Compliance Unfiltered is TCT’s tell-it-like-it is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.
Show Notes: Do Compliance Your Way With Custom Certifications!
Quick Take
On this episode of Compliance Unfiltered, Adam and Todd talk about how made-to-order custom compliance certifications are a reality and how they can change the face of an organization’s compliance practice.
Adam goes in depth into how an organization can leverage custom certifications to get the most out of their compliance team’s time and effort.
Curious how to simplify your engagements? Wondering about how you track your custom certifications? All those answers and more, on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
Read Transcript
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin..
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside a man you could consider the orthotic insole to your compliance running shoe, Mr. Adam Goslin. How the heck are you? Is this the point at which I say I feel worn? Yes, well worn indeed. And today, you know, the orthotic pieces is apt in this moment because we’re going to talk about doing things your way, specifically, Adam, doing compliance your way with custom certification.
So let’s get started today talking about what exactly is a custom certification? Well, when TCT set out on this adventure, we set out with an objective, and that is making compliance management suck less. And of course, the TCT portal handles all manner of industry standard certifications. But with that, given the system that we’ve created has the capability to load up just about anything, it also opens us up to a notion which is loading up, you know, loading up kind of a custom list for organizations. You know, on our platform, we’ve got, you know, folks going through compliance. We’ve got assessment and audit firms that assess compliance. We’ve also got service providers that, you know, kind of facilitate compliant organizations. And, you know, one of the big elements in this space is the capability for organizations to have a tool set that allows them to… integrate their secret sauce into how they do what they do you know if you know if this isn’t you know you know choosing people to work with in the security and compliance space and or choosing a tool to leverage within the security and compliance space this isn’t you know hey I want to go you know pick up a you know a number eight you know number eight Phillips head you know screw you know type of deal. Where it’s a commodity but you know it’s really about, about having the capability to you know to leverage the, the true capabilities of the organizations that you’re dealing with and that’s really where you know kind of this notion of, of customized certifications you know really comes into play. The custom certification gives the, the organization the ability to effectively create their own list of collection items they need for some type of a purpose within the you know within the organization you know they’re a they’re a tool that exists within the TCT portal. However that custom certification as our clients have learned to expect of TCT you know is then you know only provisioned out for their organization, it’s something that’s unique to them, it’s something that they can use for their own purposes and you know and, and so it allows organizations to load up this kind of custom collection list you know into the into the tool and be able to integrate some of what makes them different you know into a standardized platform for overall compliance management, and, and kind of consolidated tracking you know of their you know kind of compliance related materials it gives them that capability.
You can think of the custom certification could be just a standalone collection tool. It could stand on its own just like TCT has the capability to link between certifications. So think linking between PCI link to HIPAA or PCI link to ISO, that type of thing. You could also link your elements of your customized certification into industry standard tool sets as well. So for the organization that is really looking at how do I want to leverage things in a consistent manner, given the framework of the TCT portal. and yet have that capability to integrate some of their customized advantages that they want to make use of, it allows them to be able to take advantage of that from within a tool set basically purpose built to make compliance management suck less.
