IT Security Regulations, Frameworks, and policyIQ

Organizations all over the globe follow information technology and data security guidelines to meet regulatory requirements, improve processes, strengthen security, and achieve other business objectives.

These IT security frameworks give us a common language that can be used by:

  • Internal stakeholders to evaluate controls in place within their own organization.
  • External auditors to evaluate and attest to controls in place within an organization.
  • Third parties (potential customers, investors, etc.) to evaluate the potential risks of partnering with an organization.

Because information technology impacts every area within an organization, it only makes sense that IT compliance is a process that needs constant attention and monitoring. Choosing a framework, following a set ofIT.jpg standards, and having a comprehensive internal controls monitoring program in place help organizations meet the needs of their various stakeholders.

We recently took a deep dive into regulations and frameworks that impact IT security, in our July training session, IT Security Compliance in policyIQ.

Some questions addressed in our training were:

  • What is the difference between regulations and frameworks?
  • What are some of the most common regulations impacting IT security? What are some of the most common frameworks?
  • Where can I access IT security frameworks?
  • How can policyIQ help to manage the IT compliance program?

We invite you to listen for yourself and to reach out to us today to see how policyIQ could benefit your organization with IT compliance!

Is anything more critical than the security of your data?

The security of your data – and that of your customers – poses arguably the biggest risk to businesses today, and is, therefore, the most critical compliance initiative that your company will undertake.  The stakes are high and the regulatory requirements can be vast.  And as more companies outsource tasks and utilize cloud services and infrastructure, the ability to control all of the aspects of data security becomes more difficult.

With all of the risk and complexity inherent in data security, the technology that you use to keep track of your compliance efforts should be simple.

itsecuritychalkboard

policyIQ serves as a great case study for policyIQ!

The policyIQ application has clients around the world who rely on the software, the team that supports the software, and the infrastructure on which the software resides to keep their data safe.  And the security compliance program for policyIQ involves many of the same complexities that our clients are managing:

  • Risk inherent in the storage of our own data, and even more critically in the management of our clients’ data
  • Distributed responsibility for critical aspects of IT security
    • RGP, our corporate parent, is responsible for things like employee background checks and HR functions;
    • We utilize Amazon Web Services (AWS) as our hosting partner, and rely on their IT security program to provide physical and environmental security for our data center.
  • Multiple IT and data security requirements, including…
    • SOC 2
    • SOX
    • GDPR

To keep our own commitments to data security, we utilize policyIQ to capture our IT policies, controls, action items, and audit trails.

With our own implementation of policyIQ, we are able to follow the SOC 2 framework and link our controls to the related requirements.  Controls are designated as being performed by our policyIQ division, RGP Corporate, or our AWS partner, allowing any team member to more quickly reach the right resource with questions or clarifications.

When it comes time for an external security audit, we can prepare evidence in advance of the on-site audit based, pull out policy documents to meet the audit requests, and document any follow-ups or recommended action items provided by our auditors to further enhance our security program.

Join us on Monday, July 8th at 1 PM ET / 10 AM PT for our CPE event on IT Security Compliance in policyIQ, where we’ll dig deeper into policyIQ as a case study for policyIQ – and take a look at other frameworks and resources that your organization might utilize for your security compliance!

And look for more blog posts through the month of July that highlight IT and data security compliance in policyIQ.

Happy Memorial Day!

Wishing a beautiful Memorial Day weekend to all the friends of the policyIQ community! While we remember and honor those who have fallen in service to our country, we also thank those veterans and active service members for all that you have and continue to do for us.

Memorial Day_WP

The policyIQ Team

Are your contracts in order? Your time, reputation, and revenue are at stake.

When organizations think about governance, risk, and compliance initiatives, managing contracts is not typically the first thing they think about.  However a contract is, by its nature, a governance tool that is designed to mitigate risk.

In a recent webinar, we explored the challenges and risks of poor contract management, and outlined best practices for effective contract administration that can be implemented by organizations of any size.  Watch the recording of our webinar for the full story, or keep reading to see the highlights!

Do any of these sound familiar?

Whether we are helping organizations manage contracts from the buy side (contracts with vendors or suppliers) or from the sell side (contracts with their customers), there are some common challenges that organizations face.  Do any of these sound familiar?

  • We waste a lot of time tracking down contracts when we need them.
  • Contracts have renewed automatically before we had a chance to renegotiate the terms.
  • We received an invoice for a service that we weren’t using, but the contract continued to auto-renew.
  • We have been in non-compliance with a client contract due to a lack of communication around non-standard terms.
  • Our company has multiple service providers for similar services, because we were not aware of all of our existing contracts.
  • It seems like we’re always wasting time trying to remember who has to approve what and when.

 

timemoneyreputation2

What’s at risk with poor contract management?

