Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Starting a Compliance Program
Quick Take
If you’re just starting out with compliance at your organization, the whole thing can be so enormous that you don’t even know where to start.
On this episode of compliance unfiltered, you’ll get an inside look at how to start a compliance program from the ground up. Whether you’re a new organization looking to get started on the right foot, or just now starting to focus on your compliance health, this is the episode for you.
What certifications do you need? How do you go about starting down the compliance path to success? What documents are required, and how long will it take to get where you need to be? We cover all these questions and more on this week’s edition of Compliance Unfiltered.
On this episode:
- How to figure out what certifications apply to your organization
- What if you really don’t have a certification?
- How to start the process
- Why you don’t want to do this without a compliance consultant
- Documents to get you going
- How long will this process take?
Follow Compliance Unfiltered on Twitter and Instagram at @compliancesucks
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome into another edition of Compliance Unfiltered. I’m Todd Coshow alongside the one and only, the venerable Adam Goslin. How are you today, sir? I’m doing great. How about yourself, Todd? Man, I can’t complain on a Friday. We’re going to be talking about something pretty exciting today, and this is a compliance topic that is especially useful for those maybe starting a new organization, making sure they get their compliance ducks in a row, and also those who might be looking to start a compliance program in their current organization.
Adam, tell us a little bit more about what we can expect today. So for any company that’s starting out, they might have been in business for the last 10 years, but now they’re firing up a true compliance program, or it might be a brand new company that needs to get its ducks in a row, whoo, say that 10 times fast, in terms of trying to meet the need of their new clients. So, the very first thing that organizations need to do is, they’ve got to figure out what certifications apply to their organization, and there’s actually going to be several realms where those inputs are going to come into play. So a couple of suggestions for organizations. One is go and check with your sales crew. They’re the ones that are talking to the clients. They’re the ones that are getting exposed to the asks, and inquiries from customers about, hey, are you fill in the blank compliant? So that’s usually a pretty good location to go to. Obviously, pick your oldest most seasoned sales person you’ve got, so you can gain the benefit of those years of experience as well. Going to whoever’s your legal representation, as long as they’re not brand new, only if they’ve been with your organization for a while, they should have a real good idea of what you do, how you do, and things which would be applicable, including what certifications that company needs to go through. And finally, the last rock that you can go and turn over is looking at data that your organization has. So, whether you have personally identifiable information, or PII, whether you have protected health information or PHI, whether you have credit card data, or PCI data, whether you have intellectual property, in those cases, the nature of the types of data that you’ve got may also play into what type of certifications that you need associated with those items.
Okay, I mean, I guess really the question is for some of those that might be new listening to this is, what if you don’t really have a certification, right? And that happens actually, well, more times than you think. And really as I’m thinking about it, it really is the company really doesn’t have any particular certification that they’ve got to go after, or they simply don’t have any idea what they need to go and take care of. So, in either case, the one thing for folks new to the space to get their arms around, and you’ll really understand this, fast forward five years down the road, a bunch of experience across a bunch of certifications. And this will become crystal clear, but it’s not readily evident to folks stepping in, is that each of these certifications will vary in their specificity. And what I mean by that is that, and let’s use, we’ll use HIPAA as an example. So HIPAA is a set of rules, which is more directional in nature. Part of the reason why it’s more directional in nature is that they created the various things that need to be done under HIPAA, and have those apply to everybody from a single dental practice, all the way up to an entire health system. So, they couldn’t necessarily call out all of the detail around exactly how people were gonna need to do it. So those requirements are directional in nature.
