Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Challenges of Managing Compliance Across Multiple Environments and More!


Quick Take

On this episode of Compliance Unfiltered, the CU guys navigate the labyrinth that is managing compliance across multiple environments. Adam lets the listener in on why compliance complexity can catch some organizations off guard.

Curious about the pitfalls of sub-elements? Wondering how companies can improve their compliance posture? Want to learn how splitting requirements can be a game changer?

All this and more on this week’s episode of Compliance Unfiltered!

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the May flowers to your compliance April showers. Mr. Adam Goslin, how the heck are you, sir? I’m doing good. It almost feels like we’re getting the April showers, and I think it started in February this year. It’s crazy. That’s right. And you know what? We are here to provide you some floral compliance relief. With that in mind, we’re going to chat a little bit today, Adam, about the challenges of managing compliance across multiple environments, especially with kind of the interesting work spaces that exist in standard business today.

How does compliance complexity often catch organizations off guard? Well, for anybody that’s hearing the lead into this topic that has already been up to their end, compliance management is never as simple as it ought to be. Every single organization is unique. There’s no organization that just fits nicely into the mold of whether it’s PCI DSS or any other compliance, you know, compliance framework. When you have things like multiple locations, multiple different types of firewalls, multiple different types of operating systems, you have multiple head. Whenever you have all this stuff, you have multiple headaches to deal with. You end up needing to gather multiple groups of evidence to satisfy individual controls. You’ve got, it makes the work more complex. It makes the work more cumbersome, etc, that type of a thing. So part of this conversation is just to kind of let listeners know about ways that they can make this a little bit easier on them. And certainly, we built those capabilities into TCT Portal.

Well, what are some examples of organizations capturing multiple groups of evidence? Well, there are a lot of reasons why you might need to capture these groups, you know, multiple groups of evidence for the same control.
So some examples, you know, you have multiple physical locations. So we’ve got a, you know, whatever, we’ve got a data center in Denver, we’ve got another one in New York, we’ve got another one in Chicago, you know, type of a thing, you know, maybe you’ve got multiple offices, you know, that you’re operating out of. So, you know, those would, you know, those would, you know, be one arena. Maybe different areas of your organization have their own inventories. So, you know, this group is keeping track of this stuff and that group’s taking track of that stuff, etc. You know, if you’re an organization that happens to be running, you know, you know, Apple and Windows and three flavors of Linux, you know, et cetera, that could be, you know, another scenario. Maybe your organization has, you know, multiple different realms of hosting, including multiple cloud vendors. So, I mean, you could have devices that you have hosted, you know, on-prem, you know, at your headquarters, you know, or minor amounts of equipment, you know, at various, you know, kind of outpost offices. You could also have, you know, part of your infrastructure could be up on, you know, Google Cloud, some of it’s on Azure. We’ve got a little bit over here in AWS. You know, we talked about the, you know, the different firewalls. I mean, maybe you’ve got, you know, maybe you have a couple of, you maybe have a sprinkling of ASAs, WatchGuards, Fortinets, you know, etc, you know, across your kind of in-scope environment. You know, the reality is, is that, you know, for a long time, you know, a lot of organizations, you’ve got, a lot of this builds over time, is what really builds in this complexity, right? So you look at the typical organization, well, we started out, we were in this one office, and then we went ahead and expanded to three more offices.
And then we went and did an acquisition, you know, and, and, and, you know, and that’s the way that you, you end up doing this plus just the acquisition of new equipment over time, you know, may cause some disparity in terms of, you know, kind of your groupings, etc. But, you know, most companies have some situation where they’ve got multiple sub elements to a particular requirement. And, you know, when you’re in that scenario, you know, you don’t, it’s not like this just happens with one requirement.

