
VanRein Compliance Podcast
Learn how you can secure the future of your business with a clear plan to reduce your risk. We discuss all compliance and data security matters of SOC2, ISO27001, HIPAA, GDPR, CPRA, NYShield, Texas HB300, ISO27001, HiTRUST and include life stories as well. It's NOT just a boring BizCast. We also talk about our Family Business and how you can start your own Family Business that will reshape your future.
The Importance of Maintaining Your Compliance Program
The episode emphasizes the importance of maintaining a compliance program as an ongoing effort rather than a one-time task. It covers the evolving nature of regulations, risks of neglecting compliance, implementation best practices, and the critical role of vendor management.
• Compliance is an ongoing commitment, not a one-time task
• Regular audits and updated policies are crucial for effectiveness
• Employee training must be continuous to mitigate risks
• Neglecting compliance can result in severe financial and reputational damage
• Vendor management is essential to safeguarding sensitive data
• Technology can aid compliance efforts, but human oversight remains key
• Staying vigilant ensures preparedness for evolving legal requirements
Hello and welcome to the VanRein Compliance Podcast. I'm Rob, and I'm Dawn. Hey, and we're back, Dawn.
Dawn: It's been a bit.
Rob: It's been a bit. We've been a few months off. Been a minute, a little minute off from the holidays and the kickoff of the new year, and a lot of retooling within VanRein, but we're back to bring the people the pod. The pod, yes, the pod, there you go. Well, and we figured, you know what, what better way to kick off? Not only New Year's, we're coming into February, which is also Valentine's Day in a week and a half, Dawn. Just like, yes, it is.
Rob: I remember. But the key piece is really talking about the importance of maintaining your compliance program, because we're getting a lot of questions about, hey, why do I have to maintain it? And then I like to say, hey, why do you maintain your P&L? Why do you maintain your taxes? Because you need to.
Dawn: Or maintain your car.
Rob: Maintain your car, exactly. Oil change. Yeah, I don't understand that oil change thing, but yes, oil change, tires, washer fluid.
Dawn: That's my annual maintenance.
Rob: Today, Dawn and I want to unpack and dive into the importance of maintaining your compliance program, because compliance is not just a one and done. Right, Dawn?
Dawn: That is correct, and you may have seen our marketing that actually has been sent out in social emails. You may have gotten some information on maintaining your compliance program and what that means. So we have a great gentleman on our team that has been doing great at our marketing. So you probably have seen some of this, but we think it's really important to talk about.
Rob: Yep. Yep, definitely. So, you know, let's just kick right off. Talk about why compliance matters. You know, why does the maintenance matter? The first part is regulations.
Dawn: I can talk today. Regulations change consistently.
Rob: We know HIPAA has not really changed a lot, but how we audit has changed. So, as clients of ours, you know we're moving into live audits because we need to align basically our auditing from HIPAA into SOC, into ISO, into HITRUST. So you've got to actually provide evidence. That's a key piece. Dawn, why don't you talk about SOC and ISO? You know they're not static, so talk about how those have changed.
Dawn: Yeah, so, well, like HIPAA, HIPAA has been around for a while. SOC 2 hasn't had so much change lately, but ISO has. ISO 27001, we're now into the 2022 version of that. But you know, with those two compliance programs that our customers are moving into, those audits look a little bit different than HIPAA.
Dawn: It's not really the question-answer type of thing. It's more of a do you have, have you implemented? Show me, let me observe your encryption, your password complexity, all that kind of stuff. So, like Rob said, we're aligning HIPAA compliance to be more like this, because if you have answered yes or no in HIPAA, which is more of a yes-no questionnaire type of thing, or attestation rather, let's make sure we have this implemented, and you've got it implemented and you can show evidence of implementation, which is usually like a screenshot, or, if we're doing a live audit, just showing us, clicking around in your environment and showing us where you have these items implemented, like encryption, antivirus, firewall, that type of thing. So this is really important to do. We wanted to align with the other audits because that is where a lot of our customers are going, is going into a SOC 2 or an ISO compliance.
Rob: Yep, and the key, too, is policies. We're really good at showing evidence, but to really be great at compliance is showing the policies to adhere to and making sure that you've aligned your policies and procedures to the actual business. You have to implement it. We can audit, we can create, but we cannot implement.
Dawn: Yep. And speaking of implementation, Rob, we do have a brand new, we have launched brand new training this year, as our customers know. But we are launching a new compliance officer training module, and it is fantastic. I just viewed it last night, and it does have those outlines, a framework for how do we implement, because we get that question a lot: how do I implement these policies and procedures?
Rob: What policies?
Dawn: ...do I need my staff to attest to? And we tell you that in this training module. So this is going to be another key piece of maintaining your compliance and understanding what it means to implement, because anyone can say yes, no, maybe so, but where is the proof of implementation? And that is a big key piece.
