Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: A Proper Response to Incident Response
Quick Take
On this week’s episode of Compliance Unfiltered, Adam and Todd tackle the wide-reaching topic of Incident Response and how to properly approach it. As Incident Response is applicable across all certifications, the CU guys do a deep dive into the ins and outs of Incident Response:
- What the requirements are
- How to effectively approach it
- What type of additional elements you need to set your organization up for success in the incident response arena
- Incident Response horror stories
All these topics and more on this week’s episode of Compliance Unfiltered!
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
Read The Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process.
Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow alongside a man who may know a thing or six about compliance, Adam Goslin. Adam, how the heck are you today?
You know, Todd, I’m doing finer than a frog’s hair today.
That’s hard to beat. That’s hard to beat.
Well, today, we’re going to have a conversation about a topic that’s pretty much on every business’s mind that wants to remain in business, right? And that’s something that is required for every certification standard. And that’s incident responses. And specifically like an incident response plan, I would imagine. Tell me more about this, Adam.
So for clarity, the notion of it being required for every, now, should every business be thinking about this and doing something with it and being prepared? Yeah, of course, but the interesting part is that it’s not required for every certification standard.
So there are some that kind of skirt the issue, but the interesting part is there’s elements. So like, as an example, in PCI, they’ve got coverage for incident response specifically. And yet there are ancillary coverages for other arenas of ways that you would recover from an incident. So it’s kind of like indirect, if you will. So things like backups and business continuity, speaking of which we’re gonna be talking about business continuity on the next one, but the entertaining part about PCI is that, the thing that they care about is the protection and security and appropriate handling of the card data and whether or not you can actually recover your business and can keep working and stay in business and whatnot, that’s secondary. As long as the stuff’s protected, then we’re good. So yeah, it’s kind of an interesting mix, but now PCI, as it relates to incident response, absolutely, it’s directly covered because they’re giving me organizations need to be prepared to deal with incidents, et cetera. But for across the various certifications and standards that are out there, and I mean, there’s new ones popping up all the time, there’s different flavors of coverage for different elements of kind of the incident response and business continuity arena.
Well, I mean, what’s typically required for incident response?
Well, you know, generally, organizations need to have policies, you know, kind of the starting point, right? You know, when your policy is governing how we’re gonna go handle incidents. Yeah, depending on which certifications are involved, you know, there’s various different requirements that come into play, actually, I’ll get to that in a second. But generally speaking, for an incident, you know, different organizations will take different approaches to their incident response. The most common of which is, you know, kind of almost categorizing the types of incidents. So, I don’t know, I’m gonna call it like, you know, nuclear, you know, the nuclear event, you know, kind of up at the top of the food chain, all the way down to, hey, this is interesting, we may wanna go look at it, and then various levels in between, you know, is kind of a typical approach, especially for, you know, for incident response. And yet, you know, some organizations make the choice just because of their business circumstances that they get a lot more specific, you know, how would I handle an incident of this type versus that, you know, this specific type versus that specific type, et cetera. So, you know, at bare minimum, categories of, you know, of kind of incident levels, generally how you would handle it, what would the process be, who would you involve, things along those lines, that’s a type of information you’re looking for in those policies.
Now, going back to where I was kind of going a minute ago, depending on which cert that you’re involved with, they’re gonna have different, you know, different specific things that they need to have in that, you know, in that particular, you know, kind of incident response. So things like, hey, if you have some type of a data breach issue, then you’re gonna need to go notify this particular, you know, kind of government entity, or if you’re in the PCI space, you’re gonna need to notify the card brands, et cetera. So, you know, certainly the certifications will kind of come into play, you know, from that perspective. So that’s one thing to, you know, to kind of keep in mind.
As a part of an incident response, generally speaking, there are allocated team members that are kind of the point people. Obviously it depends on what type of a, you know, of an incident it is, will denote which incidents you’re, you know, you’re gonna go, you know, kind of have which people involved in. So if we’re at, you know, I described it earlier, you know, we’re at nuclear level, you know, well, then I’m pulling in legal and I’m pulling communications teams and, you know, and somebody to basically be on the phones and whatnot. If I’m down at the, you know, hey, this is interesting and I need to go take a look at it, I’m not gonna be dragging all those folks into it. I’m gonna, you know, take a subset of people depending on what type of an, of a investigation that needs to take place.
