Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable, compliance expertise with a sprinkling of personality.

Show Notes: Time savings for Assessors and Consultants with Preconfigured Certification

Quick Take

On this episode of Compliance Unfiltered, the CU guys have a special one for the Assessors and Consultants out there! With so much of the work done for their clients being repetitive, the value of pre-configured certification tracks is immense – a true game-changer when it comes to time and money savings.

Adam breaks down what pre-configured certification tracks are, how to use them, and exactly how you can benefit from them.

All this and more on this week’s Compliance Unfiltered!

Read Transcript

So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the wind in your compliance sails. Mr. Adam Goslin, how the heck are you, sir? I’m doing fantastic. How about yourself, Todd? I cannot complain at all. You know I love myself some time savings, and today we’re going to talk about some time savings for assessors and consultants with pre-configured certification tracks.

So why, Adam, is the notion of pre-configuring your certification tracks helpful at a high level? Well, one of the most tedious and wasteful parts of every client engagement is at the beginning. You know, for assessors and consultants, when they’re doing setup phases to kick off an engagement, you know, you have to, you know, deliver, you know, deliver instructions and the same set of documents and the same information and answer the same questions and go through the same setup, you know, every freaking time. You know, not only is the engagement setup process, you know, painfully tedious, it’s a gigantic waste of time. That’s especially true when you’re, when you kind of have a, you know, kind of a prescriptive methodology or prescriptive standard, you know, for an assessment, like PCI DSS version four. Compliance engagements like PCI, they’ve got almost 600 items that need to get dispositioned. So, the assessors and consultants are meanwhile spending hours of configuration, often through tediously difficult spreadsheets, et cetera, before the actual client work really even begins. And as a result, they’re already feeling like they’ve expended a bunch of energy and they haven’t even started the real work yet, you know? The reality is that the TCT portal, compliance management platform lets assessors and consultants skip all of that manual pre-configuration setup that they’d normally have to do on their certification tracks with just a click of a button for each individual engagement.

Well, tell us more about how the Assessor Templates functionality works. So in the Assessor Templates, we’re able to provide fully configured certification tracks. They allow the organization to hit the ground running with their compliance engagement. So with our TCT portal’s customizable Assessor Templates, you’ve got the ability to preset all of those kind of starting points for each of your engagements in the manner that you want to kick off your engagements in. So you can do things like pre-populating assignments of particular requirements. If there’s one that you always know you’re going to hold in your hands, but I want to go ahead and start this line item in my customer’s hands, then you can do that. You can also preload in all of your examples, any customized guidance that you would otherwise provide to your clients on what are you looking for, what are different options that they can leverage, etc, what are different approaches they can take, and provisioning out even sample templates. So everything that the client needs is literally available upon launch of the engagement in the system. And there isn’t any additional configuration that needs to be done. You can use the template to explain to your clients how your engagements work. You can fill it in with all of the kind of documentation and resources that your customers are repeatedly asking you about. You can add in comments and explanation notes that answer any of their frequently asked questions. And you can provision instructions and guidance that you know that they’ll need. The guidance for your template, that guidance updates live out to every single one of your currently running engagements.

So let’s say I’ve got 16 active engagements right now. And on one of those engagements, a customer asks a good pertinent question type of a thing. Instead of what would normally happen is that I get asked this question or I get asked the same question as I’ve been asked 18 other times. And you just go and answer it again for the customer. Instead, you get in the habit of capturing their request, making an update to your guidance. Then you go in and you make the update to the guidance. You commit that, you know, on your template, it’s immediately accessible not only for the client that asked the question, but for any other client that’s, you know, going in and looking at the guidance tab, they’re now seeing that update as well. And then you just go back to the client that made the initial inquiry and you let them know, hey, I updated the guidance, go take a look, you know, type of a thing. And as you’re training your clients out of the gate, you train them to, first things first, go to the guidance tab. We’ve got a lot of good, helpful information there, etc. And basically this process of having the clients directing to the guidance tab, asking questions if they don’t see their question answered there, and you bringing that back into, you know, kind of back into the mix. Oh, it’s absolute magic watching, you know, watching these organizations, you know, getting just more and more and more efficient. And it’s also fun watching the clients that, you know, kind of see the net result of, you know, all the work that the assessor’s done with that guidance. It actually helps them to, you know, customers will get frustrated with not wanting to feel dependent, you know, type of thing. They want to be able to service themselves, if you will, you know, without, you know, having to sit around waiting for answers, you know, so it helps them too.

