My Compliance Assessment Didn’t Go Well… Now What?

It’s a scary situation: after all the meetings, evidence gathering and reviews, the compliance assessment comes back with red flags. Regardless of the type of compliance assessment (PCI, SOX, SOC-2, etc.) the prospect of fines and/or business interruptions can put a dark cloud over any organization. So what do you do if it happens? There are a few logical steps that will help ensure the situation can be addressed both internally and with the assessor to a successful end.

 

Step 1: Be Honest About Your Situation

Nobody likes bad news. But when bad news is related to compliance, it becomes important to understand the reality of the situation. Whether it is a serious data protection issue or a simple policy requirement, it is still a failing mark that must be corrected. Inside an organization there are multiple people impacted and there remains a potential for sharing blame. Accepting this fact as the baseline while preparing to move forward will take the excuses away and help the team address the real problem.

Step 2: Get Specifics

Compliance requirements and acceptance criteria are by definition a little bit vague. While it is frustrating, it is necessary since every organization is different and their approach to any compliance program will be different. That being said, when a negative report is received it is important to push the assessor to provide as much detail as possible for how the gap can be closed. The assessor is the only one who knows what they are looking for in terms of policies, technologies and evidence. And since every situation is different, it may not be a wholesale technology change but a policy change that can be enacted relatively quickly.  So, get the specifics about what the requirement means, how it needs to be covered and what type of additional evidence is required.

Step 3: Understand Your Options

For whatever changes are needed, there are typically multiple ways to cover a requirement where gaps are identified. For example, if an additional security measure is required it can often be performed either internally or outsourced to a 3rd party. Both of these choices have implications in terms of readiness, cost, timeline and evidentiary requirements. As an organization, it is important to consider how a possible solution fits within the structure of who will be responsible for delivery and ongoing maintenance.

Step 4: Create and Execute the Plan

Once the problem is recognized, the outputs understood and the solution decided, it is important to take a thoughtful and cooperative approach to implementing the changes. Many compliance standards, such as PCI, require the organization to provide a transition or implementation plan when gaps are uncovered to demonstrate that the above steps have been taken and to show an understanding of the timeline to completion. When creating the plan, ensure all the necessary parties from within the organization are involved such that all considerations can be documented. After the plan has been documented, identify the appropriate resources to execute the plan in the most efficient manner.

 

Negative compliance reports are challenging and stressful. They can cause an organization to point fingers and they often create panic among cross-functional teams. Following a structured approach to recognizing the problem and implementing the solution will provide a path forward that all stakeholders can support.

For further discussion, contact Boyd at bfarrish@wcapra.com.