You know, if you’re doing it for one, there’s a very high likelihood that you have a whole bunch of different controls that need these various inputs. So, you’ve got a number of elements. So when you’ve got an example, that multiple firewalls example that I was giving earlier, for every single line item has to do with firewalls or in the current PCI v4 NSC or network security controls. If you’ve got these multiple line items, then you’re gonna have a whole series of requirements that need different inputs and different evidence across these various elements. So, where you’ve got these items for disparate locations, disparate inventories, you’re going to need to, again, have multiple line items across your various certs where you’re able to track it kind of down to that level. Well, what are some of the pain points when dealing with multiple sub elements? Well, when you’ve got to collect these multiple groups of evidence, you know, you’re either using some manual or for most organizations are using a manual or a semi-manual process for their compliance tracking. You know, it forces you to monitor these multiple sub elements for every single requirement. This makes the tracking unbelievably complicated. I mean, we did, we were doing a pod recently talking about kind of complexity on compliance engagements and we gave an example of a simple organization. I forget, do you remember what the number was that I kind of came up with that simple example? It was in the, was it 60 something or 90 something thousand? Yeah, it was somewhere in there. Yeah, it was like 60 to 90,000 different unique kind of states just across the actual requirements. Well, now if I’ve got, you know, if you think about it, if I now have, you know, you’ll have to multiply all of those intersections by another, you know, another series of groupings, you know, type of thing.
I mean, you could get your 60 to 90,000 could easily be going up into the hundreds of thousands, you know, type of a thing, you know, if you’ve got, you know, various locations that are spread out into, you know, across four different states. You know, you probably have four different people that are responsible for gathering evidence, right? Especially if you’re talking about physical, you know, physical elements, it’s unlikely that if I, if I literally have locations in, you know, northeast, north, northeast, northwest, southeast, southwest United States, it’s probably not the same person, right? So, you know, how the hell do you coordinate with these people to gather up their evidence and attach it to this single line item? You know, every single person needs to remember, you know, not to be, you know, not to be shipping their evidence, you know, until everybody, you know, has finished the, you know, finished their particular, you know, piece of it. You know, how does the person do it, doing the controlling of all of this know, you know, know that they’ve got everything, they’ve got a hell of a lot of manual validation, checking, etc. You know, even when you’re using a compliance management system where you’ve got one place to go put everything, it’s not unusual for, you know, I go in, I attach my evidence and move it up the workflow. Well, meanwhile, I got two or three people that haven’t attached their evidence yet, you know, how do you control this, you know? And so you end up with this. You end up with all of this extra useless time being spent of, you know, I inadvertently go send it up the workflow. The poor person that’s got to go review this stuff is like, yeah, that’s great, but I need, I’ve got two, three other people, right, that need to still put their evidence on. So they move it back down, right?
And meanwhile, the person, person or two that have already submitted their evidence, they go in and they see the, I already submitted this complete and they move it up the workflow again. And it’s just, it’s just like a comedy routine, honestly, you know, type of a deal.

So I’ve seen a lot of scenarios play out, you know, in all of this conversation we’ve been having so far, it’s just one freaking requirement. We’re not talking about the dozens or hundreds of requirements that have, you know, have this same issue, you know, the, you know, determining your engagement status. You know, that becomes a gigantic pain in the ass to figure out when you’ve got this layer of complexity, you know, dropped over the top of it. You know, the only way to go and tell is you literally have to have somebody saying they’re holding all these various strings, knowing which one goes where, etc., hunting down the missing evidence, etc. Meanwhile, try not to have your stuff moved up the workflow inadvertently, you know, so you’re constantly having to go back, checking things, you know, etc., updating your status tracking and blah, blah, blah, you know, and then you can go ahead and layer on to the back end of all of that. Now we’ve just been talking about it from the company’s perspective. Now you got the assessor that has to, you know, that has to go in and, you know, and handle this, you know, handle all this complexity, etc. I mean, it is, it’s just, it has all of the makings of a ginormous pain. Sounds that way. Now, how can an organization improve their compliance posture? Well, you know, over the years, if your company gradually added these multiple environments as your business expanded, etc., you know, in the beginning, it wasn’t a big deal. And you could easily go in and gather this up. Now, that said, and I want to kind of mentally pause here, you know, we’ve been talking a lot lately about, you know, for the upper levels of management, etc., kind of being in the loop about, you know, being in the loop about, you know, really the internal pain that the frontliners are going through. You know, it could be that 3-4 years ago, you know, that the compliance was a lot more, your compliance posture was a lot more simple.
And that just because of expansions in business and blah, blah, blah, don’t go under the guiding assumption that it’s, still simple.

