Compliance Unfiltered is TCT's tell-it-like-it-is podcast, dedicated to making compliance suck less. It's a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Avoidable Mistakes That Cause Assessment Rework


Quick Take

On this week’s episode of Compliance Unfiltered, Adam and Todd run headlong into some of the avoidable human errors associated with compliance rework.

  • What are some common mistakes that are made in an assessment?
  • What are their consequences?
  • How do you avoid these pitfalls in your own approach?
  • What type of assumptions must you avoid to ensure you’re not doubling your work down the line?

All these answers and more, on this week’s episode of Compliance Unfiltered!


Transcript

So let's face it, managing compliance sucks. It's complicated, it's hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.

Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome to another edition of Compliance Unfiltered. I'm Todd Coshow, alongside a man whose compliance sunrise and sunset share one horizon line, Mr. Adam Goslin. How the heck are you, sir? I'm waiting until you do that and you've run out of things to say. Let me know when that happens. All right. How are you doing today? I'm doing good. Good man, I'm glad to hear that.

Today, we're here to talk about mistakes. We make them, everybody makes them, we're human. But specifically, we're going to talk about mistakes that cause assessment rework. Tell me more. So in general, when you're on a compliance engagement, there are a lot of negative consequences of rework when you're running through a compliance assessment. You've got to keep in mind that the team that's involved in compliance is just trying to get through it. Every time there's rework, people get frustrated. Oh, I thought I was done with this. Now I've got to go back and revisit it, and it really brings down their morale. It's also causing delays in other business objectives, which are impacted by the ripple of the compliance work extending. Everybody's starting to shift into this mode of, oh, okay, we made it, we're done. And no, you're not. So that plays into it. Productivity over the whole compliance engagement goes down. Depending on the timing and availability of the assessor, you might have to have the internal team move into overtime mode and just pull things out of their hat to get things done while you've got the availability of the assessor. But at the end of the day, time is money, and you're burning it needlessly. Also keep in mind that as you're going through that compliance engagement, you've got all sorts of people clamoring for, are you there yet? Are you there yet? Where's your report? Many times it feels like there's just this crowd of people outside your office window, whether it's clients clamoring, hey, where's your report? Or whether it's your internal sales personnel getting beaten up by people saying, where's your report? So there are a lot of ripple impacts, if you will, from rework causing delays in your compliance engagement.

Yeah, and actually, I know you made it first, but I think that the point about diminishing morale on a team that is already burning the candle at both ends is something that can't be understated. So, not to be particularly punny here, but what happens when you make assumptions? Well, someone makes an ass out of someone. The bottom line is that a lot of times organizations make broad-stroke assumptions about their compliance based on the bucket that they're talking about, right? A lot of organizations will go, oh, well, we've got a section around antivirus, well, we have antivirus, check, and they keep on running, meanwhile there can be ten-plus line items related to antivirus. I've seen these assumptions that folks make as they're just trying to clear through their items. They make similar assumptions on things like, we have a firewall, or we have change control, and the list keeps going on and on. But the problem is that organizations have to bring the requirements analysis down to the line-item requirements instead of broad-brushing it. That way, they're going to know for sure: yes, I have all of the various things that I need for antivirus, I've got them all in place, and here's all of my evidence. That's the way to stop the bleeding of the rework coming; organizations can't play the assumptions game.

Well, speaking of how the executives play into the rework game. Come on, Todd. Executives? Rework? Who'd have thought it? No, but all joking aside, the role of the executives in the organization is really, seriously critical. I've seen many organizations where the execs give lip service to the security and compliance team: well, we really care about security and compliance. I forget, this might be one of our earlier podcasts, or something I was talking to somebody about, but how irritated I get with those letters that go out, right? When a company gets breached, we really care about your security. In many cases, the executive lip service that they give to security and compliance, the internal personnel see through that stuff like a thin veil of cheesecloth. If the execs aren't taking it seriously, underlings aren't going to take it seriously either. And, quite frankly, things are far more likely to go sideways, with half-assed evidence pouring over the wall to the assessor, because nobody cares. In contrast, when you see an organization where the execs actually care, it's not just a plaque on a wall, it's not a saying they painted on, it's not something they put into their marketing material. The executives are actually devoting time to regular status updates on where we are. How are our security and our compliance doing? They're actively checking in on your progress, they're holding the company accountable. When we find out that, well, we expected to be here with our security and compliance, and we're not, why? Those types of discussions. Lastly, and this one's a little more subtle, it's the executives walking their talk in front of the organization. It's amazing how little comments like, oh, we really need to, fill in the blank, and they're like, we'll get to it eventually, or they're brushing it off, or they're blowing it off, give it away.
You can tell the difference between an executive leadership team that actually cares and one that is, again, just providing some form of lip service. Yeah, that's a good call.