Rob: Yep, because when you're audited from, I'm going to say, a local, state level, federal level, or a lawsuit, because we live in a litigious society, anybody can open a lawsuit on data breaches, data security incidents, and you have to provide your evidence, but not only evidence, but your implementation. And those security threats keep growing, as we know. They just continue to grow and basically impact the businesses. So those are the key pieces. Things are very sophisticated. We know that. We know the bad parties, right. We know Russia and China, and we know North Korea. That's how they make money, is through cyber attacks. So you've got to be vigilant in keeping those going.
Rob: Auditors expect continuous compliance. So, yes, when we come in and audit, we make sure and we verify: have you actually implemented, but also maintained it? So you know, when we come through and we have our managed compliance services, we meet monthly or quarterly. We keep tabs on everything. But if you are doing it yourself, or it's a SOC or ISO, you've got to maintain that, and you've got to show meeting minutes, right. You've got to show that you're actually doing what you say you're doing. You don't want to scramble at the last minute to fix things, or clean before mom or dad come home. You know that old, classic thing. So, yeah, what about the risk of neglecting compliance? Dawn, you know, if we just say, hey, we're good and we're done, we don't need to continue services, all of that, what's the risk there?
Dawn: Yeah, the risk is you put your policies away, you file them away, wherever they're filed, you just say, oh, we've done it, we've checked that box, and so let's just go about our business. Well then, something's happened, an incident occurred. I don't remember what to do. How do I do this? Where's the document? Oh my gosh, what do I do? What do I, you know?
Dawn: And so those are the things that come up that you have to constantly keep up on. Or, if you have an incident, that's not just maybe someone giving the wrong information out to the wrong customer, but it is more like we didn't check those network settings, or we didn't implement that security setting that we should have. And so then we've had an incident where someone got in and, you know, they accessed some sensitive data that they shouldn't have been in. And how did they get in? Oh, we didn't implement that.
Dawn: So, again, just saying yes, no, and attesting to things doesn't mean you've implemented them. And also action items of, maybe we don't have them implemented today, but we're going to have those action items for Q2. And so we need to track that we've actually implemented those items and that they actually have happened. We've tested it, it's active now, and we're tracking it. So it's all about tracking it and making sure that we are keeping up to date with our systems, or with your systems, rather. Either you're keeping up to date with it, and you are constantly improving and making those changes and documenting those changes.
Rob: Yep, yep. Yeah, even our HIPAA compliance fines of last year, I was just looking it up, something like 5 to 8 million in just fines, and they're still litigating a lot of those from Q4 of last year. So it has a real monetary value to that. That's definitely key. Data breaches and financial losses are always key. You know, every time you have a breach, you have an issue, you have a problem, it's going to put your name in the paper, or the virtual paper, right, and then it's going to just bring more lawsuits and have that financial loss, because if you're becoming outdated, you can't maintain your security, your compliance. You're going to lose to those financial losses, lawsuits, and permanent business closures. I've seen that a few times where people just have to close shop.
Dawn: Well, and also, if something happens, an incident or a breach happens, and you're being asked to provide policies, procedures, or your last risk assessment, and if you said, oh well, I did it once and I'm done, I did those back in 2005. That doesn't matter that you did it in 2005, because that was, you know, 20 years ago. It needs to be annually updated, annually updated, revised policies. Even if you don't have any revisions, it needs to have that revision date on there, that you've reviewed them and you've updated them, if anything needs to be updated, and that you've done that audit, that annual audit. And so that is the risk of just doing the one and done. And this is, however you do your assessment, on a platform, on a spreadsheet, however you do it, it needs to be documented, and it needs to be constantly updated on an annual basis.
Rob: Yep, or if there's any changes. Oh, that's a big change. We do have some customers that are changing platforms.
Dawn: Yeah, then you definitely need to have another audit.
Rob: Well, like another big change is the EU's June 1st: the AI regulatory requirements are going into place, becoming effective on the 1st of June. So if you're in AI platforms, ask if there's the ISO 42001 certificate. Do they have it? Do they not? Are they planning to get it? Stuff like that. All right, so what about, what's one of the best practices for keeping compliance up to date?
Rob: What do you like to do? What do you recommend? Compliance, Dawn?
Dawn: We need to review what your systems are, what you've implemented, what you have that is still an action item. Are you implementing now MFA or SSO? Yes, there are still companies that don't use it, that are still trying to implement it, or are in the process of it with some of their systems, things like that. So, have you gone fully remote now, or are you back in the office now? There's all these things that change. A big thing, Rob, this is a big thing lately, is companies don't want to pay for laptops, so bring your own device.