The reality is, is that, you know, as your as your compliance complexity goes up, the more beads of sweat are happening on the brows of both the people that are trying to manage your compliance, as well as those that are provisioning evidence.
And that complexity is really slowing your internal team down, creates confusion, you know, and really makes your overall management process suck more than it should. You know, for, for a lot of companies, they won’t realize this, you know, incrementally slowly growing inefficiencies and workarounds that have been, you know, slowly layered on to the complexity of their engagement over the years, you know, and, you know, the other, the other side of it is even for, even for those that are, you know, that are going through, you know, going through and doing this, you know, a lot of times it’s human nature just to go in and go, this is the way I did it last year, I’m just gonna do it that way again. And I managed to survive last year, you know, type of a, type of an approach. And you know, they just kind of, it’s almost like they got used to, you know, the pain, the pain levels, etc. So, you know, if you’re telling yourself that, you know, that’s just how compliance needs to work, it isn’t, you know, at the end of the day, you know, TCT went through the, through the efforts to try to make a compliance management system that doesn’t, doesn’t make it not have to suck.

So, you know, we, we created the TCT portal specifically for that purpose. Well, how can splitting requirements streamline the overall compliance process based off of what we discussed at this point? Well, you know, tracking these requirements really doesn’t have to suck. The reality is, is that if you’ve got, you know, if you’ve got a piece of compliance management software, that has, you know, integrated capabilities for requirements splitting, your world gets better. Basically, what you can do is you can take a particular requirement. So let’s go back to, you know, that notion of, you know, that notion of physical evidence across multiple locations, four different states kind of in the four corners of the US type of thing. Let’s say we’ve got to go in and gather up evidence showing that we have cameras at door entry points and things along those lines. In that case, I can take my requirements that relate to physical access control and validation that we’ve got cameras at entrances and exits, etc. I can take that particular control on whatever. This isn’t something, in our system, it’s not something that’s specific to PCI. This can happen on any compliance engagement. So whether you’re doing HIPAA or ISO 27001 or PCI or whatever, you can go ahead and do this. So basically, the user can go in, define the type of the split that they want. So in this case, where we’re talking about physical location. So the split type, we’ll call it locations as an example. And then you can go further to then define the instances of those locations. So I can go Washington, California, Florida, New York as an example. So I can define all of those. And basically then you can apply that split to that particular requirement surrounding the gathering of the camera information.
But when I have to turn around and apply that same split to things like, do I have publicly accessible jacks in the, you know, do I have any network attached jacks in the publicly accessible areas of the building as an example? Then I can do the same thing and very easily then say, hey, I want to apply the location split to this item, poof. It’ll automatically split it out into four separate buckets, you know, underneath the mainline requirement. And what that allows the user to do is to go in and take each specific sub element and then assign it to the appropriate person. So what they can do is they can take the, you know, the New York split, assign that to Fred.
You know, they can take the Florida split, assign it to Mary, the California split, they can assign it to Brett, and the Washington split, they can then go assign to Angela. And so in that way, now I have, number one, I have the splits all broken out properly. I have the, I have the capability for each of those individuals to see exactly what they’ve got, et cetera. The person that’s managing their compliance now, they’re not worrying about Angela accidentally moving it up the workflow when two of the others still need to attach evidence, because each of these pieces moves through the workflow independently, it makes things astoundingly simpler. And the cool part about this notion of splitting is that it isn’t just we can only do location splits. Quite literally, you can define the splits however you want. So if it’s locations, if it’s firewall types, if it’s, you know, if it’s badge systems, if it’s, you know, inventories, it doesn’t matter. These are all capable of being self-defined by the organization that needs to go in and do the splitting, you know, so that they can go in and get those splits allocated to all of their appropriate items, get the assignments made, oh my, it is so much easier.

