Companies often view the moment of getting compliant as their biggest hurdle. It’s not. While getting compliant is a huge accomplishment, you have only shown that you can do each requirement once. Now, you need to show that you can maintain that compliance. This ongoing maintenance, which TCT calls Operational Mode (the operationalizing of compliance requirements), is the last place the dragon of compliance chaos dwells. Slay the dragon here, and you’ve won the battle to gain control of your compliance management!
This is the eighth and final step in our series on taking control of compliance management in 2019. Just now joining the conversation? Check out the rest of the series:
- Survey the landscape of your compliance certification requirements
- Evaluate your vendors and auditors
- Build your budget
- Choose the best compliance tools
- Streamline compliance management
- Recruit your compliance team
- Train your people
- Automate ongoing compliance tasks (this post)
In your first year of getting serious with compliance, your goal is to show that you’re capable of being compliant. But compliance isn’t a one-and-done thing—you need to maintain compliance, year-round, from here on out. Today, we’ll walk you through it.
Maintaining Compliance All Year
If you don’t maintain compliance throughout the year, you’re putting your organization’s compliance at risk, along with your cyber liability insurance policies. More importantly, you’re putting the sensitive data of your customers—and potentially of their clients—at risk.
There are tasks that need to be done each day, each week, each month, each quarter, twice a year and annually. We call this ongoing maintenance Operational Mode. What does Operational Mode typically look like for your organization? Here’s a quick overview.
- Know the daily, weekly, monthly, quarterly, semi-annual and annual activities that you’re required to do. Each compliance standard spells out its own cadence in its requirements. Familiarize yourself with the cadence of responsibilities for each of your certifications.
- Assign responsibilities. Assign each task to a job position, not to a specific person. If that person changes roles or leaves the company, it quickly becomes unclear who owns the task: does the original person keep doing it, or does someone else take over? By assigning tasks to job positions, you always know who’s responsible.
- Adopt a system for tracking compliance management. You’ll need to store the evidence that you’re performing these periodic tasks throughout the year, and each piece of evidence should show when it was produced and by whom. You can’t go to an auditor or a client nine months down the road and say, “Trust me, we did it.” You have to prove you’ve been doing it faithfully.
- Determine a method for checking progress. Having a system in place doesn’t guarantee it will be followed. Establish accountability for maintaining Operational Mode. However you do it, make it easy to check the status of each task quickly; you need to know at a glance whether anything has fallen through the cracks.
Keep Improving Your Operational Mode
One of the biggest surprises for companies is how hard it is to pivot from getting compliant once to building and running a well-oiled set of activities that never stops. These tasks need to be performed at different intervals, by different people, across the whole compliance period. Bridging that gap is a big deal.
Your first full year of maintaining compliance may be challenging as you organize and orchestrate those ongoing activities. But it gets easier each time you go through the cycle, because you’ll find a system that works for you. You’ll know what you’re doing, who’s doing it, when to do it and how to get it done. Eventually you’ll be humming along, making only minor tweaks here and there as you discover more room for improvement.
You will get there, and maintaining compliance will become easier—it’ll just take some time. The key is to be continually improving and rooting out the issues that trip you up. How do you find those issues? Here are some signs to look for.
Hunting for evidence
You should always know where your evidence is, even before you start looking for it. If you find yourself asking, “Where did I put that evidence from last year’s compliance track?” you’ve got some changes to make. It’s absolutely critical to know with confidence that your evidence is always in the right spot, and that you can retrieve it without any hunting. Otherwise, you’ll eventually lose important information that you rely on to prove compliance.
Misplaced evidence happens all the time when companies rely on manual methods, a network drop site, or a shared location that everyone can get to. It’s easy to put files in the wrong spot by accident, and it takes a lot of effort to manually set up your tracking folders and check each location to confirm the right material landed in the right place. A shared location that everyone can reach raises a second concern: the evidence itself often describes your systems and controls in detail, so it needs access controls and a record of who added or changed what, not just a folder structure.
Multiple submission methods
How you receive documentation is as important as where you put it. If you have to switch between multiple channels to collect evidence (email, texting, network locations, file sharing drop sites, meeting minutes, phone calls and so on), you’ve got more room for improvement. Multiple delivery methods make it difficult to track your evidence, which means documentation can easily get lost.
Spending time managing status
How much time are you spending tracking down or managing the status of your operational compliance? You shouldn’t have to spend hours hunting things down, preparing for status meetings and determining status.
Turnover creates disruption
What happens to your Operational Mode if someone leaves the team? You shouldn’t lose historical knowledge and lessons learned when someone moves on. If you do, you’ve suddenly got the burden of piecing it back together, or of relearning those same lessons from square one.
Duplicating your effort
Do you have multiple tools and systems that do the same thing for managing and tracking compliance? I’ve seen a lot of companies with several compliance standards, two different assessors, and multiple tracking mechanisms. It increases the complexity of your work, and duplicates your time and effort on compliance tasks.
Using your assessor’s system
Assessment and auditing firms often require you to go through their own processes and systems to submit your evidence. What happens if you switch firms? If you can pick up the licensing for their system yourself, that’s no big deal. But if you’re using a proprietary system that only they control, you’re either locked into that auditor or you lose that data repository when you switch assessors. You can request a data dump from them, but it will typically be unstructured and hard to reuse, and you’ll lose the efficiency of having your own system when you need to start over.
This is YOUR data, which you’re SHARING with your vendor. The assessor isn’t your commander, and you don’t need to acquiesce to them. You’re the boss, you’re paying them, and it’s your data.
Automate Operational Mode
You can avoid every one of those issues altogether by using TCT Portal to automate Operational Mode for your compliance needs. TCT Portal spells out everything you need to do to keep on-track throughout your compliance cycle.
Periodic reminders are sent to the right people at the right time, so tasks are clear and manageable. This helps you to proactively alert team members of their responsibilities, confirm that tasks are getting done, and it helps you quickly get back on track, if needed.
TCT Portal shows the real-time status of your compliance management, so you always know the current state of your compliance at a glance.
The real magic comes about in the coming years, as your organization builds a repository of evidence over time. Many things change in an organization, including key staff who move on and changes to your assessment firm. With TCT Portal, all of your evidence in the coming audit cycle is easily referenceable from previous years—so you know exactly what was provided last time that passed muster for your assessor or auditor.
TCT Portal’s organizational power saves your team hundreds of hours they would otherwise waste attempting to manually gain control of compliance management.
Using TCT Portal with Assessors
More and more assessment firms are using TCT Portal as their primary tool of choice. When you engage with one of these firms, you never lose control of your data. If you switch assessment firms, you can easily pick up the licensing and retain all of your historical knowledge and documentation—without missing a beat.
Even if your current assessment firm doesn’t use TCT Portal, it can be an invaluable tool for your own internal operational excellence. Use the tool to prepare your evidence for auditing without the chaos. You’ll have confidence that everything has been robustly validated, vetted and organized. And you’ll save your company hundreds of frustrating man-hours and tens of thousands of dollars per year—even if your auditor isn’t using the tool.
There really is a better way to take control of all of your compliance information and slay the compliance dragon. TCT Portal keeps you on-track with compliance activities all year in an automated, coordinated manner.
See how easy compliance can be—schedule your live demo today.