Yeah, it makes a ton of sense. Now, in terms of some of the ways that clients are leveraging custom certs, like tell me more about how organizations can use one list to like cover multiple compliance certs. Yeah, so, you know, what we’re gonna get into here is kind of going through a couple of different scenarios, you know, for organizations, how they can leverage this capability just to kind of get their gears turning. This isn’t set, you know, these aren’t the full compendium list of all the scenarios, but probably some of the most common that organizations can, you know, some of the most common reasons why organizations will leverage the capability for custom certs within the TCT portal. So I like to refer to this as one list to rule them all, you know, type of deal. When you’re dealing with, especially, you know, I’ve talked previously about how the progression of kind of compliance management within an organization, you know, oh, well, we started off with SOC 2 and then we needed to add HIPAA, and then we needed to add ISO, then we needed to add PCI, you know, then we had to add NIST CSF. And, you know, at some point in the game, you know, the various list of standards starts to expand or may already be expanded, you know, for a particular target organization. You know, things start to get more and more complex. And the other side of that is that more and more, the more of these that you… layer in, the more and more you have the same requests coming across all of these various and sundry standards. So back in the old days, where I kind of had a tracking mechanism for certification number one, certification number two, you’d effectively have to track everything redundantly across two certifications. And then when somebody gets the bright idea to go layer on a third, a fourth, a fifth, your percentage of kind of crisscross across these continues to go up, up, up. You’re just basically doing a whole bunch of extra redundant work. And so when you’re looking at the notion of consolidation of this list, I’ve actually got one organization that they’re subject to six different certifications, basically worked with them, work with their assessor to consolidate the unique asks across each of their various and sundry certifications so that we basically had one line item that would be on there. And we would not only eliminate the redundancy within that list, but it would also allow them then to provision mappings from that one request item off to the various resultant certifications. And so that’s awesome. Yeah. Well, by doing that, you know, you literally, you know, you literally can go through and now have I’ll just get the which one do I want to use?
Well, let’s you let’s use a let’s use to let’s use their extract of their GPO to support access control. You know, the notion of access control, how it’s configured, etc. That’s one that where there’s often one element of evidence and that element of evidence is then used to like a PCI alone that would kind of as long as it was configured correctly, check the boxes for what, 20, 30, 40, you know, different requirements under, you know, under a related to access control. Well, access control isn’t unique to PCI. It’s, you know, there’s access control provisioning under HIPAA. There’s access control provisioning under ISO under this stuff. And so now instead of having to go in associate that evidence at not only at line item under PCI, where I then have to go take that same piece of evidence and manually link it to the, you know, whatever, 20 to 40 different requirements of PCI. But then I’d have to go do the same thing and attach that to multiple locations under HIPAA, multiple, multiple, locations under ISO and then multiple locations under NIST CSF, where instead with this notion of a consolidated list, on the consolidated list, I can now say, go ahead and attach the rules and regulations that govern your access control. For example, your HTML export of your and your rules for LDAP, etc. And now I can go in and I can put not only in the custom certification, can I put that in whatever manner would make sense to the folks that are having to read this requirement. Now it’s written in your language. You have full control of how you ask the question, what examples or additional texts that you put in there to get the light bulbs to go off. You can associate that ask with customized guidance.
All of the standard features that we have under industry standard certs are also available under custom certification. So it really gives the target organization a way to structure things how they want, say things how they want, provide guidance as they like, examples as they like, etc. And it just makes things a lot easier. And the coolest part is that now that I’ve got this notion of, hey, go load up your HTML extractor, your GPO. Now I can use live linking off of that custom certification. And I can link that to the 20 to 40 items of PCI, all of the items on HIPAA, all of the items on ISO, all of the items on SCSF. And with that one attachment and attachment that I go put in and any additional explanation, instantly that evidence is now instantly available on all of those secondary tracks. So effectively I’ve filled it in once, but I’ve now concluded whatever, a hundred different items across all of these certifications. It’s actually really, really scary, just how efficient you can make, especially complex engagements.