Access control under HIPAA says something akin to, hey, make sure that you’re using strong authentication and implementing it in your implementation of access control. But what the hell does that really mean, right? I mean, I could cure that 100 different ways and purport that I’d met the really waffly barrier of a requirement for meeting the mark. And so my suggestion to those that are walking in, pick something which has a greater level of specificity in the standard that you pick. So my standard recommendation to companies is, PCI is a great framework for folks to use as a starting point. And some people will say, PCI is the credit card industry standard. And some people go, well, I don’t have any credit card information, or we only use this little terminal, and I’ve got to worry about all this other stuff. So when I tell people to go use PCI as their framework, what I tell them to do is, I tell them to go into it with the mental knowledge of, everywhere there was a reference to cardholder data, just mentally substitute sensitive data. And why would I do that? Well, there’s a couple of different reasons. In PCI, there’s specific instructions for how to go about accomplishing, fill in the blank goal. There’s specifics around what needs to be in place, there’s instructions on what to do when. And most importantly, out of that compendium, is that because PCI is very specific, right? Well, I mean, we talked about it earlier with the directional nature of access control for HIPAA. In PCI’s case, there’s literally dozens of do this, do this, do this, do this, related to access control. And so, it becomes far more prescriptive, and a lot easier for folks to get through. And the cool part is, is because you’ve got the detailed specifics about what exactly I’ve done, it’s a hell of a lot easier for me to take that framework and let’s say, I fast forward six months, nine months, two years, whatever. 
And somebody pops out of the woodwork and says, hey, we’re gonna need to go ahead and get ISO compliant. Well, guess what? If I’m dealing with HIPAA as the underpinnings, Eh, I might make the requirements for ISO, I might not.
But if I’m using PCI, there’s a much greater chance that I’m going to be able to easily and readily map my stuff off of PCI down to those secondary certifications.
Well, I guess, how should a company know? How should they go about getting started in this process? Like, I just, I feel like there’s so many beginning points that it’s tough to really grasp the path for a lot of these organizations. Well, here’s the beauty of how I’ve entered into this space. I entered just like a lot of these folks that are facing this for the first time, I faced it for a first time, and I can tell you that I felt like I was just going under the water. Like, I was getting dragged, I was in an undertow. I was just slowly getting dragged underneath the water line because there’s just so many things moving in so many directions, with so much stuff you’ve got to do. You’ve got to coordinate with so many people. It’s very, very easy to become very quickly overwhelmed. And so to that end, I would highly recommend, for companies that are starting to go down this process, get a system for tracking and managing all of your evidence for whatever security or compliance certification that you’re going after, that is key.
Part of the reason that I started TCT is, I wanted to build the system. The TCT Portal is really what I’m referring to. I wanted to build the system I wished I had in my first trip to the rodeo, when I was struggling with Excel sheets, and manual tracking, because honestly, Todd, it was an absolute effing nightmare. Oh, yeah. Anybody who’s dealt with this process through spreadsheets can absolutely agree with what you’re saying. Yeah. Well, and here’s the problem, a lot of organizations, and I think we’ve got a topic coming about the benefits of spreadsheets and tracking systems, so I won’t go too much into it on this one. But the bottom line is that you don’t have the context yet to just truly understand what a nightmare you’re signing up for when you go the route of the, quote, free Excel sheet. So, yeah, just trust me, don’t do it, you’ll thank me later.
The other element is no matter what, do not, please, please do not expect that your internal IT personnel, or your existing vendors automatically know security and compliance. My experience is, that while they’re really good IT people, while they can keep a network going, or they can code their brains out, or maybe it’s your existing IT vendor, do not assume that they know this stuff. And the other double-edged sword aspect of this is that, if you go to them and you ask, what do you know about security and compliance? The answer you’re going to get every freaking time is, oh yeah, no, I know everything about that. Here’s the deal, I went through this myself and I watched a team of people that I had, because I had developers, I had net admins, I had firewall people, I had vendors. Fast forward the 18 months it took me to get through it, when I look back, dude, none of these people had any clue. And that is not an unusual state. Almost all the time they’re gonna say, oh yeah, yeah, we got it. That’s one side of it. The other is that these people have been doing this job, ingrained, neck deep, eyeball deep, whatever, in your day by day. It’s almost like they’re too close to how things have always been done to remain objective. And so, my recommendation is start with some type of a security or compliance consultant to run your program. They’re going to bring fresh ideas, they’re not going to be swayed by your corporate norms. They’ll know how to cut through the BS, they can get you to results faster, without you and your team needing to find a line item that says file integrity monitoring as an example and go, gee, what’s that? And let me start Googling options, right? The help that you get from somebody that actually knows the space, is really going to help that organization gain their sea legs more quickly, gain traction and get where they’re looking to go.