But allocating those team members upfront, as far as who’s the point people for responsibilities for certain portions of your incident response, that would be common. It’d be common to denote alerts that would be, you know, kind of generated and sent out, you know, to teams that are handling the incident response. Also, you know, documentation for each of the incidents. So, you know, as you, kind of as you declare an incident, if you will, you know, then the certain paperwork, like, you know, what is the incident? What’s the issue? What are we going and doing? Who was involved and, you know, what happened? And what did the investigation reveal? What things did we, what actions did we need to go take? You know, do, and then, you know, of course, a feedback loop for kind of continuous improvement.
Typically people refer to it as a, you know, a lesson learned section, but the intent, regardless of what you call it, is that you take that particular incident, what happened? Are there fixes and adjustments that we need to make? Whether those fixes and adjustments are a feedback loop that is a continuous improvement for your incident response plan, or do we need to, you know, kind of bolster our training for either the incident response team or for kind of frontline personnel within the organization. So, you know, that feedback loop is actually, it’s an important element of what happens because, you know, because that’s how you kind of make this plan better. You now are better prepared for something specifically the same happens. Well, now I know exactly what I need to go do. If it’s similar, well, now I’ve got at least a general roadmap, you know, that type of thing.
Well, are there additional elements that will, like, I don’t know, typically come into play for incident response?
Yeah, I mean, there’s there’s additional elements kind of from the, you know, from the standard approach perspective. Um, you know, you’ve got, you’ve got things like, annual training. So, you know, training is a when you’re doing incident response, training is kind of a big part of it, because you have a whole point of, of, of having incident response and having an incident response team is being prepared to be able to handle the incident. So, um, you know, so you’ve got annual training for the incident response team, that needs to be needs to be done, it keeps the team on point, you know, they’re ready to rock, etc.
Um, you know, the other the other side of that is that, you know, is that, you know, from a training perspective, in some organizations, they’ll take the, they’ll take the notion of more tabletop style testing. So I’m going to make up a scenario, and then we’re going to kind of role play it out, is one approach. And in other cases, if, if the organization is, you know, kind of has incidents throughout their, their compliance period, for their particular certification, then maybe they use, you know, use those real world examples as exercising of their, you know, kind of of their annual training, it depends to on, you know, a lot of times on the assessor that’s involved. You know, some assessors are like, yep, that’s totally fine. You know, if you used a real world incident that, you know, kind of involve the right people, check the right boxes, it was complex enough, etc. Then I’ll take that as evidence. Other ones are like, I don’t care if you had 45 incidents this year, you know, we’re gonna, you know, did you do your tabletop exercise type of thing. So it really depends on the, really depends on the assessor involved. But, but, you know, I’ve seen a couple of different ways for the, you know, kind of for the handling of that, of the annual training. The, the other thing that typically comes into play, is an, sometimes an annual refresh of the incident response plan. So, you know, we were talking earlier about that, that feedback loop, right? I mean, that’s going to, you know, going to mean that you, through the period are making, you know, periodic tweaks, adjustments, updates to the incident response plan. 
You know, but, you know, you, you know, if you typically have people on there, you know, as far as who’s heading up, which of these, you know, different kind of critical functions of your incident response, well, I mean, people move departments and people change responsibilities, and they, you know, leave the company and, you know, blah, so, you know, it’s important to have your incident response plan, at least annually refreshed. I mean, my recommendation would be if you’re, if you have turnover with one of the people that’s involved in your incident response, then as part of your, you know, kind of off boarding of that particular individual, then at that time, go ahead and make the reallocation, make sure that the whoever’s, you know, replacing them is getting that training right away, you know, etc. Because again, the whole point is we’re ready to be able to, you know, go in, handle the you know, and handle the incidents, that list of, you know, folks that are the, you know, kind of the core participants in your incident response, that also denotes now, you know, who are the people that need to go ahead and get, you know, and get trained.
So, you know, that way, you know, what the list of people is that you that you need to be able to check the box to be able to show that yes, I’m doing, you know, I’m doing the, you know, the the annual training, training activity, if you will.
