go through, review the submitted evidence. So, you know, if we’re sitting at the point where we’re about to sit down and have an assessment, well, in all likelihood, there’s been evidence that’s been, you know, flinging already. So, you know, let’s go through for each person, go through any of the submitted evidence, re-familiarize yourself. It might’ve been, it might’ve been a little while since they initially sent in, fill in the blank, but now they can go in and, you know, go in, look at it, you know, re-familiarize themselves because we want them to, you know, kind of be, you know, kind of have that feel of really having the finger on the pulse, being able to answer this assessor’s questions as you go through the process.
You know, the other element is kind of prepping the internal personnel. It’s funny for those that aren’t used to going through it, especially for those that aren’t really in the technical arena and maybe only get pulled in once a year to go through the assessment process. It’s funny how freaked out people get by this process. They’ll legit be completely out of their mind, concerned about, oh my gosh, I need to say this perfectly and I can’t screw this up. And at the end of the day, unless you’re dealing with a real, you know, kind of a-hole assessor, the reality is that they understand that people get nervous talking to people and don’t want to screw it up for the company and all that fun stuff.
So just tell the personnel, look, just relax, relax. It needs to be fine. You’re not going to jail over anything that comes up.
You know, the bottom line is that we’re just, we’re trying to get through a certification. This assessor’s here to do, you know, kind of do their job. You know, and the other element is for the employees, you know, remind them about certain things that have occurred throughout the year, right? Remind them that, hey, remember that email that gets sent out once a month or once a week or once a quarter with security reminders. Don’t forget that you get this, right? Don’t forget that you went to various forms of training. You went to your security awareness training whatever, let’s pretend it’s March right now. You don’t forget, you went, we did this annual security awareness training in July. Do you remember that? Okay, yeah, don’t forget. And we did training for the developers and we did training for incident response, you know, et cetera. There’s nothing worse than when you’re sitting down, the assessor’s doing the interview and whatnot. So why don’t you tell, why don’t you refresh me about what all you learned in your security awareness training and the person sitting there like a deer in the headlights going, ah, I don’t remember taking security awareness training. Are you, you know, the assessor’s trying to help them out, right? Are you sure? Are you sure you didn’t go to a class and talked about maybe this topic or that? No, I don’t remember anything about, you know, and sure enough, you have like a training sign off with their participation back, you know, whatever. 10 months ago, admittedly, but you know, they, they’ve completely blanked, right? These guys, these guys get busy. They’re, they’re in the middle of trying to make, you know, make magic happen day by day. They don’t remember the security awareness training they took 10 months ago.
So it’s a good idea to, you know, kind of go ahead, get them the reminders and whatnot, because that kind of helps with them. That helps with them not kind of stepping into it. Now, one other arena is certainly any core documentation, right? Oh, yeah, that makes sense. Your core policy, where are the core policies? You know, blah, blah, blah, blah, blah. So, you know, just reminding them about these various things, that in combination with, you know, kind of going over the talking points that the assessor provided, I’ve found that that tends to give them a fair amount of comfort and certainly makes the, you know, the onsite experiences go a lot smoother.
Okay, Adam, so the moment is here. D-Day is upon us, the assessor arrives. What should you do once the assessor gets there?
Personally, I would recommend humming the Darth Vader theme as they walk in, that usually goes off well, and you’ll get a little bit of a smile. But no, the reality is, is that, you know, and it’s kind of like every, it’s hilarious to me sometimes, you know, people are like, we’re looking out, oh my gosh, is that the assessor? They’re getting out of the car. You know, whatever. It’s again, chill, relax, everything’s fine, everything’s gonna be fine, it’s gonna be okay.
