SOP Culture: How To Generate Scheduled Security Compliance Reports

Do you currently provide security guidance as part of your practice? You should; it’s a valuable service for clients, and can also offer a number of benefits to you as their IT firm as well. However, it can be a complicated process that yields poor results if it’s not done right. Brainlink would like to show you how.

We start our security compliance guidance with a roadmap, which includes a company overview of the work we’ve performed for the client since the last meeting, major accomplishments, etc. It also includes a section on servers, workstations, storage, any urgent notices, and anything else that absolutely need to be brought up with the client in the meeting. This helps to keep the meeting on track.

The roadmap addresses antivirus policies, backup and disaster recovery policies, email security policies, firewall, mobile device, network access, network maintenance, password, and physical access policies. This applies every security compliance regulation Brainlink has ever studied, including:

• HIPAA / HITECH
• PCI-DSS
• SEC OCIE
• State Data breach laws
• ISO 27001

So what does a roadmap look like? For example, a Brainlink antivirus (AV) policy would ensure compliance in the clients’ staff by addressing the following points:

• Staff members agree and understand that they’re not supposed to disable or hinder AV.
• Staff members know how to recognize symptoms of malware in the computers.
• Staff members have been trained and are aware of safe email and browsing habits.
• We install AV in every computer, all of which are monitored by IT staff.
• Staff members have been trained and they’ve agreed to comply with these policies. Failure to comply results in instant termination.
• We require that AV software accepts automatic updates from the vendor.
• Staff members have been trained and agree that they will notify the rest of the team when they have an infection.
• We are testing AV only on select mobile devices.

So this is how we give our clients the tool. We hold our clients accountable, and we give them a tool to go talk to their management and their staff about so that the entire business can review it and further ensure their compliance.

What Are The Keys To Developing Scheduled Security Compliance Reports?

• Creating this report takes CIO time (which is why you have the vCIO portion of your agreements in the first place). This is not something you’re going to delegate to a novice; this should be done by you or somebody senior in your organization who knows the client and has a good rapport with them.
• Data is pulled from tools, client interviews, and client concerns. That’s why knowing the client is important. It’s vital that you talk to the entire client staff, from the receptionist to the CEO. Ask friendly questions, and find out everything you can.
• Scheduled security compliance reports are a great way to ensure you and your staff knows what the client’s security posture is in the first place. As a separately billed service (don’t give it away for free, or they’ll expect it for life), it both becomes your responsibility and allows you to improve security in their business.
• Do not feel obliged to pay any amount of fines or penalties on the client’s behalf if they fail an audit. Be upfront and clear about this with the client. Think about it this way: Does your doctor offer to pay the first thousands of dollars of your medical bill if you fail a medical test, or suffer a heart attack?
• Standard Operating Procedure (SOP) Culture can turn this all into a simple, step-by-step process. We use SOPs, runbooks, and documentation to avoid assumptions, confusion, and unexpected consequences.

What is SOP Culture?

SOPs are your way to document any given process in your business’ operation, from macro tasks like budget development, to daily rudimentary duties like sales pitches. By documenting every single possible aspect of your business, you develop a culture of SOPs that will minimize your time and money invested in a given action, and maximize the quality, and therefore, profit.

The SOPCulture SOP Library Can Be Yours!

Interested the licensing? Current pricing is available at http://sopculture.wpengine.com/pricing/

There is a one-time fee for one-time setup, which includes:

• Setup of your Confluence server (on your equipment or ours)
• Three years of run book plugins
• Three years of semi-annual upgrades to your library
• Access to future SOPs (we are increasing licensing rates every quarter)
• The means to build your own SOP culture!

In the end, generating scheduled security compliance reports will help you avoid confusion with your clients. How many times have you and your client had a meeting where the two of you came to completely different conclusions while looking at the same data? With a clearly developed resource, you and your client can ensure you’re both on the same page.

To see how SOP Culture and scheduled security compliance reporting can help your clients and your team, get in touch with Brainlink today by calling 917-685-7731 or emailing raj@brainlink.com.