And so, as you go in, and it’s gonna take a minute to get that list honed in or dialed in, but once you’ve gone through that, process. The even better part is, now I can take that single collection list. I can now turn it on. And we’ve talked about this previously as well. We talked about operational mode. I can now turn that customized list on in operational mode so that it will basically act as the proactive collection mechanism that the target organization uses throughout the year. So an example there, an easy example is PCI’S quarterly vulnerability scanning. And so instead of loading up your stuff for quarter one, load up stuff for quarter two, you can now take that one line item, which is please load up your vulnerability, your vulnerability scans. You can now take that line item, turn it on in operational mode, which basically means that as you conclude an engagement with that particular organization, let’s pretend for the sake of this discussion that that adventure wrapped up at the end of June in the calendar year. I can now spawn a new next year, so we’re in 2023 now. So I can spawn the 2024 run and basically have the system automatically generate due dates and prompts and things along those lines for, hey, it’s time to load quarter one. Hey, it’s time to load quarter two. And the awesome part about that is now you’ve got the advantage of this being written in a manner that is in your own words and easy for the client to understand that type of thing. But it also doubles as their kind of continuous compliance mechanism to keep them on track all the way through the year so that when they get to the end of that now 2024 cycle, they’re not having to hope that, oh, geez, do we remember to do everything that we were supposed to do all year long? Instead, they’ve been collecting up the daily, weekly, monthly, quarterly items each quarter. Any of the semiannual items they’re collecting at the mid-year point, you know, and as they enter into their kind of Q4 of their compliance engagement, now they can, you know, get a jump and they’ve just got their annual kind of compliance evidence left at that stage of the game, anything that had not already done.
You know, for a lot of the organizations that I see leveraging the operational mode, you know, that’s another arena where that we’re seeing a lot of organizations getting some seasoning is really looking at those annual collection elements and items and even spreading those out throughout the year in operational mode because the TCT portal supports that capability as well. It’s just been. It’s been really, really kind of heartwarming watching organizations. You’re kind of seeing the light and embracing the capabilities of the of the TCT portal to really kind of make their compliance management their own through the use of the tool. It’s been it’s been fun to watch. Watch that on full.
For sure. Now, what about tracking and monitoring like custom projects? In practical application, that’s where my head goes here. For custom projects, this is again another example of ways to use custom certs is that you may have a very specific list of things that you need to go in and monitor. So an example, maybe the organization’s either required to or just desires to do physical inspections of their facilities type of thing. I know there’s a requirements for that in the medical arena, oftentimes in manufacturing facilities, there’s various tasks, activities, etc that need to be done. So it allows them to leverage the capability for the customized certification to use it for some of those custom things that an organization either wants to or needs to do. They don’t really fit into a box. The best way that I can explain it to folks is, if you’re using a list, a list to track items and Excel sheet, to do a list of items, especially if you’re doing them on a periodic basis, once a year, once a quarter, whatever it may be, that’s kind of your key indicator for, hey, I probably have an opportunity to make this a little bit easier. So if you’ve built some type of an internal tracking system or a spreadsheet or whatever, that’s stuff that you can port that data collection right over into the TCT portal, use it as a custom cert. That’s kind of a prime candidate. So effectively the same tool that you’re able to leverage for all of your industry standard compliance certification, validation and management, you can also use then for additional tasks to alleviate load internally. It is a great way to go about, basically making better use of the tools that you’re already leveraging, especially since you look at it this way, the one thing in the way that we position the TCT portal is that if we’ve got an organization that is on the TCT portal, whether it’s what we call an applicant organization or the organization that’s applying to be certified or subject to certification, if they’re on the portal, we don’t have some limit on how many certs can I leverage for this organization. We don’t have a limit. Whether we’ve got an organization that needs to go up against PCI and HIPAA, they can go in and do that, or where we’ve got those organizations that I was mentioning earlier, where it’s PCI, HIPAA, SOC, NIST, ISO, etc, they can do that. And they can also layer on some of these additional kind of internal tracking tools to be able to take even better advantage of what they’re already paying for. So the structure of the TCT portal certainly would provide some organization to those. And if you think about it, for any organizations that needs to manage and maintain, whether it’s an internal system that they’re using or some type of a spreadsheet that they’re leveraging, now they don’t need to manage and maintain those systems and support them. Instead, they can leverage the capabilities of the TCT portal to go and do that. So all the way around, it just allows the organization to take better advantage of what they’re already bringing to bear, if you will.
