Starting your compliance program for the first time? I’ve been there.
I got my start in compliance when the boss came by, dropped a four-inch stack of paper on my desk, and said we needed to get compliant. I was staring down Alice’s rabbit hole, wondering what to do and where to start. I’ll never forget how overwhelming it was.
If you’re just starting out with compliance at your organization, the whole thing can be so enormous that you don’t even know where to start. This article will break it down into a framework that will make your compliance program a bit more manageable.
The first step is the simplest: relax. Take a deep breath, grab a cup of coffee.
Okay, let’s begin.
Track Your Compliance Project
Before you begin implementing a compliance program, find a reliable, robust system to track your progress. You’ll need to track the following items:
- Each certification (if you’re doing more than one)
- Certification requirements for each
- Tasks for each requirement
- Supporting evidence for each requirement — tracking details such as attachment names, versions of each attachment
- Person assigned to each task
- Due date for each task
- Task status with date
- Record of communications
- Notes/comments
A lot of organizations use spreadsheets to track compliance. Don’t do it. Spreadsheets are great for handling simple projects and doing accounting, but they were never designed to handle the enormity and complexity of a project like tracking compliance.
Spreadsheets are a manual tool — they can’t automatically update. Excel runs into challenges when you have multiple authors working on it simultaneously. You have to manually manipulate your spreadsheets during each weekly meeting just to track status. Merely maintaining your tracking spreadsheets will take several hundred man-hours alone.
Instead, an automated compliance management tool like TCT Portal can handle every aspect of managing and tracking your compliance efforts:
- Provide updates independently
- Show you real-time status
- Track all the workflows between the various team members
- Handle things like team assignments or group assignments
- Consolidate all of your evidence and commentary into one spot
- Organize your evidence under the appropriate requirement
- Provide explanatory guidance for each compliance item
- Automatically remind team members of tasks that are coming due
- Show you what items are left outstanding and who is responsible for them
Invest in an automated compliance management software that was designed specifically to manage compliance programs. It will save you so much pain, heartache, and time. And it’ll shave hundreds of wasted hours off of the adventure you’re about to walk into.
Best of all, that investment will pay off for years to come. As you enter maintenance mode for your certifications, all of your hard work to get there is memorialized in ONE location, in a system that belongs to YOU (not your consultant or auditor / assessor).
Featured Case study
Phoenix Financial Services Navigates Compliance Chaos
Learn how TCT removed Phoenix Financial's overwhelming challenges of becoming PCI compliant.
Phone a Friend
Depending on the certification, there are hundreds and hundreds of line items that need to get done. Don’t go through it alone. Find a friend you call for help and advice. Walking into this space is extremely challenging and it’s tremendously valuable to bring somebody in to help navigate the water — someone who’s been there before, who can walk you through it.
There are terms that will come up that don’t make sense. What is this item? Does the evidence I have look like it’s in the right ballpark? You need someone you can call on to ask miscellaneous oddball questions. A trusted guide not only gives you the answers you need, but they also provide the encouragement and support that’s vital for an overwhelming project like this.
Don’t lean exclusively on your auditor or assessor for this. Their role is to be an objective third party who determines if you’ve hit the mark. When looking for help, you need someone who is on your side, that you can openly confide in, who has your best interests at heart. Some options to consider:
- Hire a consultant
- Talk to a past coworker with compliance experience
- Find a friend who understands and has gone through compliance
Assess Your Situation
Determine all of the certifications that you need to be subject to. That list will come from several sources:
- Your customer requirements
- Any agreements your company has signed
- Any industry requirements
- Your legal team
- Your competitors — check their websites and see what they’re compliant with
In the end, you may be surprised to learn how many standards you need to comply with. Don’t let this new list overwhelm you. This step actually helps you gain more control over your compliance program. Here’s why.
First, this exercise will answer the question, “What is everything we need to do, at the end of the day?”
Second, it allows you to determine the most prescriptive standard on your list — the most specific one of the bunch will give you the best insight as to controls needed. This is the standard you want to start with.
For many organizations, PCI is their most prescriptive standard. It has hundreds of line items, and each one is very specific — and that’s a good thing. Because of its enormous breadth of coverage and strict line items, fulfilling PCI requirements also fulfills a multitude of requirements in other standards. When you become compliant with PCI, you’ve already done the lion’s share of work for your other certifications.
If you start with something less prescriptive, like SOC, ISO, or HIPAA, then you’re staring down a standard that has a lot of wiggle room. Those certs are meant to provide flexibility, but that also means they aren’t very well defined (or prescriptive). In the end, it can encumber someone who’s going through compliance for the first time. You have to figure out what is this, how it applies, and what your options are.
In fact, I often recommend to organizations that they use PCI as a framework for their compliance engagement, even if they don’t have to be PCI-compliant. It’s such a strong standard that it sets you up for greater success. (Just replace PCI phrases like “cardholder data” with “sensitive data.”)
