Just because TCT operates in the security and compliance space doesn’t mean that we’re a secure or compliant company ourselves. In fact, it’s possible to find assessors or auditors who have a suboptimal understanding of the certifications they evaluate for. So we appreciate it when new customers ask us about our own approach to security and compliance.
The way I see it, doing our due diligence isn’t optional. TCT has a responsibility to clients who entrust us with their sensitive information. And as an employer, I have people I need to protect — people who depend on paychecks, and the various folks whom TCT supports.
I can’t tell you how many organizations I’ve been exposed to over the years that didn’t take those responsibilities seriously. It’s like they wanted to do as little as possible. But at a bare minimum, it’s an employer’s moral (and often legal) obligation to protect that information, and to take it seriously.
So we do. And here’s how we do it.
TCT’s Approach to Security and Compliance
Officially, TCT isn’t subject to many particular compliance standards. We fit into a strange spot where we help people gain PCI compliance, but we aren’t storing credit card data. Most of the data that we have in our systems falls into the realm of personally identifiable information (PII), intellectual property (IP) and sensitive internal information. Very little obligates TCT to any particular standard.
We’re free to decide on our own how to approach compliance. From Day One, it was up to TCT to determine what we would do and what standards — if any — we would comply with. We chose the most prescriptive standard that existed at the time: the Payment Card Industry Data Security Standard (PCI DSS).
PCI DSS Standard
PCI DSS is a standard that’s specifically designed for the credit card industry. Within PCI, there are certain requirements that are very specific to the credit card industry itself — references to card data, cardholder data, and so forth. But PCI can be highly adaptable to other industries by mentally swapping out the card-related terms for the term “Sensitive Data.” In our case, that includes PII, client data, and sensitive internal information. We didn’t opt to take a half-hearted approach to our security and compliance.
There are a lot of directional standards out there, such as HIPAA. They aren’t terribly specific about how data is protected — they give a lot of latitude for individual organizations to determine their own approach to identifying the controls used to meet the criteria. PCI, on the other hand, is highly prescriptive — it prescribes specific tasks that need to be done daily, weekly, monthly, quarterly, semi-annually and annually. Further, it prescribes what needs to be done to protect the Sensitive Data, providing all parties (TCT and others) with precise knowledge of what has been done.
For example, PCI makes log review a daily task and file integrity monitoring a weekly task. PCI provides built-in accountability for periodic tasks, so it’s always clear what you need to do and when you need to do it. Most importantly, with TCT Portal we store evidence that’s collected quarterly and used to support our annual assessment.
We chose to use the most prescriptive standard available, because we wanted to do our level best to protect our data, and the data of our customers and employees.
Annual Third-party Assessments
Not only does TCT leverage and use the PCI framework, we’ve also chosen to subject ourselves to an annual audit by a third-party Qualified Security Assessor (QSA). This annual third-party audit creates outside accountability so that we can’t just say that we’re PCI-compliant. We have to prove it.
Occasionally we have clients that ask to see details about our own security and compliance practices. This annual assessment generates an Attestation of Compliance, a report that we can produce at a moment’s notice to show how we’re doing. We’re happy to share it with all of our customers.
It probably won’t surprise you to know that we also use TCT Portal to manage our own engagement. We leverage the compliance tracking system to handle nearly every aspect of compliance:
- Provisioning evidence
- Consolidating files into one spot
- Adding explanations and attaching evidence
- Managing workflow
- Collaborating with the assessor as they go through our annual review
In essence, we eat our own dog food.
TCT Portal is an all-in-one platform for organizing and managing all the moving parts of compliance management. The web-based application combines automation with deep compliance expertise to deliver a powerful tool for total control and ordered sanity. Truthfully, TCT Portal is the tool I wish I’d had when I was managing security and compliance engagements all those many years ago.
Even with our years of expertise, Total Compliance Tracking couldn’t manage our own compliance smoothly without TCT Portal.
Our Promise to You
TCT is a company that was built to do good in the world. We can’t do that if we aren’t honoring the most basic assumptions of security and compliance — that protecting other people’s information is simply the right thing to do.
Whether you’re a customer, employee, or vendor of TCT, you have our promise that we will always do our level best to protect your sensitive information through rigorous standards and best practices.
Looking to do business with a company like TCT? Let’s talk! Contact us today!