Managing contracts well is good business.  Poor contract administration wastes time, damages your reputation, and impacts your bottom line.

Simply put:  Your time, reputation and money are at risk.

 

Seven contract management best practices for any size organization

Good contract management involves people, processes and technology – and we’ve outlined seven best practices that require all three.  The best practices below can be implemented by companies of any size – and policyIQ’s GRC platform can provide the technology you need!

goodcontractmanagement

  1. Central Repository
    Identify or procure a central location that can be accessed by the right people at the right time.  Cloud-based solutions are a great choice, as they offer accessibility from any location on a 24/7 schedule.
  2. Define & Capture Meta Data
    Identify key data, and capture those details within your repository.  Expiration or renewal dates, contract value, contact information, and details about non-standard terms can all be critical data points that will feed into…
  3. Key Reports & Metrics
    Use that meta data to create key reports and metrics that drive your business decisions.  When evaluating contract administration systems, validate your ability to customize the data captured, as well as the flexibility of reporting on that data.
  4. Robust Search
    Your central repository should provide a robust search, so that you can find contracts by key word or phrase, searching through all contract documents.
  5. Identify Contract Owner (outside of procurement!)
    Most organizations identify a contract owner, but often the internal contact is not the business user of the product or service.  Clearly identify, and maintain, the contact person for every vendor or supplier contract – and ensure that the contact knows and understands how those products or services are being used.
  6. Alerts and Reminders
    Don’t miss a deadline or allow a contract to renew without notification.  Be sure that you can set up alerts – via email or regular reporting – to let the right individuals know when contracts are up for review.
  7. Clear Procedures
    All of the technology in world is only as good as the procedures that are designed to ensure that it is used properly.  Create procedures that instruct your employees on the who, what and where of contract management – and keep that documentation accessible.

 

policyIQ can help!

pIQ_CMBP

Would you like to improve your contract management process to decrease risk?  Contact us today, and we’ll be happy to help you lay out a plan for the people, process, and – our specialty – the technology you need!

Let’s talk about the elephant in the room: heavy GRC technology.

RGP’s policyIQ team is seeing a lot of movement in the governance, risk, and compliance (GRC) technology market. Organizations are complaining of complex tools that are difficult and time consuming to implement. Many have expressed frustration and regret after investing several months—years, even—and tens to hundreds of thousands of dollars into the implementation of GRC platforms only to find they were still not producing the promised benefits. They struggled with finding the right time to cut the cord. Others tell tales of the constant perks in the flashy sales and marketing process that ended in crickets after they signed the dotted line—there was very little support to help them make the application do what they expected it to do. Some companies got up and running in a tool and later found it was very cumbersome to manage as business needs evolved.

Are you wrestling with heavy, cumbersome GRC Technology?

Many compliance officers, auditors, controllers, and IT directors have stories about how long they have tried to hang on and make it work.

It’s time.

It’s okay to say it out loud. There are other options that are easy to configure and customize for your team’s specific needs that don’t break the bank. Clients have raved about the flexibility of policyIQ and their ability to make adjustments in just a few moments when the business, market, or regulatory bodies call for it. They have praised the speed of deployment of policyIQ and return on investment that they observed almost immediately through improved effectiveness in meeting their objectives.

We understand if you’re feeling a little skeptical…

…after what you’ve experienced. Let us show you! We offer a 30-day free trial and are happy to show you YOUR data in the trial site as proof of concept before you buy.  You can spend time kicking the tires, so to speak, and working with your implementation expert and the policyIQ Support team.

P.S. The policyIQ Support team will be by your side for the long haul! We enjoy reviewing our team’s interactions with clients—we are prepared to tackle your tough business questions, to help you expand or adjust as needed, and we can’t help but celebrate the friendships we make serving our clients over time.

We are excited to partner with you, too! Contact us to start your free trial.

1 in 3 do not have a plan!

The policyIQ team recently hosted a webinar presented by GRC analyst, Michael Rasmussen, focused on how to drive employee engagement through effective policy management and communication. During the session, we asked the audience: “Does your organization have a policy communication plan?” Remarkably, one in three respondents answered, “no”.

In recent posts, we have drawn attention to the potential hazards of NOT keeping your employees informed, trained, and certified. No doubt, some companies have learned a multi-million-dollar lesson on why it is important to build out a policy communication plan. In case your organization can relate to the third of respondents who identified with not having a formal plan, we want to share some ideas on how you can get started crafting your plan and reducing legal exposure right away.

What is the risk?

1 in 3 respondents reported not having a formal policy communication plan in place.