Yeah, definitely. Now, what about the service provider functionality? Well, TCT portal has a way to eliminate all of that, you know, all of that initial manual setup. The service provider templates will allow the service provider to configure fully configured certification tracks to hit the ground running. Those templates can get applied on top of the client’s existing compliance engagement. So, you know, if you have clients that are struggling to keep, keep their tracks organized, then you can introduce them to the TCT portal. And when you provide that service provider overlay, everything that that client needs is now populated right onto the track. So, you can go through, I’m gonna back it up a little bit. I’m gonna explain real briefly. So let’s say service provider, I’m talking about a secure compliant hosting company as an example. So where they would normally have certain areas that they need to basically provide their AOC for as an example, or provide an explanation of how the roles and responsibilities work for that particular item, instead of them having to answer these questions for their customers. And again, it’s the same questions. It’s the same stuff they’re dealing with there. Yep, this is how we do it. Yep, this is what we do. And this is your role, et cetera. Yep, here’s our AOC and whatnot. You can just go and pre-configure it into the service provider template, drop it over the client engagement, everything’s where it needs to be. It’s a key changer. Yeah, I mean, you can literally fill in the template with documentation and commentary about who needs to do what, division of responsibilities, etc. You can attach your AOC to it. You can attach kind of sample overviews, et cetera, that will go right in there. You can provide. Similarly, the service provider can provide their own instructions and guidance, similar to what we were just talking about with the assessors.

So there’s just a ton of capability. And really, it’s kind of a game changer when it comes to that, instead of you getting as a service provider, anybody that’s a service provider is just like chuckling right now because they know every single time that each of their clients goes into kind of compliance season, they know they’re gonna get hammered with a bunch of inquiries and a bunch of questions and answering all the same stuff, etc. It just makes it so much smoother because you can go in and basically apply your template with a wave of your wand over top of the client’s engagement and TCT portal and poof everything that the client needs to be able to use your information for their certification is right where it’s supposed to be. The responses that you’re providing as a service provider, those are also now made consistent. So instead of, if I’m on the service provider staff and I’ve got Bob, Mary, Frank, and Angela all answering these questions, are they all answering it the same way? Are they providing the same answer? Are they wording it the same fashion? Well, probably not today, but if you’re using a service provider template, yeah, you bet your ass it’s coming out absolutely consistent.

Now, what about streamlining PCI version four engagements? Because this is becoming more and more of a relevant topic as the days tip by. Yeah, as of right now, you know, we’re down to days left before the big 331 deadline for 321, so, you know, in PCI, PCI version 4 for those that haven’t had the opportunity to stray down that path, there are a whole bunch of new yes and no checkboxes that need to get, you know, go ahead and get filled in. You know, especially if you’re, you know, as it relates to did you or did you not leverage customized approaches, you know, when you have clients that aren’t taking a customized approach, which I would expect. The majority of people going up against PCI probably aren’t. There’s a ton of no checkboxes you have to go through and do. You know, with templating functionality, you can automate the completion of all of those checkboxes when you deploy your engagement and deploy them with a default starting, you know, starting a state of no and change it if you need to, you know, type of a thing. So, you know, the portal will go fill in your and default to no, you know, etc. You can just go flip it over to us as needed. The other client then just needs to go in and do their normal engagement work, etc. And for, you know, for the consultants and or assessors, you know, of the world report generation out of the TCT portal is just go press a button. And when you do, the final reporting is generated and it’s got all those yeses and noes already filled out for you. I mean, what kind of time savings legitimately are we talking about in just that portion alone? I mean, honestly, the using the TCT portal for the management of your report text and then being able to press a button. Honestly, that’s saving that’s saving dozens and dozens of hours, dozens and dozens depends on the size and scale of the, you know, of the, you know, of the engagement.
But, you know, the people that are the people that are listening to this that are in the know, you know, they’re all kind of nodding to themselves.
Yeah, we blow a ton of time messing around with our, you know, with our having to write our reports and. Thank you. blah, blah, blah. You know, it’s part of the cool part about leveraging the TCT portal is that you’ve got all that report text right in there and you basically press a button, walk away, wait for the report to generate and poof it’s done and you’re not blowing all of that time.

