A Business Technology Place

Getting rid of the compliance mindset

To follow, or not to follow the rules.

Have you noticed that following established rules is a paradox of behavior? In some settings we admonish employees when they don’t follow procedures and rules. We write manuals of standard procedures so that experiences and output are consistent, and when someone skips the standard procedure and the outcome is wrong, they are reminded of the procedure and possibly disciplined for it. Yet in other settings we applaud and recognize those who think beyond the rules to discover and create new things. Apple’s Think Different campaign, Bill Gates dropping out of Harvard, and Michael Dell dropping out of the University of Texas are examples of people who didn’t follow the prescribed rules of society but were later recognized as genius path makers.

In the modern office there are entire departments devoted to compliance, enforcing rules, regulations, and requirements. This translates into mounds of extra paperwork and procedures, much of which adds no value for the customer. Being honest, I’ve always taken a deep breath when the word compliance was mentioned. Wait for it…

The biggest problem with compliance is when we treat it as a box to check. If we stop to think about the rule or the compliance control behind it, we might just see possibilities to improve our service or our organizational stability. But it’s tough to get beyond the mask of compliance rules.

Checking a box.

In our most recent employee survey results, there were many write-in responses that questioned the value of visual management boards. Those employees were frustrated because they found the process of keeping information up to date on the board a waste of time. They saw the entire process as mere compliance. Someone was checking a box.

In another example, my department didn’t follow the procedure for keeping ticket history updated so that the customer stays informed. Updating tickets in a timely manner is an expected standard. But when the act is seen as compliance rather than understood as a value-add communication vehicle, team members don’t do it. When a standard is interpreted as “checking a box” rather than understood in terms of its ‘why’, the activity is rarely done.

Ask the right questions.

I find myself falling into the compliance trap when I audit our visual management board for department adherence to standards. It’s easy to get into the mindset of completing the task so I can mark the audit complete. I generate a score, publish it, and forget about it until the next week.

But that mindset misses the opportunity to work ‘on’ the business rather than ‘in’ the business. The reality is that if the team standards are set with a meaningful purpose, to eliminate waste and add value to the team, then the compliance audit of those standards is the ‘check’ in a Plan-Do-Check-Act cycle. A proper audit (check) also produces countermeasures for the ‘act’ step. A proper audit digs past the standard or compliance control. It seeks to understand the flow of work through the department. It identifies opportunities to improve.

I think of all this as a battle between compliance and engagement. If I want mere compliance, then I’ll find limited value in the time spent auditing and will continue to be consumed with non-compliant behaviors. If I ask ‘why’ and seek to understand the behaviors behind the compliance requirements, then I may just find myself called a rule-breaker. If breaking the rules leads to continuous improvement, then sign me up.

Onward and Upward!

 

The data we see

What we see

When I was an intern in college I worked as a desktop service technician for computer support. I remember an internal financial auditor on the fourth floor of my building whom I would occasionally help. Reese was much older than me, but he took time to talk to me about life as I fixed his computer. I wish I had appreciated it more at the time, but I was young and learning my way in a corporate environment. I thought about him recently because the world of auditing and compliance is changing rapidly in the areas of security and availability of data. While Reese was making sure our company followed GAAP for our financial books, I wonder what he would think about compliance controls for information security.

Our news feeds are filled with incidents, thefts, and breaches of company assets involving personal and protected information. A whole new generation of auditors is here to check compliance with controls for how we protect data like credit card numbers, health records, and education records. Identity thieves and hackers have created a gold rush in recent years to steal bits of data that, when assembled correctly, tell them about you and me. Digital gold.

What we do with it

Today, I have to answer the auditor’s questions about the controls in the audit. Unlike my time with Reese, I’m no longer the nice break and chit-chat in the auditor’s day. When I am answering an audit, I often try to really understand the basis of a control, or, as I put it, the “spirit” of what the control is trying to achieve (auditors don’t always like this; they’re often a bit stiff).

But here’s my take. The essential question behind the myriad of compliance controls is “what do we do with, and how do we protect, the data we see in our jobs?” The intention of the controls is to modify our behavior so that we take greater care of the data we see. To do that we have to treat the data we see the way we would treat our own personal accounts. That means we have to consider who has access to the data. We have to consider the classification of the data we see (confidential, private, restricted, public, etc.) and take action to protect it both in storage and in transit.

Thieves rely on our preference for convenience to be successful. Restricting access to data in storage and in transit is rarely convenient. It requires us to think, classify, and take action. It could mean we need to password-protect a file (and send the password by a separate channel, not in the same email as the file), use a secure site for sending a file to a customer, or check to make sure the network folder is only accessible to people in our immediate workgroup. But it doesn’t stop there; sometimes we need to challenge people asking for information. Tailgating and phishing work because it is uncomfortable for us to challenge people.

Behaviors worth changing

One thing is certain. We are stewards of the data we see each day. Our customers expect us to treat their data with the same confidentiality and care as if it were our own personal data. Forming good habits in data security is worth a little bit of hassle. So here are some practical steps I can offer to help us be better stewards of the data we see each day at work:

  • Take the annual Information Security Awareness training seriously. Much of the information will repeat each year, but it serves as reinforcement of good habits and of the tactics thieves use.
  • Be cognizant of the data we handle. Classify the data and treat it accordingly. This may mean marking the data classification on documents, storing data in secure places, or using an encrypted channel when transferring data to others.
  • Challenge others who ask for access to data. Make sure they truly need access to the data to complete their assigned job function, and that they need no more than that. Make sure they understand the classification of the data.

It’s rarely convenient. But it’s worth the effort.

Onward and upward!

Photo credit: Robert Couse-Baker via creative commons

How to use SharePoint to create audit trails

Show me the evidence.

I think auditors chuckle inside when they say “show me the evidence.” It’s part of their craft to seek and inspect. Over the past several years I’ve been giving documentation and evidence to auditors for various IT controls. With regard to policies, procedures, and standard practices, auditors want to see more than a one-time piece of evidence. They want proof that the behavior is happening on a regular basis. It’s the classic audit trail.

SharePoint – Love it. Hate it.

I’ve had my moments with SharePoint on a few items related to workflow. But one valuable attribute I’ve found in the tool is the ability to version documents and lists. That capability creates a ready-made audit trail and evidence of repeated activity.

Example 1 – Annual Policy Updates

I keep version information in two places for policy documents. The first is the document header. It shows the effective date of the policy, the last review date, and a version number. You can do this part without SharePoint.

 

 

The second place is the SharePoint version of the document itself. First make sure that versioning is turned on for the document library (a one-time setup). Go to the library settings and select Versioning settings. Then fill in the specifics for how you want versions to be incremented and how many versions to keep. Keep enough versions to cover the period an auditor will ask about; a retention limit that is too low silently discards the history you intend to show.

 

 

Each time I edit a document I use the check-out for editing feature. Then I apply my changes, and when I check the document back in, SharePoint prompts for a summary of the updates. Each time this happens a new version of the document is created and logged, along with the comment.

 

To see the previous versions and their comments, select Version History from the document’s context menu.

 

Example 2 – Production Change Updates

I use a SharePoint list to track requests and approvals for production changes. As with documents, make sure the list has version control turned on by going to the list settings and enabling versioning.

 

The version history for a list shows the date of each update and which specific fields were changed. It also keeps the name of the person who made the change (redacted in my example), which is exactly what an auditor wants when the control is “changes are approved before release.”
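The two examples above are done through the SharePoint web UI, which is fine for one library or one list. When an auditor asks for the same evidence across a whole site, it is quicker to script the check. The following PnP PowerShell script is an added example, not part of the original post: it reports which libraries and lists have versioning turned off or keep too few versions, turns versioning on where it is missing, and exports the version history of one policy document and one change-request item as CSV evidence. It assumes the PnP.PowerShell module is installed and that the account used can read and change list settings; the site URL, library and list names, file path, item id, and the retention threshold of 50 versions are placeholders to replace with your own.

```powershell
# Added example (not from the original post): audit and evidence script
# for SharePoint versioning using PnP PowerShell.
# Assumptions: PnP.PowerShell is installed (Install-Module PnP.PowerShell),
# the signed-in account can read and edit list settings, and the site URL,
# list names, document path, item id and thresholds below are placeholders.

Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/it-governance" -Interactive

# 1. Inventory: for every visible library and list, is versioning on and
#    how many major versions are retained? MajorVersionLimit of 0 means
#    "no limit" in SharePoint.
$lists = Get-PnPList -Includes EnableVersioning, MajorVersionLimit, BaseType, Hidden |
    Where-Object { -not $_.Hidden }

$minVersions = 50   # placeholder: how much history the audit period needs

$report = foreach ($l in $lists) {
    $finding = if (-not $l.EnableVersioning) {
        'NO VERSIONING'
    } elseif ($l.MajorVersionLimit -gt 0 -and $l.MajorVersionLimit -lt $minVersions) {
        'LOW RETENTION'
    } else {
        'OK'
    }
    [pscustomobject]@{
        Title        = $l.Title
        Type         = $l.BaseType        # DocumentLibrary or GenericList
        Versioning   = $l.EnableVersioning
        VersionsKept = $l.MajorVersionLimit
        Finding      = $finding
    }
}
$report | Format-Table -AutoSize

# 2. Remediate: the one-time setup the post describes doing by hand under
#    Library settings > Versioning settings, applied to every library or
#    list that currently has no versioning at all.
foreach ($r in $report | Where-Object { $_.Finding -eq 'NO VERSIONING' }) {
    Set-PnPList -Identity $r.Title -EnableVersioning $true -MajorVersions 100
}

# 3. Evidence for Example 1: every version of one policy document together
#    with the check-in comment entered when it was checked back in.
Get-PnPFileVersion -Url "/sites/it-governance/Policies/Access-Control-Policy.docx" |
    Select-Object VersionLabel, Created, CheckInComment |
    Export-Csv -Path .\policy-version-history.csv -NoTypeInformation

# 4. Evidence for Example 2: the field-level history of one change-request
#    list item. The Editor value is assumed to come back as a lookup value
#    whose LookupValue is the display name of the person who saved it.
Get-PnPListItemVersion -List "Production Changes" -Identity 42 |
    Select-Object VersionLabel, Created,
        @{ Name = 'Editor'; Expression = { $_.FieldValues['Editor'].LookupValue } } |
    Export-Csv -Path .\change-42-version-history.csv -NoTypeInformation
```

Run the inventory step alone first and review the report before letting the remediation loop change anything; the script enables versioning only where it is completely off and leaves existing limits untouched, so a library flagged LOW RETENTION still needs a deliberate decision about how much history to keep.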

 

 

This is a simple way to keep a history of policies, procedures, and changes. Having it available and ready to show an auditor makes the audit process a little easier. One caveat: version history is only as trustworthy as the permissions around it. Anyone who holds the Delete Versions permission on the library or list can erase past versions, so restrict that permission to the people who own the control, and do not rely on a history that the person being audited could quietly rewrite.

Onward and upward!