Best Practices for Staying Compliant

Most businesses do compliance training once a year. It consists of a series of slideshows followed by a quiz that must be passed in order to continue doing your job. These same businesses often do a yearly audit as well to verify that all facets of the business remain in compliance. The problem with both of these is that it’s far to infrequent. How can companies guarantee compliance? Everyone is most compliant on the day they are audited. What about the other 364?

Auditing more frequently than once a year is a positive step. But doing so can be a large undertaking depending on business size. It can be costly in both time and money. It’s a step in the right direction, but most businesses are not capable of doing monthly or even quarterly audits. So how can you ensure that your business remains in compliance?

There are two best practices businesses can employ to ensure year-round compliance. First, implement proper training practices, and second, start toll gating.

Annual training, testing and auditing is not enough. It’s not targeted enough, it’s basically giving the same training to everyone in the company whether it applies to them or not. While annual training and testing may be sufficient for those in certain positions, employees who are on the front lines and touching data on a regular basis should undergo training and testing on a quarterly basis, at minimum. This method keeps compliance in front of everyone, gives them a refresher and keeps them thinking about what they are doing to protect the company, clients and co-workers.

The second, and probably most effective, way to remain compliant is to implement toll gating. This isn’t a road block that prevents someone from doing their job, this is adding a small step that makes someone think before working with data. For example, a customer service rep gets a call. While on the call, the rep determines they need to pull certain sensitive data. They submit a request to their manager, who has a two minute SLA, to approve or disapprove the request. This step does not impact the rep’s ability to do their job, but it will make them stop and think about whether the information they are requesting is actually needed. Without this step, the rep could pull up sensitive data they might not need and risk exposing a customer’s information. With the step in place, the rep is more likely to try and solve the problem without contacting the manager, thus limiting exposure.

This example can also apply to coders. Many places don’t have code security review policies in place. But if a business pushes new code, a security review should be conducted as part of the process. If it doesn’t pass the security review, it reverts back to the coder to fix it before it ever hits the system. This will teach coders to code securely from the beginning as opposed to having to fix code that’s already been breached.

Compliance governing bodies generally put programs in place, because someone has done something bad. Compliance is generally a reaction, resulting in a law, a bill or a set of rules that must be followed or there are repercussions. Most businesses have their employees complete this training as part of onboarding and annually to “check a box”, but they do not take steps to ensure that compliance is followed throughout the year. The result is problems arise on the 364 days they aren’t under audit resulting in fines and fees accrued and customer data exposed. Implementing more frequent training and toll gating practices helps ensure businesses remain in compliance year-round.

About the Author

PWV Consultants is a boutique group of industry leaders and influencers from the digital tech, security and design industries that acts as trusted technical partners for many Fortune 500 companies, high-visibility startups, universities, defense agencies, and NGOs. Founded by 20-year software engineering veterans, who have founded or co-founder several companies. PWV experts act as a trusted advisors and mentors to numerous early stage startups, and have held the titles of software and software security executive, consultant and professor. PWV's expert consulting and advisory work spans several high impact industries in finance, media, medical tech, and defense contracting. PWV's founding experts also authored the highly influential precursor HAZL (jADE) programming language.

Contact us

Contact Us About Anything

Need Project Savers, Tech Debt Wranglers, Bleeding Edge Pushers?

Please drop us a note let us know how we can help. If you need help in a crunch make sure to mark your note as Urgent. If we can't help you solve your tech problem, we will help you find someone who can.

1350 Avenue of the Americas, New York City, NY