Sure. Now, I guess my next question is, how can organizations simplify their compliance engagements? I’m an efficiency guy. Well, whether you are regardless of the type of organization that you are, certainly for consultants and assessors, the use of a custom certification can provide really some stellar customer experience for your clients and make compliance a lot easier for them. There’s a lot of our assessor organizations, they want to give their customers a proprietary, simple, streamlined, confusion-free compliance engagement. And certainly, the notion of custom certifications will be able to do that. I use PCI as an example. It’s got a lot of confusing language in the requests, that confusing language. tends to spur questions from organizations that are going through it. And as a result, the funny part for the assessor or the consulting firm that is going through the process, the funny part from their perspective is they end up hearing the same questions repetitively. So instead of leveraging the certification language or trying to find some out of band way to go about go about doing the collection to reduce the confusion. If the organizations head down the path of that kind of customized certification, then you can go ahead and create your own custom lists to go in and collect and track these elements and then kind of map those off to your various certifications automatically. It’s a really, really good way for allowing the organization that is using the TCT portal to administer their engagement. It’s a really good way for them to go in, use their own language, use their own guidance, give their own examples, etc. That way, you can really streamline the request process of your customers. Rather than them continuing to answer the same questions every time on this particular requirement when they’ve been using the actual raw elements of PCI, or having to have some sideline how-to guide type of deal, they can go ahead and integrate all of those lessons learned into that customized certification and be able to only face, here’s the cool part. Let’s go under the scenario just to dot the eyes for the listeners. Under that scenario, I’m just going to make this really simple. I’m going to say it’s a custom collection list for PCI. In that case, we talked about the notion of the collection list that would include one item saying, hey, go load up your HTML extract to your GPL for access control. On the custom cert, they can line that up and word it however they want, answer all the frequently asked questions through the guidance, things along those lines. When they configure the TCT portal, what they do is they configure the client to see this custom request list only. On the assessor side, they’d have the capability to see both, but their primary work would be off of the standard. In their case, in this example, it would be PCI. So they would go in and do that. And from the client’s perspective, they only have access to the custom cert. The assessor is primarily working off the cert, but certainly could see both. And the live linking that we set up between the custom cert and the PCI track means that the elements and items, as they’re being added to the custom certification, are automatically showing up in the right spots over on the resultant track for the PCI standard. And all the way around, you’re then able to just make it really clean, really easy, etc.
Certainly from TCT’s perspective, if there’s minor tweaks to any of the language for the request list, etc. those are the types of things that we’ll just go ahead and take care of for the target organization, if they need to go in and make minor tweaks and whatnot, and that type of thing. It really just allows that organization as an assessor to really differentiate themselves when it comes to how they do what they do. Really, if you think about it, it gives them the capability to customize it up with exactly what it is that they’re looking for, looking to implement. They can do it in their own way and really allows a lot of flexibility and yet taking advantage of the structure of the TCT portal.
For sure. Parting thoughts and shots for the folks this week. Well, I covered it when we started walking into it. We covered three different examples of ways to use custom search with TCT portal, but honestly, there’s really no limit to things that you can come up with that you want to leverage it for, etc. The bottom line is that if, like I said earlier, if you’ve got a list of items that you need to want to do collection on, where you need to have supporting evidence, confirmations, affirmations from frontliners on evidence to support that particular ask, it’s a perfect use. Especially if it’s periodic in nature. Do this every week, do this every month, do this every quarter, whatever. The portal is built to be able to do stuff like that. I’d honestly encourage the listener, think about what are you doing that fits into this bucket? Where can you leverage this capability and how? Certainly, if you’ve got any questions, if there’s anything that You want to kind of throw off the wall or whatever it may be. I would strongly encourage them to, you know, if they’re a prospective client, then, you know, go ahead and reach out to you. If they’re already, you know, on the TCT portal, then reach out to support. But, you know, certainly get a hold of us. Let’s talk it through. We’ll, you know, we’ll certainly help organizations with being able to undoubtedly make their compliance management suck less.
And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.