Are you having a hard time figuring out how to prioritize your policy updates? Consider, first, how your policies are related to your risk environment and what practices you must have in place to protect the organization from the top down. Next, you may wish to focus on the policies and procedures that you have in place to safeguard your organization: security policies and procedures. The next area in need of attention, depending on your type of organization, may be documentation related to ensuring that product, process, or service quality is delivered. If you have a quality system in place, you likely already have associated documentation on a regular cadence of review.

How will you know that all of these practices are actually taking place and operating as designed? You could also prioritize the documentation and routine practice of monitoring, from an operations and financial perspective. Auditing your business and finance functions will go a long way to provide assurance that you have the right practices in place.  

Can your organization provide evidence that your house is in order?

Who is the audience?

Retail store managers, truck drivers, accounting and finance personnel, nurses, IT project managers—there is a seemingly infinite list of roles in the pool of potential policy and procedure audience members. Rather than drafting policies and simply publishing them for broad access or distribution on the company’s intranet, you may want to take a step back and consider more closely, again, the level of risk associated with the documentation. Starting with your areas of greatest exposure, which of your employee roles would be impacted by the absence of the policy or documentation? Pay particular attention to those roles that are directly tied to your high-risk areas and critical controls.

How will you reach them?

The question, here, may be two-fold: What level of assurance does the situation demand? What media is most accessible to the audience?

Policies related to hours-of-service limits for truck drivers and anti-bribery policies for employees working in high-risk geographies may be among your top priorities as it relates to communicating your organization’s values and practices, but they certainly do not have the same work environment or access to information. An important step in your communication plan is the consideration of the level of assurance that the situation demands. Simply publishing some policies may be enough, but for others, it will be critical that you capture a receipt of your employees’ review, their attestation that they understand and agree to follow your policies, and some may warrant training and certification evidencing the employees’ understanding of the critical values and practices.

Can your training materials for efficient and repeatable distribution when possible, but be sure to bring employees in for training on values and practices that are mission critical.

If you want to better ensure engagement by your employees, you may also wish to consider whether the content requires live and in-person training or if delivery to your employees’ mobile devices will be satisfactory. Getting into the flow of what your employees do and see every day is the best way to boost the likelihood that they will see and interact with your content.

Next steps:

RGP’s own policyIQ is an easy to setup and use SaaS platform that can be leveraged to author, manage and share policies, procedures, links to training materials, certifications, and other related documentation on an employee’s device-of-choice. Click here to learn more about our policy management solution or reach out to us, directly! We are happy to help you see your data in a free policyIQ trial site.

And if all of this still feels like a lot to consider, you may wish to reduce your organization’s exposure sooner than later by bringing in a subject matter expert to spearhead the effort. RGP’s professional consultants can help to assess your organization’s documentation and lead the effort to map out and implement the execution of your policy management program and communication plan. Click here to be put in touch with an expert in your area.


Again, special thanks to GRC 20/20’s Michael Rasmussen for sharing his expertise with our audience (and us, too!). If you are interested in learning more from Mr. Rasmussen, we encourage you to check out his website and, specifically, his “Policy Management by Design” white paper.

Can your organization provide evidence that your house is in order?

Actions by the U.S. Securities and Exchange Commission (SEC) have amounted to more than a billion dollars in disgorgement, fines and penalties every year for nearly two decades. On average, nearly a quarter of actions filed also included named individuals as defendants. What does it mean for your organization if one of your employees engages in illegal activity? Well, that depends. Can your organization provide evidence that your house is in order?

The executives who sleep well at night know that 1) they have policies in place, 2) they have and enforce a process to ensure policies and procedures are kept up to date, and 3) the organization has gone to great lengths to ensure that all employees and third-party agents of the company are aware of the policies and procedures.

Upon request, managers in their organizations can provide the latest policies, proof of maintenance, access to previous versions, a list of all changes including who made them and when, as well as evidence of employee notification and certification.

Employees in these organizations can also rely on their policy management systems to help them work more effectively and efficiently. Their policies and procedures are appropriately linked to related regulations, risks, controls, and principles, and they include ties to responsible parties, departments, relevant locations, and systems touched. If a new employee, system, or regulation is introduced, they can see who and what is impacted.

The most adept organizations have a broadly communicated philosophy regarding policy documentation and practices that provides a shared foundation for all divisions, departments, and regulatory management teams throughout the enterprise. They utilize a centrally accessible policy management platform that supports collaborative authoring and monitoring while also providing all employees with easy access to the latest approved versions.

How well have you been sleeping? Reach out to us and soon you can rest, too, knowing your house is in order: 412.263.3330.

What comes to mind when you hear “digital evidence”?

Who cares?

I mean, who actually has to care about digital evidence? Consider the audiences or different roles of people who need to produce or rely on digital evidence: management and business unit leaders; auditors; information management, technology, compliance, and security professionals; and the officers of your organization. We are producing unstructured data, much of it valuable, at a breakneck pace. Do you know who your producers of quality digital evidence are?