You know, work on building camaraderie with the assessor. Yes, they’re here to do the assessment, but as long as you have the right assessor, they’re also seeking your success. They have a job to do, but genuinely they want you to go through a successful audit. No assessor walks in saying to themselves, oh boy, I really hope this goes to hell in a handbasket in the first five minutes. None of them want that, right? It’s not good for them. It’s not fun. It’s not good for the client. That’s not fun. You know, it’s out of risk. So they really are here to kind of help you through the process, but they do have a job to do. Give opportunities to the team to interact in a less stressful setting. So, some things like group meals, right? Planning lunch on site. I can’t tell you how many engagements where I’ve seen this in the schedule. This was kind of earlier on; I would see a lot of this and then I started steering clients differently. They’d be like, well, we need to take the assessor out for a nice lunch and blah, blah, blah. Meanwhile, on the schedule they allocate an hour. It takes 20 minutes to drive to the place, let alone ordering, eating and getting back. Boom. You now drop two and a half hours. You’re an hour and a half behind on your schedule and everything’s just a crap show. So instead, strong recommendation to plan lunches specifically on site, order in, whatever. Maybe you have two, three menus on hand, ask the assessor what they prefer, and then basically have somebody go run around, get the order from the assessor in the morning, then hand it around to any of the other participants so we can just order lunch in.
Because that way, we’re all sitting there, we’re chillaxing, we’re, you know, enjoying some food, maybe during that, you know, during that time period, you know, pick off some light topics that you can kind of talk through. But in the same sense, actually get to know these people, you know, Mr. and Mrs. assessor, where are you from? How long have you lived there? You know, tell me one cool thing that you do, you know, what you can do in your hometown, you know, etc.
And then share things about your arena. I know, you know, through the years as I’ve had to go and travel, you know, to places all over the US, well, really, and all over the globe, you know, kind of doing this type of work, I find it as somebody kind of walking in, I find it really cool to be able to learn from them locally, you know, tell me something that is authentic about this area food wise, and let’s go try that, you know, type of thing, you know, it’s just for me, it’s fun, right.
And the assessors are in the same boat. I can’t tell you, especially around meals, this is another good pro tip: do yourself a favor, do not use chain restaurants when you go to take them out. Take them to some awesome place that’s local. They can go to a fill-in-the-blank major chain restaurant anywhere in the United States, right? But they can only go to the mom and pop pizza shop that’s real and authentic while they happen to be in New York, type of thing. So it’s kind of that approach. I would plan for at least one kind of executive-level dinner. Keep in mind, some of the assessors aren’t interested in doing the after-hours or evening meals and things along those lines, some of them are not. But I would say easily 80 to 90 percent of them are totally fine with it and would enjoy it. And it is a good opportunity for the executives to get together with the assessor, get some one-on-one face time, ask any questions they may have in an environment where they don’t have the rest of their internal team sitting around, type of thing. It’s a good opportunity for just some high-level executive sharing of Q&A and things along those lines.
So I hear you saying, Adam, that it’s important to be human throughout this process. Yeah, it’s cool.
Now, I guess the rubber meets the road here. And I know that this question is loaded before I ask it, but I’m going to do it anyway. How arduous, realistically, how arduous is an on-site assessment?
I’ll tell you what, honestly, when I used to do these, kind of pre-COVID, I’m not kidding you, I would show up and I would literally have two Red Bulls a day, type of thing, just sitting there. And I’m not talking like a little teeny tiny can, I’m talking like Red Bulls, two of them. It doesn’t matter whether it’s onsite or remote, the days during the physical or remote onsite, they’re arduous. You’ve got a lot of topics to get covered in a relatively brief period of time.