All right. It’s about that time, Adam. Give them to me. Give me some of the best incident response horror stories you have here.
Oh, gosh, let me think. Well, I mean, honestly, whenever I think of the realm of incident response and business continuity, the very first thing that kind of comes into my mind is back when 9-11 happened, right? They had pictures of downtown New York with you know, with, you know, basically sensitive financial firm documentation effectively splayed all over the road, you know, because of the fact that, gee, I don’t know, everything that was in the building just got blown into the street, right? You know, yeah, pretty extreme, you know, pretty extreme, you know, example of an incident. But for whatever reason, every time that this comes up, that’s the first thing that I, you know, kind of, you know, go into, you know, goes into my head.
But the, you know, another one is, you know, is that there was a, yeah, like an SSL cert style organization that, you know, they got hit with a, you know, they got hit with a technology or vulnerability issue. And, you know, which obviously that would have normally declared an incident for them, you know, but they got hit with an issue and poof, they’re out of business within three months. I mean, that particular organization was literally multi-million dollar business that went from viable to gone in three months, both for the fact that they had an incident, you know what I mean?
You know, the bottom line, the bottom line of the incident arena, a lot of people, you know, a lot of people kind of take this, you know, I’ve seen it fairly prevalent within, you know, within organizations. Yeah, yeah, yeah. Oh, god, it’s time for the incident training again. You know, that type of thing. And, you know, at the end of the day, the more prepared that you are, then the easier it is to just walk in, everybody’s in lockstep, people are doing what they need to, etc. You know, they’re just, they’re hitting the ground running, you know, about the last thing, about the last freaking thing that you want when you’re dealing with, you know, fit, just hit the shan.
And, you know, I’ve got, now I got a gigantic problem, and I just got yanked out of every other meeting I’m in to go handle, whatever, just hit, just hit that fan. You know, the, what do you want to be doing? Do you want to, you know, basically, you know, call in the troops, y’all huddle, everybody knows their roles, and they’re hitting, and they’re banging? Or do we want to be sitting there having a conversation of, well, who does this? And is it, is this Bob or is this Mary? You know, who do we call for yada, yada, yada? You know what I mean? Like, you don’t want to be sitting there having those conversations as the fit is literally smashing into the shan. You know, you want to be able to go fix things, solve problems, make the bad man stop. You know what I mean? I mean, it’s just, you know, that’s kind of the way that you want to, that you want to go, go get into it.
And, you know, a lot of folks will kind of brush off the, you know, the notion of that training. And yet, when I, when I, when I’m having conversations with organizations that did have some type of a, of a significant problem, that’s the moment at which they say, you know what, I’m so glad that we, you know, did what we did. I’m so glad that we exercised this plan. I’m so glad that we kept it up to date. I’m so glad that everybody knew what they needed to do, because that made a gigantic difference in our capability to be prepared to go in, get this handled.
And at the end of the day, the more prepared that the organization is to kind of go walk into, you know, go walk into the handling of that incident, the more prepared they are, then the faster it gets fixed, the more, the more you have the capability to mitigate the potential impact. I’m not saying you can avoid it, in some cases you can, but, you know, at least it’s not going to be as bad as it was. If it takes you three days to figure out what to do versus fixing it by noon, you know, type of thing on the same day, then, you know, then the ripple impacts are going to be substantively less. Your clients aren’t as concerned, your vendors aren’t as concerned, et cetera. So, you know, whenever somebody has, especially some type of big, you know, big headliner style incident, it really shakes the confidence of, you know, of folks out there. I mean, you know, the one thing that I, you know, that I’ll say to organizations is I’ll say, look, you know, you go talk to anybody, go talk to anybody that’s in sales, right? And, you know, you go ask when you say, how easy is it to go ahead and, you know, close the sale, if you will. And they’ll tell you that it’s challenging. And, you know, because, I mean, you just don’t have the, you know, this isn’t some never ending fairy tale of dollars that go flowing into organizations magically. It takes blood and sweat and tears, you know? Well, I mean, just imagine how much more it was going to suck to try to do that job when, you know, when, you know, every time that a potential prospect is going into Google, your organization, all they’re seeing is this, you know, battalion list of, you know, kind of headlines that, you know, talking about the issue that you just had. So the better you can prepare for it, the more that you can mitigate it, you know, all the way around, the better off the, you know, the overall organization is as a result.
