TCT Portal or Spreadsheets? Smarter Compliance for Higher Education

Managing compliance at higher education institutions is a unique hell that compliance managers dwell in. You have the college or university itself, as well as all the vendors and independent sub-entities on campus (and across multiple buildings and even campuses). All said and done, you could have a couple hundred individual units contributing to a single PCI DSS compliance engagement. 

Alternatively, you could have each individual merchant on campus that needs to ingest certain requirements from the institution, with the remainder the responsibility of each merchant. Either way, the complexity of these engagements has a strong propensity to be unparalleled.

But, of course, there’s also HIPAA and NIST and ISO and potentially several other compliance standards your institution needs to be compliant with. With every additional certification, the complexity becomes mind bogglingly insane.

Related: How Higher Education Institutions Can Streamline Compliance Management

That pain is only made worse by a reliance on spreadsheets to track and manage your compliance engagements. Spreadsheets can seem like a reasonable tool for managing compliance — they’re familiar, easy to use, and you can share them with your team as needed. All the information is right there in front of you in one place. And for simple projects, that makes a lot of sense. But compliance management isn’t a simple project.

The fact is, your reliance on spreadsheets is increasing your wasted time, creating inefficiencies, introducing chaos and uncertainty, and holding you back from greater effectiveness.

On the other hand, an automation platform like TCT Portal can streamline your process, eliminate chaos, bring clarity, and cut your wasted time by hundreds or thousands of hours across your entire engagement. You’ll be freed up to do more meaningful work, and to enjoy your work exponentially more.

Let’s take a look at the benefits of using TCT Portal vs. spreadsheets to manage compliance engagements at higher education institutions.

Spreadsheets Can’t Track Your Engagement

Perhaps the biggest reason higher education institutions should stop using spreadsheets for managing compliance is the simple fact that spreadsheets can’t actively manage compliance. It is literally impossible to use a spreadsheet and accurately capture the true state of your compliance engagement at all times. Here’s why.

You’re probably running PCI DSS engagements on campus. The full breadth of PCI involves hundreds of line items, and that’s for each one of your merchant accounts. If you’re tracking your engagements manually in spreadsheets, you have to manually build out the spreadsheets, manually assign every line item, and manually track the state of every line item.  

Typically, the state of an item could be:

• In the hands of the evidence provisioner
• Internal QA or Consultant review
• Assessor 
• Assessor QA
• Complete

That’s five potential states for every single line item, across all your merchant accounts.

Now, try to track the state of every line item in even JUST your main engagement spreadsheet for the institution. It’ll take several hours to manually go row by row in the spreadsheet and confirm that you have or don’t have each piece of evidence. Often, you’ll need to look in multiple locations before confirming. In the time it takes to figure out the status of your engagement, others on the project have completed tasks that you already marked as outstanding.

You never truly know the state of your compliance engagement, because it’s changing even as you attempt to gain clarity. The minute you start updating status, it’s outdated!

If you’re using an automated compliance management system like TCT Portal, the current state of every line item is automatically updated in real time as personnel upload, review, or send back each piece of evidence. You can see the live status of the entire engagement with a single glance. Hours of toilsome labor are eliminated, just like that. 

Imagine saving that wasted time for every internal meeting each week, and in advance of the weekly Assessor meeting — across the many weeks spent on this labor of compliance love.

Submitting Evidence Is Remarkably Easier

In a spreadsheet-based system, you’re continually trying to herd the compliance cats. You can do all the training you want, but the reality is that evidence will be submitted through a myriad of channels that you have to keep checking on. You may have a designated drop zone, but provisioners will still end up submitting evidence through a myriad of channels:

• By email
• Through Slack
• Va SMS
• Dropping hard copies on your desk
• Leaving voicemail messages
• Dropping to various places on the network
• Verbal updates (passing in the corridor or another meeting)

Worse yet, several of these channels aren’t secure.

You’ve told evidence provisioners very specifically where and how to submit evidence, but you will inevitably find yourself wasting countless hours manually tracking down all of those ad hoc locations. All the while, you’ll be praying that you either haven’t missed a submission or that you inadvertently did not grab the latest version of the intended evidence. 

It’s a constant state of nerve-wracking hell that doesn’t end until the engagement is wrapped up.

With TCT Portal’s automated system, you have a single location that everyone can easily access. If evidence was submitted through some other channel, the Portal counts it as still outstanding and continues to send automatic reminders to the assignee until the evidence is submitted properly. 

Better yet, simply don’t accept evidence unless it’s submitted securely to the TCT Portal by the evidence provisioner. As soon as they submit it, you’ll see it, since you’re leveraging the power of a live compliance management system.

Thus, all your evidence hunting is eliminated and your evidence is neatly organized in a single repository — and you didn’t need to lift a single finger to make it happen!

Communication Confusion Eliminated

Compliance is confusing, and it’s tremendously easy to forget how to perform various tasks. Personnel inevitably have questions about requirements or submission procedures, and they’re continually coming to you for clarity. Even if they were the individual who submitted the evidence last year, they can’t remember what they used or where they got it from.

With a spreadsheet tracking system, you’re getting inundated with those questions from all directions — emails, text messages, voicemails, in person, etc. You have to manually field every question — and you’re often answering the same question repeatedly.