Dawn: This is a huge thing now. Bring your own device policies. Outlining that, and this is a big gap that we're seeing. Yeah, you need to advise your remote employees, whether they have a Mac or PC, doesn't matter what brand, whatever, they need to have certain things in place: antivirus, malware detection, things like that. They need to have things in place, automatic log off, things like that, because, and you need to tell them, and they need to sign off and attest that they have that on their PC.
Rob: Yeah, because also look at the liability for the client, from a company standpoint, right. They've got to sign off that, yeah, we've done everything, and if that employee doesn't do that, then, yeah, there's consequences.
Dawn: Yep, we have employed, we have a, sorry. We have customers that have moved to bring your own device, or we have the opposite of that. We have some customers that are saying we're going to buy everyone a laptop so they can...
Dawn: They can control that more, because they'll have, you know, a device, a system authorization app and MDM on there that they can push out, you know, updates. They can push out, you know, do lockout, stuff like that. But you know, it just depends on the business. So businesses change, and that's something that's a big one I've seen lately that's happened. Yeah, definitely.
Rob: Definitely. We run a hybrid at VanRein, so we have a hybrid approach where we have the majority of computers we provide, and we have a few folks that use their own, which is fine, and then they sign the BYOD policies. They sign their data security policy, they sign that they've got antivirus, and we verify that. We do, like, a live mini audit, make sure everything is enabled, and do that, because you have to document that you've done everything in your power to maintain current regulations and company operations and keep things secure.
Rob: And then training is always big. Train employees continuously. Train, train, train, train, train. So, like anybody in a leadership role, you have to be the chief repeating officer, so you're constantly having to tell people how to look for fraudulent emails, look for phishing emails, make sure your passwords are complex. Actually, you should not even know your passwords. There's a password manager, or tie that into your Apple or your Google keychain, right. Tie it in so then it's seamless, but you don't know those passwords or key pieces. I think you had just touched on our new training for compliance officers, which is probably going to come out next week from when we're recording this podcast, just in time for Valentine's Day. Right, making sure that their compliance officers are prepared to get questions, you know, to answer questions, but also, when they get the questionnaires from other clients, how to complete those security questionnaires legally and correctly. Those are big pieces too.
Dawn: Yeah, training is big. We're excited that we updated our training. All of our training has been updated for this year. We have, you know, our new regular HIPAA training. We have HIPAA for operators, for those customers that are answering services, and with, you know, scenarios in those. So someone can say, oh, I'm watching this video, oh yeah, that happened to me, or yes, I can see that happening. So we're very excited that we were able to update the training and that type of thing. So we are going to be updating it more on a regular basis. But the key is, employees, you know, they may need to take it a couple of times. They can certainly take it more than once, especially if an incident occurs and they forgot that they shouldn't be doing something. Train that employee again, make them take the module again.
Rob: And get your employees comfortable to come to you and say, I did something, you know. Like you tell your kiddos, I hope, hey, if you break something on a car, or you're running out of the house, or you break something internally, the microwave.
Dawn: I think they would know if you ran into the house.
Rob: Well, I hope so. But just, like, tell us, don't be shy. Just say, hey, I made a mistake, and then you can deal with it, because when things linger, it just gets worse and worse. We don't want the lingering. Yep, there's no lingering. Notification is big with HIPAA.
Dawn: Yep. Notification is big, yep.
Rob: Definitely. Now, third-party vendors is an area that we continue to push into. We know that third parties result in a majority, if not, well, a majority, I will say, of the large-scale breaches from just last year, spring, which was traced back to Snowflake, which is a large data platform that aggregates data and has thousands of plugins, if you will, or APIs, where they can share the data. Having that breach from a third party has elevated security and compliance, meaning now everybody's asking you to complete your security questionnaires. So you need to vet your vendors, whoever you use.
Rob: If it's a cloud platform, you know, from AWS or Azure or GCP or any of those, to your AI, if you're using Claude, which is Anthropic's AI, or ChatGPT, or using something from Gemini or 365, or your own vendors, you need to vet them. How are they conducting regular audits? How are they ensuring their maintained compliance? Do they have a SOC or ISO or HITRUST certificate or SOC examination? Making sure that they have those pieces, because that's key and that's critical, because their success is your success. If they have a breach, you have a breach. So always vet the vendors, right.
Dawn: Yep, and don't just wait until you're in the middle of a SOC 2 audit.
Rob: That doesn't happen.
Dawn: Yeah, it is something that has come out. Oh, I didn't know they didn't do that, or did do that. Or, you know, really know your vendors. You're entrusting your vendors with your customer data, so you should be on top of that and vetting them well, and not just, oh, I'm just going to use them because they're, you know. Make sure that they have the right security measures in place because, like Rob said, a lot of these third-party vendors are the ones that are breaching data. Make sure you've got, you know, what their contracts say, and you've got that, you understand how they're handling your data. That's a big part of it.