So, all right, I have a list of certs in my head. And, a good way to track things, a good compliant Sherpa guide to get us through it. What are the things that I’m really going to need in order to make this a reality for me? Sure. Most of the time for most organizations, and obviously, I’m not going to go into any specifics, because it’s different for every freaking organization. One organization can be subject to PCI and HIPAA and SOC, and another one’s going to be subject to NIST and HIPAA and ISO. So, it really depends on what that list is. But most of the time, 90-something percent of the time, there’s hundreds of requirements that you have got to go and get through, validate, vet, make sure that they’re being done correctly, all that fun stuff. And the most important element of that exercise, when you’re staring down hundreds of requirements, is figuring out where the heck are we in the grand scheme of things? What do we have? What do we not? What do we need? What is straight missing, versus what’s close with some tweaks, versus what do we have? And so, that exercise is typically referred to as a gap assessment, effectively identifying the gaps between the requirements of the organization and the requirements that they’re obligated, or chosen to meet. The best bet is, have your compliance sherpa do that for you. The compliance consultant will really be able to be helpful with getting your arms around it. A lot of the assessment firms, their starting point for a cold client, right? As they’re walking cold into the engagement, assessment firm will offer to go in and figure out where they’re at. My recommendation is don’t have the assessor go in and do that. Typically, especially for the first run through, it’s usually a bloodbath in the grand scheme. It is what it is, right? I am a greater proponent of smooth assessments, smooth audits. 
It just works better when you’ve got a company that’s walking into that assessment, or audit process where the assessor is there to do their job. When the company has it buttoned up, and has their act together, it’s just an easier, cleaner experience for the organization to go through.
So going through that gap assessment is the one side of it. So there’s a couple of different types of gaps that you’re gonna end up finding. One is technical gaps. So the starting point recommendation is go through and do a full penetration testing exercise with a reasonable penetration testing group. The scope should be everything. Sorry, let me back it up a little bit to penetration testing. What is it? Penetration testing is a group of experienced security engineers that’ll go in and they’ll look at your external network, internal network, and all your applications. They’ll do them with authenticated testing, APIs, web services, even your wireless, they’ll go in and take a look at all of that. But the net output of that is going to be a detailed report and directional guidance. You’re going to gain the benefit of their experience if you have them there to be able to ping questions off of. They’ll also be able to validate that as you go through and clear things up, that you’ve closed them correctly, that type of thing. So basically, the output of that will be a list of technical to-dos that you need to go through and get addressed. What about the non-technical issues there? So in that sense, my recommendation is, we talked about the gap assessment earlier, combine that with a risk assessment. For almost every standard that’s out there, a risk assessment is going to be a required annual event anyway. So do the risk assessment while you’re going through the gap assessment, because the combination of those two, that’s going to end up providing you a list of the non-technical requirements, and you’ll have recommendations, identify gaps, and the organization can start putting together that puzzle, and see what the things are that we need to go in and get started on. Sure.
So are there specific documents which might actually help a company get started here? Sure. So there’s a core set of things which will truly help the organization get their sea legs. So while we’re going through and we’re doing the high level assessment of technical gaps and non-technical gaps, those are going to tell me tactical things that I need to go do on the tech, and non-tech side to go get bolted in. In the same sense, and at the same time, this list of documents is things that the organization can start working on. You may have some of this stuff, you may not, but start working your way down the list if you will. So first up is the network diagram. Your network diagram is important because it’s like a visual representation of what do we have, who are we connected to, how is the network logically set up, things along those lines. So some of the inclusions there are gonna be, include all of your external connections, vendors, and all of your offices for your organization, make sure those are on there. Hosting facilities, whether they’re physical or cloud, depict on there the connectivity for remote workers, the internal layout of the network, and segmentation of that network. The network diagram should include a physical diagram that shows all of the physical assets, and how they relate to one another, where’s that barrier of the firewall between the outside and the inside, that type of thing. And then also there’s typically a second diagram, which is a logical network diagram. That’ll show all of the network segmentations, how the network’s broken up, what elements are grouped together, that type of thing. From there, go into the data flow diagram. So that’s literally exactly what it says, which is I’m trying to depict the flow of the data through the various systems that we’ve got.