As tough as it is, I was never a fan of the, oh, we’re going to go ahead and do the assessment over the next 14 days type of thing. Let’s not mess around, everybody’s got things to do, right? So typically, it would be unusual for me to have an onsite that would go north of three days. Most of them, let’s call it a day and a half to two and a half days, would generally be a good approximation for a moderately sized organization. Obviously, if you’re on a big engagement, yes, it can be longer. But for most of the organizations, that’d be about where it is. But they’re tough, man. You’re going topic to topic to topic, you’ve got to constantly be thinking about what it is you’re hearing, the input you’re getting, mentally comparing those to other elements that you heard in prior discussions and interviews, or evidence that you’ve already seen, et cetera. It is just mind-numbingly draining going through these things. So certainly plan breaks into the schedule. A lot of people have this tendency to just go, oh, well, you’re going to talk to Bob from 8:00 to 9:00, you’re going to talk to Sally from 9:00 to 9:30, and then you’re going to talk to Bill from 9:30 to 10:45 and, you know, in sight, boom, boom, boom, and it’s just tough. Plan in little gaps and breaks. Don’t try to cram the whole thing into one day. I would much rather spread it out into a day and three quarters so we can get breaks between topics, time to write notes, and give yourself some buffer time for the whole lunch thing, et cetera.
So, if you can plan in a schedule which is not frenetic, that’s going to go a long way. And then keep paying attention to especially any of the deeply technical topics that you’ve got to go through. So most of the time when you’re going through a kind of full-scale, I call it full-scale Level 1 PCI-style engagement, right? You have just a ton of topics for networking and firewalls and security and security testing and central logging and file integrity monitoring. I mean, you have all these really technical elements you’ve got to get through. Break apart those technical elements into more bite-sized chunks, because that’s typically where a lot of the real heavy thought process needs to go.
So, make those deeply technical topics maybe an hour shot, type of thing, put breaks in between, and plan in things that you need to do regarding onsite activities. So if you’ve got multiple locations that we’ve got to go to, okay, well, then maybe first thing in the morning you go ahead and do a technical topic, you get a little bit of a break, then let’s go talk to HR. After that, let’s pop over to this other facility that we’ve got to do a physical security inspection on, come back for lunch, and then hit another technical topic, that type of thing.
I already mentioned the fact that those lunch times, whether it’s breakfast or lunch, and that’s another element I didn’t really hit on here, but bring in the bagels or donuts or whatever, get something there, since they’re on site for breakfast as well. So that said, get those light topics lined up and you can tackle those over a bagel or over a sandwich or whatever it may be. And the other bonus is that gives you a nice excuse for the folks on your team that are actively engaged in the process: you can plan those light topics, and they get some food out of the deal, so it ends up working out well.
Well, let’s give the folks out there some pro tips for kicking off and wrapping up meetings successfully.
Okay, so kickoff, I’ll start with, then I’ll move to the wrap-up. So during the kickoff, you kind of plan for anybody that is going to be involved, whether they’re a phone conversation, whether it’s somebody that is going to be providing a tour of a secondary facility. You don’t have to have everybody in the room, but open up a desk. If you’ve got two locations I’ve got to go to, and I know that Sarah’s at this one and Bob’s at that one, have them dialed in on the conference call line. If there are people driving in, at least they can listen in to what’s going on. But get everybody on your team involved with that kickoff meeting. That way we can go around, we can do things like team introductions, describe their role within the organization, what critical business processes they are responsible for, that type of thing. The team introduction is helpful and helps to set the stage for most organizations regardless; if they’ve been doing this engagement, if you’re on year five or six, it doesn’t matter.
So, when you go into these on-sites, it’s good for the assessor to get a business recap: refresh my memory, what is your organization? What do you do? Why are we here? You know, blah. And for the clients, I’ve seen many of them do the squinty eye because they’re like, dude, we’ve done this for like five years now, why do I need to tell you what we do again? Keep in mind, it feels redundant to the people that are going through it for round five or six. But these assessors, earlier that week, were at another organization that they’ve been doing for eight years. And they did three on-sites the week before, and they did two on-sites the week before that. Maybe they’re involved with 15, 20, 40 different client engagements. So it’s a good opportunity for the assessor to hear everything fresh. The other piece that the folks going through it don’t realize is in their overview, oftentimes what I will see is the notion of them bringing up things that are new. Because let’s say, and I’m just going to use a January to December type timeframe, they wrapped up their last assessment cycle in December. And in the beginning of February, they made some type of a business change. Well, get back around to the following December, and that’s old hat, that happened so long ago. It’s part of the DNA now, right? And so to them, it’s nothing. But to the assessor, it’s new. And so it’s, again, an opportunity, number one, to set the stage for the assessor, as well as for them to identify things that may have altered or changed. And think about it from that perspective: what stuff has gone away since our last go at this? What stuff is net new since our last go at this? That’s the type of information the assessor is going to want to know.