That’s a good shout. Any remaining pro tips for the folks on the incident response front, Adam?
Well, uh, there’s a couple of things that, you know, that folks will, excuse me, uh, there’s a couple of things that folks will, you know, kind of not really think about, almost until it’s too late.
And so I like to give them the tips up front because it really helps. You know, one kind of sleeping giant, if you will, is your legal team or your legal department. Now, depending on the, I’ve seen all sorts of flavors of this, okay? I’ve seen organizations that have kind of brought on and hired this gigantic 1000 plus people, legal firms, where they have all of the appropriate knowledge and capability to be able to pull together whatever you need from a legal perspective, right? But in the same sense, I’ve seen other organizations where it was a self-started business where they didn’t have a lot of kind of money to go in, pull in the 1000 person law firm and the lawyer for the, that’s doing the business contracts, et cetera, it happens to be so-and-so, somebody so-and-so knows, or it was a referral from yada-yada, it’s a single practitioner and whatnot. And while they may be really good with doing the, doing the kind of the business and legal agreement side, it takes a completely different set of skills to have legal representation when you’ve had an incident, depending on what it is, you know? Especially if it’s in the technology space, one of the big problems I’ve seen is that the legal representation is awesome for the business side of the world, but they don’t have a clue about what’s going on in technology. And so that gap ends up biting companies big time.
So if your organization is using the, whatever, the single practitioner, the friend of the family, even if it’s a moderate sized law firm, I mean, you know, you can have law firms of, you know, whatever, you know, 50 plus lawyers at the law firm, but nobody specializes in, you know, nobody specializes in technology. And so if your problem is, is, hey, we’ve had some form of a data breach, you know, type of thing, that specialized knowledge in the legal space. And so I would strongly recommend as organizations are going in, kind of getting their arms around their incident response plan anew, what they can do is go in and kind of role play with your, with whoever your legal representation is. Do you have experience in the technology space? Do you have experience with data breaches? You know, if all of a sudden we get hit with, you know, some type of a data breach style issue and I call you, then what’s going to happen? Do you have that skillset right now at your fingertips? You already know it? Okay, if you don’t, then what’s our game plan, you know? Do you have a partner firm that you, you know, that you, that you would go ahead and work with, et cetera? You may be surprised at the answers that you get when you start asking those questions.
So again, you don’t want the incident to happen and then people figuring out what to do. So go down that path, go down that path up front.
The other side, the other element of legal is the legal department, there’s several roles, right? They can, you know, they’ll need to give representation in the technology side, but in the same sense, you know, in a lot of cases, what I’ll see is the lead, the person that does the legal representation, you got to be a pretty big company to just have a lawyer on retainer and or have your own legal, you know, on staff type of thing or, you know, constantly every agreement we have, we send a legal, you know, for review. There’s a chunk of businesses that are big enough that that’s what they’ll do. There’s a lot of businesses out there that they’re not big enough to be able to warrant having a full-time lawyer on staff or to have a law firm on retainer where they had every single contract to. So as a result, if you think about it, what typically happens is the law firm will go ahead and put together, okay, you know, we’re going to give you your template for your agreements. And as long as you don’t need to paint outside the lines, whatever it may be, you know, then here you can go ahead and use this. And so they don’t actually see every single agreement. Well, you know, and then as the business is going through generating these agreements, there’s little tweaks that they’ll go make to this one. Yeah, that’s fine. I don’t need to send this to legal. We’re just going to go ahead and sign up for, you know, this and that and the other thing, et cetera. So with the fact that the legal team is not in the loop with exactly what you’re contractually bound to, well, how are they going to be able to give you the recommendations and guidance and blah for what do we need to go do with this, right?
