Chances are, when your organization first started going up against a security and compliance standard, you had no clue how much of an investment it was going to be. Perhaps your organization was hoping you could take a check-the-box approach to compliance, but if you actually care about the security posture of your organization, you know that approach won’t make the grade. You can rest assured that your customers expect to see detailed proof that you are, indeed, taking security and compliance seriously.

If your organization fits into this category, then it’s time to take your compliance program to the next level. This is a major step for your organization, and you’ll need to be very strategic about covering all your bases. You’ll need to evaluate and address your people resources, your processes, and the adequacy of your existing technologies.

Let’s take a look at those three areas to help you build a stronger compliance program for your company.

Hire Right

One of the biggest mistakes I see organizations making when they get serious about compliance is hiring an Assessor straight out of the gate. They think an Assessor knows what they’re doing, so an Assessor will have all the answers to get the company’s act together.

That’s an unwise approach, because it isn’t an Assessor’s job to answer every possible question about compliance. An Assessor may be happy to charge a lot more to tell you what you need to do — but you’ll be having conversations with the person who is also charged with assessing your organization, and you’ll end up revealing a lot of dirty laundry through the process. 

It’s a much safer option to have those dialogues with somebody who isn’t directly connected to the assessment process. Instead, hire a Consultant to get the expertise you need and the capability to have open discussion while keeping them internal.

Hiring a Compliance Consultant

Maybe your company is staring down compliance as a new initiative and you’re thinking, “Well, I’m pretty sure that one of the people in project management or IT can handle it.” I guarantee you eight ways from Sunday that the person you’re thinking of is absolutely not the right person to be doing it. 

An effective compliance manager with the experience you need is a resource who would command hundreds of thousands of dollars a year. Anyone with less experience than that will most assuredly be in way over their head, and your brand-new compliance program would sink before it launches.

The skill set needed is both deep and broad, which is why the individual you nominate internally almost assuredly does not have the breadth of capability and experience needed to effectively run your compliance program. 

Instead, your organization will benefit from leveraging a Compliance Consultant who can assist, answer questions, coordinate, and give you guidance for implementation. Hire somebody you can trust who has the level of expertise needed to truly hold the program together and get you from where you are to where you want to be in a reasonable time frame.

Who needs to be involved?

When you ramp up a security and compliance style engagement, all of your existing people, contractors, and vendors may play a part in the process. Part of the advantage of having a Consultant with expertise is their ability to evaluate the personnel, vendors, and contractors you currently have and figure out if you have the right mix to meet the standard.

A Compliance Consultant worth their salt won’t just walk in and tell you that you need to cut all of your current people and use their prescribed set of resources. They won’t try to sell you on a specific set of vendors to supplant your existing partners. If somebody walks in with that prescription, it should raise giant red flags. 

Instead, your Consultant will likely see that most of the resources your organization currently relies on are valuable partners — they know you, and there’s a trust relationship. Whenever possible, look at your existing solutions and see how you can optimize them, and then consider solutions or approaches for filling any remaining gaps.

Your Consultant can also help you determine who needs to be on your compliance team. This team will include key personnel from various areas of your organization, including IT, HR, Legal, Operations, and more.

Use proven best practices

The other advantage to bringing in a Consultant with expertise is that they ought to be walking into the party with a whole bunch of tricks up their sleeve, such as starting-point policies for your organization — the overall information security policy, your acceptable use policy, and your incident response policy. 

Anyone who has been in the compliance space for years has developed a proven tool set they can use on their engagements, and this will be a huge step up for you and your organization. You won’t have to try to figure out how to put it together, nor will you need to go online to some policy broker to get a watered-down version of what will “meet compliance” that isn’t suited to your company. 

Use the Right Processes

Not only do you need the right people to elevate your compliance program, you also need the right processes in place. Without the right processes, your people won’t have the roadmap they need to succeed. Start by implementing these best practices for a stronger compliance program.


Assess your situation

This is the first thing you need to do. If you don’t know what your current state is, you won’t understand what to optimize. Do not make the mistake of bypassing this fresh evaluation of your current state. In my years of experience, I have seen very few companies assess their starting point accurately.

Start by identifying all of the standards and certifications that your organization is subject to. That list will come from several sources:

  • Your customer requirements
  • Any agreements your company has signed
  • Any industry requirements
  • Your legal team
  • Your competitors — check their websites and see what they’re compliant with

This exercise will clarify everything you need to comply with at the end of the day, and it will give shape to the full scope of your compliance program. 