And basically we wanna look at inputs, inputs that are coming in and being provided by various locations, vendors, clients, any internal processing events that are being done, outbound flow of data. Don’t forget about vendor flows, so things like data files that either you supply to them or that they supply to you. Usually the data flow diagram, but more often than not, it’s more of verbiage covering various different instances.
Well, I mean, yeah, let’s talk about the next step here, which is what? Well, after that, then you want to get into firewall rules. Okay. So you want to go in and take a look at what rules you’ve got on your firewalls. And there’s a specific exercise here, and that is listing all of those current firewall rules that are in place. Make sure we’ve got all of our connections between systems. We’re showing what ports and protocols are leveraged for communication, as well as, and probably most importantly, is the business justification for each of those allowed connections, whether they’re inbound or outbound. But the business justifications, the reason that they’re important, you want to list out why is that firewall rule there, not what is it doing. So what I mean by that is in the case of, let’s say you’ve got web traffic that’s coming through. So a lot of times where people go sideways on the business justification, they’ll say, oh, well, this rule is here to serve up web traffic. But instead, don’t tell me what it’s doing, but why is it there? Well, it’s serving up web traffic, which supports our client portal as an example. As you go through that exercise, you’re very likely to find cleanup that needs to be done. But then again, that’s part of the point of that exercise. Another document or another piece of documentation that’s a good underpinning is your inventory. Yeah, because the inventory is going to have a list of all of your hardware assets, whether they’re physical or logical. So this would include things like firewall, switches, routers, servers, internal, external workstations, printers, cameras, door systems. I mean, anything drawing an IP address on the network, actually that’s drawing an IP external or internal, should be on this list. I would recommend, add in some columns for the external and internal IP addresses. 
And that inventory should not only include the hardware, but it should also include all of the software that’s in use within the organization. So some of the easier elements of that would be things like, everybody’s workstations using Microsoft Word or whatever it may be. But we’ve also got installed software on the servers. You’ve got to look at any software that’s being used on servers, workstations, or components of software that are being leveraged within any written software for the company.
Let’s talk about vendors here, because I know that it’s a lot more difficult to line that up consistently, because you’re dealing with all the outside factors, correct? Sure. Here’s the deal. Vendors is a tough one because a lot of organizations, what they’ll do is they’ll sit down and they’ll go, okay, who are my vendors? They’ll start writing them down. That basically turns into the gift that keeps on giving, because every time you turn around, you’re thinking of a new vendor, you’re adding another one. I’m a bigger fan of just stop the bleeding. And so what I’ll typically do is I’ll tell people, go to accounting and tell them anybody that they’ve written a check to in the last year, go ahead and put them onto the list. Now, are you gonna have all sorts of things on there that don’t have any bearing, the person that does, maybe I don’t know, your business cards for the organization, that type of thing. Yeah, you could have some that are not applicable for the sake of your security and compliance, but now I can go in and I can say, are they in scope for security compliance? Yes, no fields, and start bucketing them if you will. But this is your one-stop shopping to go in and grab all of the vendors and start gathering them up. I mean, ultimately you’re gonna want to gather up details of, is the vendor compliant? What are they compliant with? Gathering their compliance documentation. What due diligence did you do on those vendors? So that consolidated vendor list is really gonna be helpful as you’re going through that process.
Okay, well, I guess once you have all those documents together, like what do you do then? So the documents form a good foundation. You’ve got to put work and effort into each of them, right? But once you’ve got your data flow, your firewall rules, your inventory, your list of vendors, once you’ve got all of that together as units of work, then you need to sit down and put them up against one another, because what’s going to end up happening. And this happens every single time without fail, you’re going to find items that are on the inventory, but they’re not on the network diagram. Vendors that are on your list that are missing from the network diagram. Firewall rules that have IP addresses that we’re communicating with, but the IPs aren’t on the inventory. So all of these documents, when you start putting them up against one another, then you’re going to be able to really vet those documents out to make sure that we’ve got a solid foundation to get started into the security compliance engagement, so that you’re scoping it correctly. And you’re basically walking in eyes wide open. Because one of the things that really kills these programs, or draws them out substantially is if you don’t do the legwork upfront, then what you end up having is, you end up having these things popping up in the middle of the engagement, which now means you’ve got to go back, redo work you’ve already done, you’re getting scope changes from various people along the way. So it’s just a hell of a lot easier if you really get your ducks in a row in the beginning, and use that to streamline the rest of the engagement.