So there’s an element where you’ve got to kind of play that middle ground of, you know, do we want to blow a whole bunch of money on having legal sitting around and looking at all of our, you know, whatever 500 agreements we’ve got? Yeah, there’s a middle point between that and on the other end of the spectrum, them, you know, not knowing anything when you walk in. Again, you want everybody ready to be able to go hit the ground running. You know, the final element, you know, in the legal arena is there are oftentimes, you know, little clauses that get folded into the agreements, right? So you’re doing business with this big gigantic firm and as part of your, you know, whatever purchase order sign off, then you need to also agree that you’re gonna abide by our standard PO, you know, terms. And meanwhile on the PO terms for this big gigantic company, they say, oh, and by the way, if you have some form of an incident, then here is where you need to go ahead and provide notification to. Well, if you don’t have all of that buttoned up and whatnot, then, you know, you could be sending your alerts to your primary point of contact. Meanwhile, you’re legally obligated to send a submission in to their, you know, form that you’ve signed off and agreed to go do. Meanwhile, you haven’t done it. Well, depending on what, you know, depending on what just happened and what hit the fan, you know, you’re now in violation of your legal agreement.
You’re opening your company up to, you know, that organization coming back at you. Well, why in the heck did you send this to your point of contact only and why didn’t you follow your legal responsibility? So, you know, those are just some of the, you know, some of these, the arenas in the legal realm. You know, certainly depending on what type of an incident happens, what, you know, what the implications are.
So let’s pretend for the sake of this discussion. The organization has had some form of a data breach. You are a SaaS, you know, a software as a service, SaaS-based provider where you’ve got basically an internet site and you’re serving customers all over the United States. Well, the data breach happened. We happen to have exposed 25,000 records. You know, a lot of people sit there and go, oh, okay, you know, the way they think about it is, well, okay, if we had this issue with these 25,000 records, you know, well, we’ll just go ahead and see, we’re gonna need to send communication to these 25, you know, 25,000 people. Except for the fact that that communication is made markedly more challenging because of a couple of different wrinkles that come into play. Number one is today, each of the, you know, different states have different rules and regulations for, what do you need to notify them about? What do you need to say in your notification? You know, what do you need to tell them? What contents required to be in that communication? And it’s different for this state versus that state versus the other state. And so, you know, organizations not thinking this through in advance, they’ll just go out and just send notifications. Well, you know, now I got real, in the reality, I gotta go in and I gotta look, let me take a look at these 25,000 records. Let me figure out what states are these people in? Because it doesn’t matter that I, well, I host my stuff in Iowa. You know, it matters where are these people from? Are they from California, Arkansas, Michigan, New York? You know, what states are involved in this communication because their records got breached. And so, you know, you’ve got that wrinkle, which is the kind of the state level requirements for how does this communication need to be handled. But then you’ve also got the additional wrinkle of depending on which clients got breached. 
Remember, we were talking a minute ago about legal really understanding, you know, what stuff did the organization sign up for in terms of the legal responsibilities? Well, you also can have clauses in there for, hey, if this goes sideways, then this is what you’re gonna need to do for your communication. So you’ve not only got the state rules and regulations, but let’s say that 25,000, you know, record issue that crisscrossed over, you know, 27 different customers. Well, guess what? You gotta go look at the, you know, look at all your agreements and your legal and blah and figure out, you know, do any of these clients have additional requirements that you’re also gonna need to layer in?
The communications arena for, you know, for kind of data style breaches, it’s an area that, you know, that folks, you know, a lot of folks don’t really think through in advance that causes really a lot of problems. And there’s organizations out there that literally focus on, hey, we just, you know, we’ll help you with the communications because it’s actually really complicated and more complicated than, you know, than a lot of people think.
It sounds that way. And certainly in the notion of kind of the anticipation of, you know, potential needs for the organization, you know, in order to do that, I mean, for some organizations that have an assessor that says, yeah, you’ve exercised your incident response appropriately and, you know, and so we’re gonna use that for your testing, you know, that’s good. But, you know, I would recommend to organizations, do something that’s outside the box. I mean, if your drum beat of incidents is relegated to relatively minor things that, you know, that are easy to go ahead and do, you know, don’t whitewash the whole notion of the tabletop exercise. You know, challenge the organization a little bit, you know, to go out and think of a scenario that they haven’t, you know, kind of haven’t had to deal with, you know, and whatnot, you know, because as you do that, as you do that to, you know, it gives everybody a chance to kind of think things through. You’re gonna trip across things as you go through that hypothetical, you know, well, first couple of times you do tabletop exercises and it feels a little awkward, right? Because most of the people that are involved in this, they’re not actors and whatnot, that’s not their core profession. And in effect, we’re asking them to act this out, right? 