Write your policies and procedures

Next, curate all of the policies you already have in place, and identify the policies and procedures you still need to develop. 

You can find off-the-shelf policies to get you started, but don’t try to use them as a plug-and-play solution. Every organization is different, and your policies need to reflect the unique aspects and scenarios of your company. 

If you’ve hired a Consultant, they can help you navigate this process efficiently and expertly.

Generate technical documents

There are four cornerstones of technical documentation that you should focus on right out of the gate. You can work on the technical documents in parallel with the policies. Since the two sets usually draw on different people, you can save time by attacking both sides at once.

  • Network Diagram — diagram showing where everything on the network is physically located and logically connected.
  • Data Flow Diagram — shows where information is coming from, where it’s going to, what those flows contain, and how they’re moving (i.e., how they’re secured).
  • Firewall Rules — which must be documented outside of the firewall itself, so that the intended rule set can be reviewed and compared against what is actually configured. Follow best practices for establishing these rules.
  • Hardware and Software Inventory — including every device and every software application within the organization, even if it isn’t currently in use.

These four elements will give you a clear picture of the scope of your compliance program.

Schedule status update meetings

No one likes status meetings, but in this case weekly pulse checks are critical to the success of your compliance program. They ensure that nothing falls through the cracks as you get closer to the annual audit with your Assessor. The last audit experience you want is to discover in front of your Assessor that you don’t have all your ducks in a row.

Your weekly status meetings should cover:

  • Who’s doing what
  • Which tasks are outstanding
  • What roadblocks are getting in the way
  • What’s overdue
  • Who needs a kick in the pants

If you’re using an automated compliance management system, you can be in and out of your status meetings in just 15 minutes.

Adopt the Right Compliance Technology

Take a look at the compliance technology solutions that are already in place for your compliance program. Identify any technology holes, and make a plan to cover those gaps. 

The technology you use is critical to running a successful compliance program — especially if you care about keeping your operational costs as low as possible. 

Many companies make uninformed decisions about the right tools for managing compliance. They adopt tools based on up-front costs without understanding the downstream operational and personnel costs that come with inefficient and insufficient compliance management software.

Here’s a quick overview of your typical technology options.

Manual spreadsheets

Plenty of organizations try using spreadsheets to track and manage compliance, but I’ve never heard anyone say it’s worked out well for them. Spreadsheets are an attractive option if you’re looking for something cheap and familiar, but there’s literally no other reason to use them.

Spreadsheets are a pain to use, they aren’t secure, their cells can easily become corrupted, they suck at supporting multiple personnel making simultaneous updates, and data entry errors are prolific. In addition, the manual nature of spreadsheets slows engagements down enough to increase overtime significantly.

There’s no upside to using spreadsheets, unless you’re a fan of lighting a match to money. 

Homegrown automation systems

Some organizations get tired of using their spreadsheet system and opt to build their own automation tool for managing compliance. In-house development avoids purchasing costs and automation makes the work more efficient. 

However, you’re also looking at ongoing support and the need to update the system whenever a compliance standard is revised. There are also bug fixes, requests for new features, and technical support.

When these needs get in the way of your developers’ core operational business responsibilities, the compliance tech gets pushed to the back burner. It isn’t long before your in-house system is more hindrance than help and the compliance team ends up begging for resources on a regular basis.

Assessor’s software

Your Assessor may have a proprietary compliance management system they’ve developed and make available to you at “little to no extra cost.” However, you should be aware of the drawbacks.

If your information is in their proprietary system, you don’t have control over your own data and it’s under their jurisdiction. Switching vendors becomes difficult, because you can’t easily give your new Auditor the files your current Assessor is keeping. 

A better option

The automation in TCT Portal keeps you on track and gives you all the tools you need to simplify and standardize your entire compliance process. With TCT Portal, you’ll:

  • Reduce compliance management time by as much as 65 percent.
  • Recover tens of thousands of dollars in wasted operational costs.
  • Eliminate bottlenecks and painful manual processes.
  • Elevate the effectiveness of your compliance program.
  • Enter your annual assessments with confidence.

TCT Portal is designed to make your compliance management more efficient, more effective and less costly. That’s why we priced TCT Portal so affordably — the decision should be an absolute no-brainer for every business. 


Don’t Try to Go It Alone

If you’re ready to get serious about your company’s compliance program, you’ll need to address people, processes, and technology. All three areas are critical to running a successful security and compliance program. 

It’s a ton of work to take on by yourself, but you don’t have to do it alone. TCT can connect you to the resources you need for a next-level compliance program that operates effectively. Contact us today to get started on the right foot.