Okay, so you’ve got your documents, you’ve got your ducks in a row, where do you go next? So my expectation would be whoever’s your compliance consultant, will be going through reviewing any existing policy or high-level procedure documentation that you’ve got, and start whipping those docs into shape. And or, a lot of people will go, well, this is the policy that we established back 15 years ago, they become fond of them, if you will. And in many cases, take the lead from whoever’s helping you through the process. Because if they’re really far away from where they need to be, in many cases, you’re better off just starting with new baseline docs, and tweaking and customizing them from there. So your compliance consultant should be able to give you the direction there, and be able to hedge you in the right direction. From there, take the lead from your consultant on running through your requirements in an organized and prioritized manner. Since every single company is different, with different things in place, different technical layouts, different soap systems, different certs, and different maturity. The bottom line is, and as much as most of the CEOs out there want to have some silver bullet to call on, and just go poof, and make everything secure and compliant. It just doesn’t work that way. Oh, we don’t have one of those. Yeah, I wish that one existed. I’m a bigger fan of direct communication with clients. And, I’m not going to blow smoke up their fanny. But the bottom line is, is that any company walking in saying just use us, and poof all your problems go away. Yeah, it’s bullshit. So, you might as well just turn them away at the door and save yourself some pain. There’s a lot of companies out there that will have big promises that end up falling dramatically short of the smoke they’ve been blowing.
Yeah, that makes a lot of sense. Actually, I guess my last real question is, I’m thinking about this, and thinking about the audience as they’re listening to it. The real question that I think we’ve yet to address is, what’s a reasonable expectation for time? How long do you think it would take for an organization like this, starting out at compliance, to get to the end of the line to where they can throw their party? Yeah, well most organizations that initially engage, seem to have this notion that it’s going to happen far quicker than it actually is. And again, with the notion of just direct talk, answering that question is an extremely complicated answer. All these companies are different. The bosses are thinking that all I’ve got to do is cross my arms, twinkle my nose and nod. But again, there’s no silver bullets. So what I’ll do, I’ll typically tell companies the truth that they don’t want to hear, but that’s also part of my boyish charm. For most companies, I’ll tell them right out of the gate, plan on six to nine months, minimum, minimum, and I’m not kidding, because there is a lot of things that need to get done. There’s a lot of validation, and a lot of vetting, and it takes time. I’ve seen very few companies, regardless of their starting point maturity, make that trip the first time that I’m engaged with them in less than six months, just because that’s reality. But in the same sense, some companies have taken 18 to 24 months to go from start to finish. It’s a long process. There’s a lot to do. A lot of it depends on where the company is in the grand scheme of things. But it really comes down to a combination of their starting point maturity, how much money and resources that they’re willing to put into the endeavor, that’s really what’s gonna end up driving the timeline.
What I’ve seen more often than not is that these organizations will get started into this arena, and not really understand to realize, or be prepared to allocate appropriate resources to the endeavor that we’re doing. And a lot of them are trying to do it with existing resources, right? I mean, if there’s a company that’s got a whole crew of people that’s just sitting around doing nothing, other than figuring out which cocktail they want to drink next, well, fantabulous, but that’s not the reality of most organizations. And so they end up taking these people that are super, super busy, and busy with administering networks and managing the firewalls, and putting them into this mix, expecting that they can just go put an hour or two in a week. It’s going to take longer. So, walk in and make sure that you’re willing to either, pay the money for the resources, or allocate those resources enough time to be able to get through and do their thing.
Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Goslin. Hope we helped to get you fired up to make your compliance suck less.