With TCT Portal, people can ask questions through the system and associate them with their line items. Tag the person who needs to answer the question, and the system automatically notifies Fred that Wilma sent him a question. The state of the line item also shows that Fred needs to answer Wilma’s question about that item.

No More Status Meeting Hell

Status meetings are a lot shorter with TCT Portal as well. With spreadsheet tracking, you have no idea of the real status of your compliance engagement. The one thing you can count on is that there was a mad flurry of activity right before the meeting so that people can say they made progress since the previous meeting. 

I know the practitioners with experience are chuckling, because it invariably means a good portion of your tracking spreadsheet is out of date when you go into that status meeting. This is because about 80% of the activity from evidence submitters happens in the hours right before the scheduled meeting.

As you doubtless already know from experience, you need to go through every line item with your team and ask about the current status. Inevitably there will be discussion as well. Over the course of the year, you’re spending thousands of man-hours in meetings simply updating your spreadsheet, line by line.

Since TCT Portal provides live status updates, you can go into your status meetings, take a quick look at the dashboard, and determine in seconds which few line items you need to discuss. Each status meeting’s normal duration can be slashed and personnel can return to their jobs in no time. 

You have saved your institution tens of thousands of dollars — and freed up hundreds of your own hours — simply with that one single feature of TCT Portal.

Organizing Historical Repositories

The last few weeks before the annual assessment is a full-out sprint, and all kinds of things go sideways. The compliance manager doesn’t have enough time in the day to keep all the moving pieces organized in the spreadsheet, and the end state of the engagement is a train wreck. Nobody goes in to clean up that train wreck — you just leave it there, wipe your brow, and hit the reset button to blessedly look forward to starting the next compliance cycle with a clean slate. 

But that means you don’t have a solid repository that you can refer to, when you have questions about how things were done the previous year. 

• What was supposed to be included in the network diagram? 
• How did we end up organizing our device inventory? 
• What was it that finally passed muster with the Assessor last time? 

Good luck trying to figure it out. You’ll have to go through the same trial and error as last year, all over again.

TCT Portal keeps a single, organized historical repository of all your evidence from prior years. If you have a question about how things were done last time, you can easily go back and see it for yourself. 

This is especially helpful for new staff who have never had to gather evidence for a compliance engagement — they can benefit from the work of their predecessor and immediately be successful in their new role.

Managing Data Flow and Easing Comprehension

Usually, the higher education institution itself is responsible for covering most of the compliance requirements on a compliance engagement, and the individual functional entities have a handful of line items they are responsible for. Depending on the compliance approach that the institution takes, either the institution’s line items have to float down to the hundreds of sub-entities, or the evidence from the sub-entities needs to roll up toward the institution. 

The institution is either generating one compliance report to rule them all, or is living a death of a thousand papercuts being required to generate hundreds of reports for each merchant. Either way, the task of managing the data flow on these engagements is a huge one.

In an automated system like TCT Portal, you can automate all of the heavy lifting. TCT Portal’s document request list eliminates that work and simplifies comprehension. The document request list asks sub-entities for each piece of evidence they need to provide, in language and using terminology they understand. They only need to submit evidence once and the system automatically populates it to every line item where it’s required in the compliance track(s). Tens, even hundreds of line items are populated in an instant.

This functionality also works for more than one compliance track. Even though your institution is subject to multiple certifications or standards, your provisioners can submit the evidence once and TCT Portal populates the evidence across every applicable certification in the system.

Instead of looking through each requirement for each target certification line by line, you can use the document request list to simply view the evidence you need to supply. You can easily go down the list, item by item, and supply what’s on it, just once.

Version Control Issues

If you’re sharing your tracking spreadsheet with sub-entities on campus so that they can enter their information directly into it, you have all kinds of version control complexities to deal with. You might send copies of your spreadsheet, which then requires you to take their inputs and incorporate them with your master spreadsheet. If multiple people have access to the same spreadsheet, it’s easy for them to step on each other’s toes and undo one another’s work — corrupting the tracking sheet integrity.

TCT Portal allows every person to work simultaneously in the platform, without the danger of interfering with one another’s work. Because each person can only work within their assigned line items, all of your data is protected and version controlled seamlessly. Never worry about misentering information in the wrong cell or deleting someone else’s work.

Stronger Security 

Finally, there’s the issue of spreadsheet security — which, let’s be honest, doesn’t cut it.

Over the years, Excel has dramatically improved the quality of its security. But it still doesn’t measure up to enterprise-grade security and compliance standards. When you’re dealing with data that’s as sensitive as your vulnerability scans, penetration testing, network diagrams and internal inventory, spreadsheets don’t make the grade.

Because TCT Portal is designed to manage compliance for any certification, we built the platform to meet the most rigorous security standards out there, maintained via TCT Portal itself. You have a whole new world of enterprise-grade security to protect your status information and especially your Sensitive Data leveraged as evidence to support your Assessments within TCT Portal.

Get Off the Spreadsheet Addiction

Many higher education institutions are addicted to their compliance tracking spreadsheets. As much as they hate struggling with them, they have a hard time letting go. But TCT Portal makes it easy to kick your spreadsheet habit.

Managing compliance complexity has never been so easy with one secure, convenient, automated place to manage it all. Escape the endless spreadsheet hassles and start making compliance suck less, with TCT Portal.

See what TCT Portal can do for your institution. Schedule a personalized demo today.