I mean, that sounds like a game changer. Yeah, it is, oh my God, it’s so much easier to go run your, you know, run your engagement, just simply because you have, you know, you have literally got everything tied in to the specific individuals, etc. You know, you think about, you know, you think about it from this perspective, you know, one of the big problems when you’re doing these compliance engagements is, you know, getting the right things into the right people’s hands, you know, giving them, you know, sending them updates about, hey, you still have three items open or you have 48 items open or whatever. You have those types of features and functions, those come automatic when you’re using a good compliance management system. So you’re literally, as you go in, use the system, get it set up properly, get it dialed in, get everything split, get the assignments where you need, it just is evaporating, just sheer waste of time on these engagements. You know, as you go through that process, it’s actually really, really, it’s part of what I find really, really fun is getting involved with organizations. You know, some of them, it’s funny, you know, that people are so used to doing things the way that they did. It’s fun watching those light bulbs go on. Parting shots and thoughts for the folks this week, Adam. Well, you know, with the capability to leverage those, the splitting capabilities, it, you know. Tracking, it becomes transparent. It becomes efficient. It becomes effective. Just the ability to know who’s got what, seeing your status at a glance, getting your full understanding of where are we at, who’s got what. It’s life. It’s sitting right in front of you, and you don’t need to go down and chase people for updates or spend hours preparing for status meetings, etc. The people that have been in this space and done this job, again, they’re sitting there nodding their head saying, man, you’re right. This is a gigantic pain in the ass.
Do your work simultaneously or synchronously. There’s no need for any coordination because you’re using a system which is purpose built to be, you know, to serve everybody simultaneously. You know, you’ve got the ability to do this. You know, I started saying earlier about, you know, organizations that, you know, kind of they’re, they’re doing the rinse and repeat and they’re doing the same thing that they did last year. And they’re kind of doing, I don’t know, I almost, it’s almost like a security and compliance zombie walk, right? You know, we’re just, we’re like, okay, we’re hitting the button, it’s Groundhog Day, we’re gonna do the same damn thing again, you know. And, you know, it’s funny when you see these people, you know, heading out. Well, you know, and for me, it is, that’s the part that gets me really jest is when you’ve got this organization that is, you know, fighting it tooth and nail, blah, blah, blah. One of the rewarding parts about this is having those clients coming back and they’ll come, it’s funny, they’ll pop back in and pull me aside or whatever, maybe it’s, maybe it’s the next year, maybe it’s a couple of years down the road or whatever. And they’ll say, you know what, you’re right. You know, I remember, I remember clearly how much what we used to do sucked big time. And, you know, it is, it’s funny, the use of the tool, how much weight that, you know, lifted from us, lifted from our people, lifted from our organization, you know, and how much time we’ve been able to recapture, you know, and the lack of hairs leaping from heads, et cetera. You know, it’s pretty, pretty cool to see that unfolding. You know, for those organizations, we’re talking about complicated, this topic today was talking about complicated, you know, engagements. You know, keep in mind that, you know, that we’ve got the capability for facilitating things like multiple certifications where you can automatically link evidence across your multiple certifications, etc.
So, you know, we kind of take together the notion of this, you know, a complicated scenario, you know, in terms of the organization’s scope, layer on two, three, four, five different, you know, security and compliance standards and, you know, layer in all of the splitting, etc.

This could, you know, honestly, it could be the thing that nightmares are made of if you’re not using some type of a good quality security and compliance management system. But, you know, that’s the whole reason that we built the damn system is to try to make people’s compliance management world suck less.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