How about the wrap up? Yeah, on the wrap up side. It’s a good opportunity to basically to regroup with the team again. So we talked about kind of getting everybody in and involved in the upfront. I’ve seen regroups work a couple of different ways. In some cases, the client really wants it to be kind of like a core group or a subset of the people that were involved. In other cases, which I would encourage as long as they’re cool with it, get everybody involved. Everybody wants to know how did it go?
What things popped up, et cetera. So things that you typically cover in that kind of wrap up or regroup meeting at the backend of an assessment is covering things like, hey, how did it go? What were any critical findings that the assessor kind of uncovered? Certainly if you’ve got all the players sitting right there, then that’s an opportunity for some open dialogue. Maybe the assessor, and I’ve seen this happen, maybe the assessor just interpreted something they heard or saw incorrectly. So it’s an opportunity for the team to kind of come together and to give updates or additional details to the assessor that will help them with their understanding. Going over kind of any findings and improvements that may be needed to be made. In some cases, when the assessor sees stuff that, they’re like, well, this really needs to be better. It really falls into two categories. The first category is, this isn’t gonna cut the mustard. And the second category is, you guys are doing okay, but you could do this far better and here’s why. You know, kind of a opportunity for improvement type of thing, but it’s not anything that would kind of screw the overall assessment, if you will. But in the same sense, use the opportunity of the wrap up and do this on both sides, right? For the organization going through it, what things do you feel went well and what did, for the assessor, ask them, what do you think went well and where do we need to make improvements? You’ve got to learn from these opportunities. You want next year to be smoother. You want next year to be better. So take the opportunity while it’s fresh in everybody’s brain and go ahead and go through that. The other important element, and a lot of the assessors have seen this mantra of they come in, I’ve done the assessment and I need to go off into my cave and I’m gonna go ahead and some weeks later, we are going to spit out this report of things that need done and blah. 
Well, you can sit around and you can wait weeks for the after action report from the assessor or when you’re in the wrap up, you can get gleams of what are things that we need to start working on? What can we be doing in the interim? I mean, nobody wants to wait weeks for the, wait weeks for the freaking report to come out so we can actually start doing things. It’s a lot better to be able to get a leg up on that so that you can just go for it.
Sure, or any additional kind of final recommendations for the folks out there?
Sure. Uh, kind of small pool of them actually. So, and these are just oddball elements, right?
Is that like a kiddie pool?
Yeah, exactly. Except don’t put your cats in it. So, transportation: making sure that if you’ve got multiple physical locations, or if you’re going out to any events or dinners, you’ve got transportation to be able to get the right count of people between the various facilities. I’ve experienced, on a couple of occasions, challenges with being able to get all the appropriate participants between all the different places they’ve got to get to. So make sure you’ve accounted for transportation appropriately.
Evidence prep, certainly one of the most important elements about an on site. You want to make certain that everything you’ve got is organized at your fingertips. There’s nothing that’s going to make an assessor more concerned than getting the wrong evidence. I’m going to scenario game it for you, right? Hey, Bob, I need to get a copy of your evidence from blah-to-blah firewall. And of course, Bob comes back and says, here we go. And then the assessor, looking at it, is like, this doesn’t even look like a screenshot from a firewall, or his firewall. This is a different firewall. What firewall is this? Goes back to Bob and starts asking questions and follow-ups. Oh, gosh, you know what, no, just ignore that. Don’t you worry about that device. That’s the wrong one. Here, this is what you were looking for.