Now, how do companies run aground with recurring compliance tasks? I feel like that's a common thing. Yeah, well, especially with those organizations in their first year, I call it year one, right? We've made it, we've been struggling to get fill-in-the-blank compliant for x period of time, and it's the compliance party, we've made it. Then they're so relieved to just be done that everybody goes, okay, that's finished. Now we're going to go back to business as usual, and a year down the road, we'll go look at compliance again. The problem with that is that organizations, really those going through it for the first time, need to make sure they're both actively and mentally prepared to move into that operational mode of compliance, and have accountability measures in place to validate that things are on track, at bare minimum. Having regular touch points to validate their ongoing security and compliance requirements is important, because it allows organizations to catch issues early in their compliance cycle, which allows them to make early modifications so that they can turn things around. Even if you have a problem, the assessors aren't out there trying diligently to fail people, I mean, they want people to succeed. But one of the things some companies get a little, I don't know, over-anxious about is, something went wrong, one thing went wrong, and now it's the end of the world, and all this fun stuff. What I've seen, generally speaking, is that the assessors care more about the fact that the organization has their act together, is catching this stuff, is making sensible modifications, doing it quickly, and getting things on track. They'll be happier to see that type of maturity occurring within the cycle than they are going to blow a gasket because somebody forgot something, if they actually did something about it.
And the best part about an organization that is on it when it comes to those operational compliance responsibilities is that, as you're feeding the interim evidence, showing that you're doing your daily, weekly, monthly, quarterly, semi-annual tasks, the assessor gets a far better sense that the organization is truly taking this seriously, which will help overall when you get to your next assessment cycle. The assessor's got that notion that, hey, this company has been all over it. They're doing these things, they're supplying this evidence, they're making fixes as they go. The assessor is actually feeling a lot better about things when they get to the, okay, now it's time for the compendium of the stuff that we've got to go in and do each year. They feel a lot better walking in, which is a cool place to have the mindset of your assessors as you're walking into the throes of your annual cycle.

Yeah, absolutely. Now switching gears to a topic that's maybe a little less clear, how does vendor management, or lack thereof, play into things? Well, in many cases I've seen organizations wait too long to go in and gather up their vendor compliance documentation. What I mean by that is that the organization gets to those things that they do once a year, and they start approaching all of those once-a-year items with, let's say for the sake of this discussion, six weeks left until the end of their cycle. So now they're going to start doing their annual stuff. And if you cram hundreds of items into the last six weeks, you're basically setting yourself up for failure, because what happens if any of those go bump? Vendors in particular will take multiple reminders. They're going to take their sweet time fulfilling any request. I mean, I can hear the chuckling from folks listening to this as they think dreamily of how they wish they had faster vendors, where you put a request in, and you go follow up with somebody a week, two weeks later, and they still haven't even touched it. It's almost like it's fallen off the face of the planet. So, the recommendation on the vendor documentation side: go after that documentation earlier. Maybe you approach your vendor documentation mid-year rather than toward the end of the year, because that'll account for slow vendor responses. Another suggestion: see if the vendor has some type of online portal with their compliance documentation readily available, because if they do, well, hey, guess what? Now you can skip the pain of going into their support line. Another suggestion for folks in the PCI space: if the vendor is on the PCI Level 1 service provider listing, I've seen QSAs that'll accept screenshots from the Level 1 service provider listing off of Visa's website, because they know that Visa requires a valid AOC to be submitted.
So in some cases I've seen the assessor basically take the screenshot off of that site as confirmation that, yeah, the organization's done their part to make sure that the vendor is maintaining their compliance.

And then how does some form of quality assurance play into that? Well, most of the time, when you're on one of these engagements, especially once the heat starts to really turn up, right? You get into the thick of things where you're really starting to move a lot of items, especially at the point where you've been moving items up to the assessor. The assessor's now starting to go in and review those items, and now you've got the flow of things coming back from them with questions. That's typically where I'll see the quality assurance start to wane on an engagement. The team's just busy trying to fling stuff, trying to get things done according to the timelines they've established with the assessor, and one of the first things to go is the notion of the internal QA check. It's usually one of the early things to get set aside. So, my recommendation to organizations is, at bare minimum, use an intern, some type of internal QA process: one person generates evidence, another person goes in and sanity-checks it, that type of thing. But in many cases, it's better to have a compliance consultant come in to review the evidence in advance of it heading off to your assessor. Compliance consultants are typically going to bring more experience to the table and be able to far better mitigate issues with the quality of evidence. That way, you're using some type of trusted resource that's going in and catching these issues, so they're not making it all the way up to the assessor. It's the same theory as you'd have in a development team, right? Are you better off catching the issues after it's already gone through design, initial coding, unit testing and integration testing, you've moved it between two or three environments, and finally you bring it over to the client for final QA and then find an issue? No, you're far better off catching it during design at the very beginning, right? And it's the same theory here.
In the event that you do have a compliance consultant in the mix, also use them to help prep in advance of your actual assessment, doing things like coaching the team on the topics the assessor's going to want to go through, so that they're prepared for both the onsite and the assessment process.

Sure. Well, it's that time again. Give me some parting thoughts and shots here. Well, the reality is that the TCT portal is the compliance management system to address all these issues, and a lot more. You've got your evidence, your input, your answers down to the requirement level. You've got accountability for all of the personnel on your team with assignments, system reminders, and all your information in one spot. You get customizable workflows that allow for the handling of that internal QA process that we talked about, as well as the ability to flow it straight through to your assessor, and do it all within one system. All of your annual documentation is in one location instead of being spread out all over Hell's Half Acre. The ability to leverage both the automation and the organizational capabilities ends up saving an organization going through compliance, or, quite frankly, the assessors on their end, hundreds of man-hours every year. You have the ability to easily reference your prior year's documentation, even if you have turnover on your team, so that you're not a victim of the tribal knowledge the team from last year gained when members have since left either the department they were in or the company in its entirety. The integrated operational mode within the TCT Portal ensures that you and your team are staying on track all year long and are prepared for your annual assessment. The bottom line is that we built the TCT portal to make managing compliance suck less, and it's the cost-effective tool that I wish I had in my early days of compliance management.

And that is the good stuff. Well, that's all the time we have for this episode of Compliance Unfiltered. I'm Todd Coshow. And I'm Adam Goslin. I hope we helped to get you fired up to make your compliance suck less.
