Improving IT compliance in an hour is impossible!
There’s some truth to that, but let’s stretch ourselves to find faster solutions. You’ll find a few different ways to improve your compliance program in less than an hour. It’s a choose-your-adventure approach to improving compliance. Whether you’re a manager or front line compliance professional, we have resources for you.
- Self Assess Your IT Compliance Knowledge and Find Improvement Opportunities
Knowing is half the battle; in the fast-moving world of IT and compliance, it might be two-thirds of the battle. These self-assessment questions will help you identify gaps in your knowledge base.
- IT compliance concepts: Do you have an understanding of the frameworks and strategies used in IT compliance? For instance, your organization might use identity management standards or general IT standards such as ITIL to guide your work.
- IT compliance tools: What’s your experience accessing data and designing controls in compliance tools such as Compliance Auditor?
- IT compliance leadership: Ordering people to complete IT compliance activities isn’t sustainable. Ask yourself whether you have the relationships and skills to promote IT compliance activities throughout the organization.
Based on this self-assessment process, make some decisions about what you’ll do next. We suggest planning one action you can complete in the next 24 hours. It could be attending a compliance software demo, meeting with your manager to discuss leadership, or scheduling an hour to review ITIL.
If you think your skills and knowledge are already sharp, there’s another way to improve IT compliance. Go out there and collect some evidence!
- Design an IT Compliance Check on a High-risk System
IT compliance is like bathing, meaning you need to do it regularly to get the benefits. One of the best ways to improve IT compliance is to run an IT compliance check on your systems. Now, we know what you’re thinking: we have dozens of applications, so how can we possibly choose the right system to focus on? For purposes of this one-hour program, keep it simple. Brainstorm a list of 10 critical enterprise systems and then choose the one that you know the least about to test for IT compliance.
In an hour, you may not be able to carry out a full IT compliance check, but you’ll have time available to design your approach. To guide you in building your IT compliance check, take note of the following factors:
- Staff support: Do you have anyone else you can work with on this IT compliance test? At a minimum, you’ll need the application owner to assist you.
- Timing: You want to minimize disruption to business operations when you conduct an IT compliance test. Ask the people and managers who depend upon the application for suggestions on the right time to test. For example, avoid testing finance and accounting applications near any important deadlines for finance.
- Identify compliance controls to test: You may not be able to test all controls at once, so focus on a few critical IT compliance controls. We recommend starting with access controls. If access controls are weak, your data is more likely to be corrupted or misused.
- Brainstorm an interview list: Sitting at your computer all day isn’t enough to test IT compliance controls; you need to get out and talk to people. Plan to interview at least one business user and one IT user to gain an understanding of IT controls.
Resource: Are you in the financial services industry? If so, check out our past article: “Access Governance For Financial Companies.”
In the course of carrying out IT compliance interviews, you may find gaps in your staff’s knowledge or coverage. In that case, the next option on the list applies.
- For Managers: Identify IT Compliance Cross Training Opportunities
What happens to your organization if only one person understands IT compliance? You’re at risk if that person leaves, and responding to audits will be difficult. To avoid this problem, we recommend organizing a one-hour meeting to plan IT compliance cross training.
To make the most of the meeting, plan your agenda:
- Invite list: In addition to your current IT compliance specialist, invite one or two other people who might be interested in developing these skills. Consider inviting auditors, risk specialists, and compliance analysts.
- Reflect on professional goals: For cross training to succeed, each person needs to see value in it. For the “mentor” (i.e., the IT compliance specialist), he or she gains the opportunity to teach and mentor others, which is a good way to develop management skills. The learners gain a broader understanding of risk and control.
- Set cross training goals: During the cross training planning meeting, encourage the learner or learners to set goals. For example, ask them to observe one cycle of IT compliance tests and then perform a cycle on their own.
The final way to quickly improve IT compliance performance is to leverage insights from your auditors.
- Discover IT Compliance Issues from Your Auditors
Does your organization have an internal audit department or regular security reviews? If so, listen up.
Nobody likes to receive audit findings; they’re embarrassing and often take serious effort to address. How do you improve your chances of getting a clean audit report? Use your internal network!
- Call your contacts in internal audit: Think back to your last internal audit. Who was the lead person you dealt with? Get in touch with that person and ask what trends exist in IT audit across the organization.
- Ask other managers: Suppose you don’t have any contacts in the audit group. As an alternative, meet with a few other managers to ask what they have experienced from IT compliance reviews. Focus your efforts on managers who oversee important company systems with customer and financial information.
What’s Next to Improve IT Compliance?
You can make a great deal of progress by focusing on IT compliance issues for an hour, but there are limits to what you can achieve with a “quick hits” approach. For instance, you may find out that your organization depends on manual processes to carry out IT compliance testing. To put an end to that problem, get Compliance Auditor.