My first experience with compliance was over a decade ago. My boss came by and dropped the PCI compliance requirements into my lap. Thus began 18 gut-wrenching months that culminated in an audit where I had to prove that we had done everything under the sun to meet compliance.
That experience was mind-numbingly painful. There weren’t a lot of compliance solutions back then, and only the big auditing firms had any deep knowledge about compliance. That meant I had to go through a lot of trial and error, and by the end of the audit I said to myself, “There’s got to be a better way to do this.”
Handpicked related content: How One Company Took the Stress out of Compliance Management
I didn’t want to see other people go through the same nine circles of hell that I’d just been through. That’s the reason I stepped into the security / compliance space, eventually designing the TCT Portal from the ground up. But there’s a lot more to TCT than our platform. When you work with us, you have access to an entire package that helps you get your arms around all of your compliance. We can handle almost every aspect for you and make the pain of compliance go away.
The TCT Total Package
We’ve seen security and compliance from every angle—as a company that’s applying to be certified, as a consultant, sitting alongside auditors assessing compliance, and doing quality assurance for a large international auditing firm. There’s no one more qualified to be your compliance sherpa every step of the way. Here’s what that looks like.
Assess the situation
The very first thing we do with you is figure out what you currently have in place against the compliance standards your organization is subject to—processes, tools, documentation, knowledge, the works. As part of that engagement, we’ll customize starting-point templates so you can gain ground quickly and efficiently. Or, we can update your existing policy and procedure documentation.
Think of it like an orienteering exercise. We know where we need to go, but first we need to figure out where we are. That way, we know which path is the best one to take.
Fill the gaps
Assessing the situation tells us where the gaps are. Now we can truly begin the consulting phase, in conjunction with TCT Portal. We’ll make assignments to key personnel throughout your organization and start gathering documentation for each of the requirements. Everything will go through TCT Portal and before long, you’ll start to close items out. That is a tremendous feeling, because now you can see you’re gaining real ground. It’s like stepping out onto the very first crest and looking down into the valley below, where you started.
During this phase, we’ll often discover that clients need to hire vendors such as hosting providers, auditors or other services required for compliance. We’ve been in the business long enough that we have already vetted a multitude of companies in the marketplace. We can bring vendors to the table who will fit the bill and won’t break the bank. If you have existing vendors that you trust, we can work with them too. In that case, our job will be to confirm they past muster for your compliance requirements.
Run the engagement
Once we’ve got the matrix of people and point solutions in place, we run through the requirements with a fine-toothed comb and review, validate and provide guidance for every piece of evidence. If you’re self-assessing, we’re basically your contracted internal auditor. If you’ll be audited by a third party, this is the dry run to prepare you for the audit. We’ll get you completely prepped and make sure everything is golden before you meet with the auditor, so there are no surprises.
This is a huge deal for our clients, because we’re not going to judge them and we’re easy to get along with. We’re on your side, so there’s no reason to be worried about what we’ll find. Clients often feel like they’ve got to do some clean-up before our engagement—it’s like cleaning up the house before the maid arrives. We’re going to find some problems. I’ve never had a client that had everything perfect—it just doesn’t happen. And that’s okay. Don’t worry about it—we’ll find issues, and we’ll address them together.
Meet with the auditor
We’ll be by your side (literally) during the audit. We can act as translator and assistant during the audit, so that things move smoothly and without incident.
Auditors love it when TCT is involved. Some auditing firms will even discount their rates when we’re involved, because everything is so well organized when they go onsite. The engagement goes smoothly for them, everything is ready to go and there are never any major surprises for the auditor.
Handpicked related content: What Does Your Compliance Auditor Expect from You?
Remediation
There will always be something an auditor finds that you’ll need to address. I honestly believe they don’t think they have done their job if they don’t find anything! After the audit, we’ll help you coordinate any remediation tasks, coordinate evidence back to the auditor and continue that cycle until you’ve achieved compliance. Then you can throw a party and celebrate as we take the next step to put you in position to plant that flag at the summit.
But that’s when the real work starts, because now you have to maintain your compliance long term.
Operational mode
Believe it or not, this is when the real work begins, and you’ve barely got a moment to catch your breath. But we won’t leave you hanging—we’re here for the long haul.
To stay compliant, there are activities you’ll need to do every day, every week, every month, every quarter, twice a year and annually. TCT Portal helps to facilitate everything you need to be doing, and when. Similarly, we’ll go in with you and review the evidence that’s being collected throughout the year.
Operational mode is critical. I used to walk into annual engagements and discover that clients weren’t prepared. They hadn’t been doing the activities they were supposed to do throughout the year, and they had to answer tough questions in front of an auditor as to why things weren’t buttoned up. It’s a nasty situation for everyone to be in. I didn’t want my clients to be in that position, and I didn’t want to get caught off-guard either.
So throughout the year, we’ll go in and vet the evidence to make sure you’re keeping on-track. This is critical for your executives’ peace of mind, because they will have empirical evidence that your company won’t be caught off-guard regarding compliance responsibilities. We’ll also check the evidence to see if we need to make any mid-cycle alterations to the way you’re doing things. This way, we can make course corrections early, and the auditor can see the security/compliance program improving.
Handpicked related content: Build a Winning Team for Compliance and Auditing
Rinse, repeat
As your next audit cycle approaches, we’ll help you prepare for the auditor and make sure everything is in order. As I said, we’re in this for the long haul, and we’ll always be at your side to eliminate the pain of compliance management.
TCT Is Your Compliance Sherpa
Compliance is like a black box for most people. It’s a mystery—something that has to be done, but no one really understands what’s going on behind the curtain. I built Total Compliance Tracking to pull back that curtain, bring clarity to compliance, and make the path easy to follow.
We’re a huge fan of mutually beneficial relationships. We try to embody being upstanding in everything we do. When we go to a client and say we’re on their side, we’re actually on their side. We’re in the trenches with them. If something goes Boom, we’re going to dive in and help out. It’s a true partnership. We don’t want to be a vendor, but a partner in the truest sense of the word.
Looking for a partner to guide you through the confusion of compliance? Let’s talk about what our services can do for you.