Don’t worry about that.
Yeah, yeah, the whole, I’m going to stab my fingers over here and wave my hand over here type of thing, that doesn’t work with the assessor. So you start giving them kind of sniffs of, oh, you have other firewalls that I didn’t know about? What are those doing? And right, you want to make sure that you’ve got everything lock, stock and barrel organized. You don’t want to be scrambling to find evidence; that’s not cool.
Um, you know, go into the agenda. Um, you know, it’s one thing to go and put the agenda together. And it’s another to kind of think through those agenda items, and make sure, excuse me, make sure that you have enough time allocated for the topics at hand.
Certainly, if you’re walking into it for the first, you know, kind of your first go with fill in the blank assessor, you don’t, you don’t have any idea, are we going to be on the right track, the wrong track, you know, who knows so use that first, you’ll kind of shot at we made an agenda.
Now let’s see how it works.
Let’s go ahead and analyze: oh, well, the firewall section was scheduled for 45 minutes but it took two hours. Okay, noted. Use the areas where you went over to make adjustments. In the same sense, if you have a list of topics and there’s no way you’re going to cover it in an hour, then make it an hour and a half, right out of the gate. It’s always better to have fluff time than it is to be running up against it. It’s a lot more efficient while you’re on site to clear everything. If you think about it: I go through my annual assessment, but we have topics that bled long, we’ve got topics that we didn’t get through, we got through our whole time on site, and now the assessor has to hop planes and get back. My next week or week and a half is just a bloodbath, so we’ll go ahead and schedule some additional time two weeks out. Well, now you’ve lost two calendar weeks, and with the number of topics you’ve got, you’re competing with their existing schedule to try to get through things, and often they’re doing things in little teeny tiny chunks. So you’re far better off to have tons more time than you need and get through everything than to leave a basket of things to come back to.
The last element seems like common sense, but the one recommendation that I would give to an organization is just be honest. I’ve seen some that tried to do the tap dance. I don’t want to call it dishonesty, or partial honesty, whatever. The bottom line is that if your organization is struggling with elements of the assessment, if you maybe partially have it deployed but not completely, it is far better, certainly as you’re doing the planning for the onsite and the planning for your annual assessment, that planning time with the assessor, lining things up, getting their inputs on what you should do. The assessors love helping companies get headed in the right direction and get everything buttoned up. It’s a lot better to go to that assessor and present the current state and ask them for help, ask them for guidance, ask them what your options are, what things you need to do, blah blah blah. If you think about it differently, that makes the assessor, number one, feel like they’re getting the real story; number two, not dig deeper and deeper because they’ve seen holes in the story; and three, they’re part of the process, part of the solution. Best yet, if your assessor’s the one that’s saying “oh, you should do blah blah blah,” well, guess what: if you go do blah blah blah, then the assessor told you to do it. They’re not going to flip hats and go back on it and all that fun stuff. It’s a lot better to make them part of the solution than to make you part of the problem.
You don’t want to be found out if they trip across the whole example I was giving you before, about how Bob ended up showing the wrong screenshot, the wrong firewall, or whatever, and meanwhile the assessor never said anything about said firewall. Maybe they had their crap together on these 18 firewalls, but these three over here, not so much, and oops, Bob screwed up. You don’t want the assessor tripping over stuff like that. So it’s a hell of a lot better to just be open, be honest, make them part of the solution, because if they get a sniff that something’s awry, oh, trust me, they’ve seen everything from every client. I’ve seen assessors just absolutely dig into whatever it is, and they’re going to want to get to the absolute bottom of this mystery. It’s just not a good event. I’m a much bigger fan of having the assessor happy, pleased, no surprises, everything goes smooth. That makes for a far better experience from the annual assessment.
And that, sir, is why you are who you are.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.