You know, the portal also provides a field that allows organizations to explain why they chose to approach a control in a particular manner. So if the clients aren’t using customized approaches, you know, you might choose to provide some text that calls out not applicable. The organization didn’t need to leverage the custom approach. You know, you aren’t required to fill in that field, but what we’ve been seeing is certain firms would prefer to do it that way. The template allows you to go in and do that as well. You know, so you’re able to add that explanatory text to just make it clear that the client, you know, didn’t use the customized approach and why didn’t they use that customized approach? Well, and can an organization use multiple templates? So usually for most of these organizations, one template usually isn’t gonna fit everybody. So we give the organizations that leverage our systems the capability to create multiple templates for various, you know, for various client scenarios against a particular standard.

So I’ll give you some examples there. Maybe you wanted a template that has no wireless. You want up another one that says that there’s no POS devices. You want another one that says no wireless and no POS devices, etc. That way, the kind of use case scenario from the client perspective of that particular certification, you can now capture that with templates that identically match the scenario that you’re looking for. You know, the organizations that leverage TCT Portal can create any number of templates to match all the various scenarios that they need. And it doesn’t matter which standards we’re talking about. We’ve done a lot of talking today about PCI, PCI DSS4, but this templating capability, it applies against, right now we have north of 150 different industry standards on the platform. You can use the templating approach for all of them, which is pretty damn cool. That means that as your organization starts to take on different standards or a new one pops up or whatever, you don’t need to worry about it. You can continue to use the same system. That is pretty damn cool. Now, what if I need to make changes to a template? Things change, right? Yeah, it’s not a problem at all. As your firm is updating their guidance process, explanations, attachments, whether it’s a service provider template or assessor consultant template, whatever, it’s no big deal. You can go in, make the updates to your templates. Certain elements will push out live. Certain elements are the starting points for when you deploy a new engagement, but you can always go in, edit your templates, change them, update them, maintain them, etc.

If you just remember that notion about the guidance as an example, the guidance being live is a big deal. That means that it will automatically splay out across all of your active live engagements. You don’t run the risk of having to redeploy your instruction sheets to everybody. You don’t have to worry about, geez, did I catch everybody? Every client always has your latest and greatest information at their fingertips. Tell us about the benefits for new personnel, Adam. One of the big challenges in this space, the security and compliance arena, is there’s a ton of hand-holding that happens when you get a new assessor, a new consultant that joins your firm. Even the simplest of your procedures needs explanation because you have your own way of doing things. The TCT portal templates eliminate a lot of tedious onboarding process. I don’t need to go and explain ad nauseam exactly how we do and what we do and why we do. All we have to do is go in and fling the template up. A lot of that, how should I do this, it’s done. You just basically need to point the noobs to which template to use for which purposes, etc. It streamlines a lot of the painful parts of bringing people in, etc. You don’t have to hope that they figure it out. They don’t hope that they do the right thing. Hope is not a strategy, right? Yeah, exactly. I’m a much bigger fan of process and structure than I am a prayer in this case. Cause it’s, you just spend less time explaining stuff and more time doing things. It gives your new personnel really the ability to replicate your process consistently day one, instead of, and anybody that’s been in this position of the onboarding, especially for folks that are in an area as complicated as, you know, kind of compliance assessment or management, you know, you know, that it’s a tough arena. And there’s a ton of things that, you know, that folks need to kind of pick up and, you know, pick up and leverage as part of probably getting their arms around things.

Parting shots and thoughts for the folks this week, Adam. Well, our goal from the very beginning was we wanted, we wanted to make compliance management suck less. You know, so the, you know, we did, that was our objective out of the gate. It remains, it remains kind of a part of our credo, if you will, you know, the template, the templating functionality, it’s one of many features that provide benefits for assessors, consultants and service providers, you know, so, you know, for those that haven’t had the opportunity to check it out, use it, leverage it, just get your compliance engagements going faster, do it with less stress and pain, spend less wasted time at the front end of your engagements, you know, go ahead, you know, give us a, you know, give us a shout. We’ll be happy to be happy to help spread the, spread the knowledge about how the TCT portal can make compliance management suck a lot less.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.

Remember to follow us on LinkedIn and Twitter!