You know, but walking through, you know, walking through to, you know, walking through that process really helps, really helps to go ahead and, you know, let, make people think about these scenarios. And what would I do, you know? And what happens if? And who am I going to call? And how are we going to handle this? Yeah, what happens when our phone tree lights up like a Christmas tree because, boom, something just hit the news? You know what I mean? Um, you know, thinking that stuff through in advance really, really, really freaking helps, you know, helps organizations, because it’s a big deal, especially if, if you, you know, if you’re only dealing with, you know, kind of little, little and little and minor stuff.
That makes sense.
So that said, the other arena, I got a couple more here kind of for tips. So the next one is, it’s funny how organizations kind of approach the notion of incident response. For many organizations, they seem to be afraid to declare an incident. They’re like, if we declared an incident, then that’s a bad mark. And it’s an X on our record, and it’s a bad thing. And I’m like, I would tell them the polar opposite, which is, don’t be scared to declare incidents. Don’t be scared to declare the freaking incident, even if it’s a, you know, whatever. We talked about the nuclear through, you know, hey, I want to go look at this, right? So let’s just call it for the sake of the discussion. Level one is nuclear, and level four is, you know, something suspicious happened. So don’t be afraid to start declaring those level fours. Declare them as an incident. Exercise your plan. It kind of, you know, it keeps everything moving. It keeps everything in motion. It keeps everybody ready. It keeps them on their toes. The machine is oiled. You’re ready to rock, you know, all that fun stuff. You know, I’ve seen these organizations, they’re like, oh my gosh, I just, only thing I want to do is I want to get to my annual blog and I want to be able to tell the assessor, you know, oh, we had no incidents this year, you know, and whenever I see that, you know, wherever I see that response, like, come on, there’s no freaking way. There’s no way that you didn’t have anything happen all year long that you could have declared as an incident. It’s impossible. So, you know, don’t be scared to do that because it’s actually really good to go through and declare those incidents and make the team, you know, kind of, you know, work through that issue, you know, and whatnot.
And finally, you know, I typically recommend for organizations that are, you know, that are kind of starting off, right, you know, we’re new to this space and we’re just starting into it. And, or they’ve never taken it really seriously, right? You know, the incident, you know, for some organizations, their incident response plan was generated eight years ago. You know, they basically pull it off of the shelf. I’m going to give you the visual here. They pull it off of the shelf that somebody’s like blows over, it’s all the dust off of the top. They scratch out the date. They put the they put today’s date on there and then it goes back onto the shelf again. You know, so if that’s the case, I don’t know what to tell you, but, you know, unless you spend an inordinate amount of time thinking about everything in advance and nothing in the technology world has changed in the last eight years, then you probably want to brush it up anyway. So if you’re brand new to the space or you didn’t really take it seriously and, you know, you guys be honest with yourselves, you know, then I would recommend organizations kind of go through and do that scenario game, declare your incidents, you know, et cetera.
Do that quarterly for about a year or two. You know, just let your incident response plan mature. You’ll let it season.
You know, you’ll be surprised at the things you didn’t think about, especially when you, when people get a little more comfortable with playing the scenario games and whatnot, you actually be surprised because by the time you get through probably two or three of these, you get to like in around four with, you know, with the, you know, playing the scenario game, you’d be shocked how into it. So these people are going to get, you know, and it’s actually, it’s kind of fun to see that, you know, that they’re getting into it, they’re taking it seriously. And the way that I look at it is when they get into that mode, they’re legitimately doing things that are going to have, you know, intrinsic benefit to the company. You know, this exercise is one where it helps to proactively protect the organization by, by having that readiness, you know, you know, there. And so I love it when I, you know, when you get the, get the opportunity to have people like really digging it, getting into it, you know, and, and really making those improvements because the quarterly kind of lessons learned from the exercise, folding back into maturing the plan, maturing your training programs and things like that. It’s, it’s awesome. It’s really awesome. And the, and the organization will be a lot better for it when all is said and done.
That makes a ton of sense, Adam. And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow and I’m Adam Goslin, hope we helped to get you fired up to make your compliance suck less.