The audit preparation process can be long and tedious, as documentation has to be gathered from departments that are unprepared for or uninterested in the audit process. Confusion about what is actually required, who needs to provide it and when it must be completed is par for the course. Many people are guaranteed to forget whatever it was that they did to complete the prior request, or to think it is different from what was previously provided, generating multiple emails to get it clarified.
All the pieces of evidence that must be collected to document an organization’s compliance status are often stored in a disjointed collection of network folders, email inboxes, workstation hard drives and SharePoint folders. This can make collection and presentation to an auditor quite inconvenient. As a security administrator, the pestering nature of chasing up documentation from co-workers can make them want to hide when they see you coming. These headaches (and more) are all too familiar to a security administrator or compliance officer.
Approach
Frequently the audit-preparation process will be spearheaded by one or two people who work closely with department heads to collect the evidence needed to satisfy each audit requirement. These department heads are responsible for reviewing and approving each piece of evidence and this usually triggers requests to staff for log files, reports and other info for review before going to the compliance officer.
As a compliance manager, you might get a calendar reminder a week or two before each audit task is due. An email request goes out to the head IT guy. But he’s busy, and he’s probably not really sure what you need him to provide. So, he forwards your email to one of the people on his team, who then sends him back a report that he thinks fits the request, which he forwards back to you. But, unfortunately, it’s not actually what you were asking for, so you send a follow-up email with clarifications.
The problem with compliance management:
- Endless collections of complicated spreadsheets that are used to track audit requirements and the evidence needed for each.
- Email chains between you and multiple other parties requesting each piece of evidence… Perhaps you receive a few emails deferring responsibility… Maybe some emails asking for clarification about what is required… Emails with follow-up requests… Always more emails!
- Tackling the inevitable dense forest of nested folders spread out on some shared network drive that are used to store (err…hide?) the evidence you worked hard to gather.
Vendorin, Inc. is an authority on electronic payment enablement based in Omaha. Focused on delivering cost savings, ROI and value to their own clients, Vendorin is acutely aware of the need for quick and efficient business processes.
When Vendorin’s Corporate Security & Quality Administrator, Michael Brodie, was faced with the stress of visits by outside auditors and the piling up of more work on already overflowing plates, he felt his choices were limited to very expensive or inadequate tools to help along the audit path. Looking for another solution, he decided to give KnowBe4’s Compliance Manager a test drive.
Discovering KnowBe4’s Compliance Manager marked a positively impactful event in the development of Vendorin’s security and compliance program. All told, it took Brodie less than 20 hours to get KnowBe4 Compliance Manager (KCM) up and running in support of Vendorin’s PCI-DSS compliance program. That included mapping PCI controls over to other internal controls and requirements.
“Thanks to the pre-mapped compliance templates that are available in KnowBe4 Compliance Manager, the system was very easy to set up and start using to oversee our PCI-DSS compliance effort. Since KCM provides you with suggestions for industry best-practice controls that satisfy each PCI requirement, I was able to save at least 20 hours of work during the initial setup process. KnowBe4 also has pre-made compliance templates available for all of the major auditory frameworks such as HIPAA, NIST and ISO. So we can easily add additional modules as our business needs evolve over time.
KCM’s built-in ability to map a single piece of evidence to multiple auditory frameworks and requirements allowed us to save hundreds of hours a year simply by eliminating all the redundant work we had previously suffered from as we worked to obtain and provide evidence of compliance to different auditors each reviewing different audit scopes.”
With KCM, all of the pieces of evidence that are required for each audit requirement are individually tracked and described with examples provided. This completely eliminates the confusion and back-and-forth communications that used to plague the evidence request process.
Delegation made simple
The KnowBe4 Compliance Manager allows you to schedule each audit task, and a reminder email will automatically be sent to the person who is actually responsible for providing the evidence you need. That request will even link to examples of the exact information that must be provided to completely fulfill your request. The KCM portal gives each responsible party a location to directly upload the evidence you need, while still allowing their supervisor to review and approve the evidence that has been provided. Together these features help you to easily delegate responsibility for each audit task while preserving the ability for supervisors to review each piece of evidence before it is signed off on in the system.
No more email cycle. No more confusion.
KCM substantially eliminates the inefficiencies of the old email chains that used to go hand in hand with many audit tasks. KCM also helps increase efficiency by clearly showing specific examples of exactly what must be provided for each audit requirement, eliminating the familiar clarification emails that commonly follow requests.
“The KnowBe4 Compliance Manager is a powerful, and intuitive, content management system that has allowed us to store all of our compliance-related evidence in a single, centralized and secure system. We no longer have to go searching through a myriad of systems when we must locate a specific piece of evidence related to a specific control.”
Audit savings
“It can be very challenging to present your evidence of compliance to an auditor in an efficient and thorough manner. KCM has streamlined this process for us. We no longer have to spend significant amounts of time ‘holding the auditor’s hand,’ guiding them through each piece of evidence and telling them which audit requirement the evidence is related to.
Our auditors can log directly into our KCM system (with a unique username and password) and easily review each audit requirement, along with the exact piece of evidence that has been uploaded to satisfy that requirement. I especially love that each auditor will only have access to review the controls and evidence that are directly related to the specific scope they have been hired to audit.
You can even allow an auditor to review your evidence of compliance remotely in a safe and secure manner, freeing up your team while reducing audit-related costs by minimizing or reducing the amount of time auditors need to spend on-site. And time is money!”
“An unanticipated benefit to KCM sending out the audit requests and prodding the procrastinators for any late evidence is that the general attitude toward the compliance department has become significantly more positive. Now our department is viewed as working together to improve the security posture of our organization as a whole. We are now free of the stressful and inefficient cycle of playing last-minute catch-up each time the next audit period rolls around.”
The numbers below represent the effort required to gather evidence for just a single requirement at Vendorin: the periodic audit of user access and permissions. Although these numbers represent time savings for a single audit task, the trends they show are consistent for every task KCM was used for. The typical number of controls for PCI is 135. Some controls are shorter or simpler than others, but the average time savings you can expect for most audit-preparation activities is immense.
“I can’t speak highly enough about the level of personalized support that we found was provided by everyone on the KnowBe4 support team! The team at KnowBe4 is universally friendly, competent and responsive – you always get to speak with a real person when you call KnowBe4. And what’s more, they are not just sales people or software developers – most are actual certified security professionals who know what is needed to support your audit process.”
“When I first proposed that we consider using the KnowBe4 Compliance Manager, I faced some pushback because our current process was ‘working,’ and the system of emails, Excel sheets and network storage was ‘free.’ However, it only took a few months of using KCM before we realized the vast difference between merely ‘working’ and ‘working well.’ We are now free of the stressful and inefficient cycle of playing last-minute catch-up each time the next audit period rolls around.”
Michael Becce is a freelance writer covering the business impact of technology. He can be contacted at mbecce@techjournalists.com.