When I hear digital evidence, I think of the artifacts that may be considered digital evidence such as raw data, reports, signed documents, test results, specifications, and performance receipts. Documentation of activities that provide assurance, including procedures, work instructions, training sessions and materials, and attestations are also critical. Have you identified which practices and assurances are closest to your significant accounts, risks, and controls?

How do we wrap our arms around digital evidence?

There are systems and practices that provide the bookends for ensuring relevant and reliable results contributing to digital evidence such as systematic management and monitoring of workflow, milestones, deadlines, analyses, and remediations. Digital evidence also relies on the trail of bread crumbs that show who touched what and when including the audit trail of changes, versions, handoffs, and approvals. Without a central portal or system in place, it is plain to see, we cannot reliably manage digital evidence.

Are you taking advantage of all that policyIQ has to offer in these areas?

Alerts, dashboard notifications, and email generated systematically by RGP’s policyIQ helps employees know when work is required of them. The taxonomy of the digital content is configurable and can be subject to the information governance preferences of your organization with appropriate read, write, and approve rights established during initial configuration. policyIQ can provide an enforceable framework to manage contributions, the complete capture, monitoring, and reporting on critical documentation and evidence.

If your opportunity has more to do with the quality of your existing evidence or the need for corroborating evidence, RGP’s subject matter experts can help to assess your need and to fill any gaps identified. Right now—whether related to technology, process, quality, or completeness—make a note of some of those gaps or pain points that just crossed your mind. And then reach out to us: Information@policyIQ.com; 412-263-3330.

How to Transition from Manual to Automated Workflows

Tis the season for fresh starts!

Let us help you manage the development, hand-offs, review and approval of your GRC content more efficiently! Have you designated the parties responsible for updating your Process Narratives and Control documentation? Do you have a process defined for who captures testing details and who performs the final review of audits?

Have you mapped out hand-offs in your processes?

The workflow features in policyIQ support multiple levels of authoring, reviewing, and final approval by individuals or groups, such as one of two line staff or any of 3 auditors. These features allow you to institute your expectation for updates and hand-offs so that those actually responsible for performing various duties are prompted by the system to properly wrap up their work and to establish a defensible audit trail with appropriate documentation and evidence.

Is your team utilizing the Check-in/Check Out capability to collaborate with fellow contributors? Have you added external auditors and other stakeholders as Viewers on your documentation? Rest assured that Viewers will have Read-only access only after your content has completed your designated approval process.

Ensure greater communication, security, performance, and cost savings with automated workflows

We are standing by ready to talk through your options on how to transition from manual maintenance to automated workflows. It’s 2019! Time for a fresh start and more efficient and effective processes. Talk to you soon!

5 Simple Steps to GRC Technology Implementation

Whether for IT Security Compliance, Enterprise-wide Policy Management, Contract and Lease Administration, your organization’s GRC or Audit program, policyIQ can be up and running in 5 simple steps. Read on for more information and contact us to automate your initiative in Q1!

Step 1: Configuration
A policyIQ expert will assist you and/or your RGP Consultant to customize the design of the user interface in policyIQ for input of data, navigation, reporting, content and user security based on your input and feedback. Of course, we do not progress to step 2 until you, the client, approve of the configuration.

Step 2: Prepare data
RGP Consultant requests data from your team or organization, then scrubs provided data to help ensure completeness and accuracy. You give approval regarding the condition of the data before progressing to step 3.

5 Simple Steps to Go-Time!

Step 3: Populate
RGP Consultant populates approved data (import or authoring, depending on your needs) and subsequently validates the completeness of what is in the system to the approved data. The RGP Consultant will provide you with a walkthrough of your site and data for feedback and your approval.

Step 4: Refine (Reports, Dashboard, Planning for roll-out/training)
RGP Consultant demonstrates the policyIQ user interface using the populated data. You provide a live example of a transaction, and with your RGP Consultant’s side-by-side help, you drive the live example from input to reporting. Any additional configuration items identified during this process will be considered for further customization. You give the green light when you’re ready to go-live.

Step 5: Go live and train
Often there are a handful of “power users” who are expected to regularly participate in the process that is being automated using policyIQ. The RGP Consultant sits side-by-side with your power users, individually or as a group, to train on use of the software. Your power users will be directed to policyIQ’s written and recorded materials that you can leverage for your personalized procedural guide. Your RGP Consultant and the policyIQ support team are available onsite or remotely for any questions.

Our methodology your yours?
What initiatives or processes are you looking to digitize and manage more efficiently in 2019? Hit the ground running with RGP’s subject matter experts implementing our proven methodology in our technology or we can support your team to implement your methodology. What kind of support do you need? Contact us, information@policyIQ.com, and we’ll help you to get the ball rolling!