Hiring the right C3PAO is only one small piece of successfully navigating the Cybersecurity Maturity Model Certification. Get fully equipped with TCT’s online guide to CMMC.
Write Your Policies
Figure out the policies that you already have in place and the policies you need to develop. This is a good starting point, because it will give you a more complete understanding of everything that needs to be done.
You can find off-the-shelf policies to get you started, but don’t expect them to be plug-and-play. The majority of them are generically written, and they’re full of little placeholders. You still have work to do in order to get them customized to your organization — which is what your auditor/assessor will be expecting.
Another option is to see if a consultant can help you through that process by generating the first shot at the policies you’ll need. They can get the ball rolling for you, and then you can customize them as needed, ongoing.
Once your first drafts are together, send them around to team members and relevant department heads. Make sure they understand what the policies are, and what they mean. Get their feedback and make changes, then rinse and repeat until you’ve got a workable set of documents that align to the requirements of the standards.
You can expect to generate 50 to 100 pages of policy statements for your company, at least.
Generate Technical Documents
There are four cornerstones of technical documentation that you should focus on right out of the gate. You can work on the technical documents in parallel with the policies. Since the two sets usually use different resources, you can save time by attacking both sides at once.
The very first thing your organization should do is generate a network diagram. The diagram should show where everything is, physically, as well as how it’s logically connected.
The second technical piece is a data flow diagram. A data flow diagram shows where information is coming from, where it’s going to, what those flows contain, and how they’re moving — i.e., how they’re secured. In many instances, organizations will use their network diagram and add numbers between the device connections, then add a secondary document with a description of flows.
Next is the documentation of your firewall rules. Make sure your rules are documented outside of the firewall, and follow best practices for pruning them.
Finally, create a full inventory of all hardware and all software being used in the environment of the organization.
Once those four elements are in place, you’ll have a good understanding of what you have, where it is, how it’s connected, what data is being passed, and what assets of hardware and software you have. At this point, the rest of the compliance puzzle starts to drop into place.
Assemble a Compliance Team
Who needs to be on your compliance team and how many people do you need? The person who is tactically leading the team day by day should be someone who is extremely organized, able to simultaneously juggle multiple elements, and has at least a semi-technical background.
Pro tip: a generic non-technical project manager will struggle to manage a compliance engagement, because they aren’t technical enough to translate inputs from the team to the compliance track appropriately.
You’ll also need an executive sponsor who will drive the effort for the entire organization. Without executive leadership, nothing will stick. A CIO, CTO, or CSO is the best person for the job. That person should be a cheerleader for these efforts, and a critical support mechanism.
Key day-to-day players include:
- IT personnel
- The person in charge of infrastructure
- Anybody involved in any applications that are in scope
- Critical vendors involved in day-by-day functions involving sensitive data
Other people who will need to be involved occasionally:
- HR
- Legal
- Any vendors represented on your network diagram
Status Update Meetings
Weekly pulse checks are critical to the success of your compliance program. As you start to get into the thick of things — for example, heading into an audit — you might want to step it up a bit and meet two or three times a week. These status meetings keep your finger on the pulse of the engagement:
- Who’s doing what
- Which tasks are outstanding
- What roadblocks are getting in the way
- What’s overdue
- Who needs a kick in the pants
The biggest thing that stretches out your compliance engagement is a loosey-goosey approach to managing it. Stay on top of the status and keep your people accountable. Otherwise, you’re in for greater frustration and effort.
Don’t Stop!
There’s one more thing that you need to know as you begin your compliance program, and this is vitally important. I can’t tell you how many companies I’ve seen that walked into an engagement expecting to check all the boxes, get an auditor or assessor’s blessing, and be done with compliance. That couldn’t be further from the truth.
Once you’ve achieved certification, there’s the work of maintaining it. That involves tasks that need to be done daily, weekly, monthly, quarterly, semi-annually and annually. It takes work and accountability, but once you have a system in place it’s manageable. At that point, you’re doing little bite-size tasks that often take a few minutes at a time. But they must be done, and you must stay on top of them.
So it’s important to walk into compliance with the notion that, yes, you have a goal to get there in the first place and achieve certification — and then shift into Operational Mode. Compliance is a lifestyle change. Security compliance is now integrated into the DNA of your organization.
You Can Manage Compliance Successfully!
Stepping into my first experience with compliance, I had no idea how much pain and frustration I was about to go through. I didn’t have any idea how long it would take or how hard it would be. But my experience doesn’t have to be your experience.
I founded Total Compliance Tracking to help people tame the chaos of compliance and manage their engagements without going insane. TCT Portal is our compliance management software that eliminates wasted time and effort that most companies deal with. With TCT Portal, you can get your compliance program up and running faster.