Rob: And today I get a lot of questions about how do we leverage AI, how do we leverage compliance and technology to deal with compliance and technology, right? There are tools. So we'll unpack this myth about GRC platforms. First of all, tools don't get you compliant. GRCs do not get you compliant. It's people that get you compliant. People can leverage AI, people can leverage the tools, but at the end of the day, it's the people that get you compliant.
Rob: And just last week we had two clients come to us from Drata, where they were sold, hey, the GRC platform will take care of you, and it'll be done, and it's easy. Until they figured out that they had to do the work, that they had to get the evidence, that they had to pull it together, that they had to hire a contractor, that they had to do this and that, where we package it up, and we know we have to show you and help you prepare for an audit, and then you have to show the evidence. That's the key. So there's a lot of great technology out there that will help package things up, that will help package reporting and everything up, but you still need folks. Right, Dawn?
Dawn: Yep, you still have to work through it. It's not going to, you know, automation, not everything's automated, not every system is available in these platforms, and it's a great tool. Great tool, great dashboards. We use a couple of great readiness tools to get you ready for a...
Dawn: SOC or ISO. It's really, really good. It explains a lot. It's very clear. It just gives you kind of the overview, but again, it's not automated. It's not like, oh, I'm just going to click and go. It's not that. You still have to go through each of the controls. So just know that they're great tools to use, but you have to, just, it's a tool, and it's not going to do it for you. Absolutely not.
Dawn: I think people think that they just pay a lot of money and it's going, and we walk you through that. Whatever tool, whichever one you want to use, we walk you through that, and some like the fancy tools, some don't. It just kind of depends on your business and how you work. So, but ultimately, compliance is all about documentation, implementation, and it's focusing on, you know, what you've done and what you've implemented already, what's on your to-do list, and making sure it's in line with federal guidelines, state. There's a lot of state privacy laws every year that are coming out. A lot of stuff, a lot of AI is going to be coming out. The EU has their AI policy regulation. We're coming out with them, too, here in the States. So it's just keeping track of all that and keeping on top of it and understanding what you need to do and how to make sure your business is adhering to those regulations.
Rob: So what would you say is, kind of packaging this up, what's the biggest mistake, Dawn, companies make when maintaining compliance, or thinking about it?
Dawn: Well, I think we just heard one today from a customer, is not implementing.
Dawn: It's basically going through the motions and taking care of the HIPAA compliance, just using HIPAA as an example, taking care of all the things, policies, procedures, but not actually implementing those policies and procedures within the team. Understanding that the team changed over, right, and so a lot of those team members didn't know because they're new. And so it's the implementation, the ongoing implementation. When you onboard your employees, them understanding that this information is confidential, this is how you handle this sensitive data, that type of thing. So it's really just the implementation, the ongoing implementation, and training the employees, so everyone knows what they need to be doing with this sensitive data. So I think, you know, it's one thing to just go through the audit, but it's a whole other thing to implement and maintain, and I think that's what we find, is that it hasn't been implemented.
Rob: Yeah, I think the thing is the thinking. It's a one-time project, a one and done, and it's not. You know, all of these frameworks that we've talked about today, it is all ongoing. It is not a one and done. Every year you come back and you pay the same amount, because it's the same amount of work to maintain what you've built. And you have to continually maintain that car, like you mentioned. Change the oil, take care of the tires and wipers and fluids and all that. You have to maintain that compliance car, because it's not a one-time project. It's not a one and done, because once you feel like you've checked the box, the next day is when you're going to have that breach. The next day is you're going to have a lawsuit from someone that states that you've impacted their data privacy or security, or an employee that made a mistake, because maybe they weren't trained correctly, or you didn't educate them how to handle that data correctly. So those are the key pieces, those are really the big key pieces. Yep, yep.
Rob: So what do you think? Some of the key takeaways. We always like to give listeners some action items, right. So a couple of the action items that I came up with: first of all, you've got to stay proactive. You've got to have someone on your team that is a compliance officer, that partners well with companies like ours, or even legal counsel or leadership, that says, hey, what's our space? Where do we have the data? What certifications do we need to maintain? What are our legal obligations or requirements, and how do we do that? What are a couple other key takeaways, Dawn, from this week's podcast?
Dawn: Just keeping, you know, I think, just having a compliance partner in general, because we're the ones that keep up with the regulations. HIPAA hasn't changed in 30 years, honestly, but it's still one of the really only regulated and required regulations. SOC 2 and ISO, not required.
Dawn: Now it may be required by your customer, that you get that to keep the business, but that's a whole nother thing. So, but just, you know, we are the ones that keep up with the state and the regulations, making sure that you have things in place. So keeping up with that, being proactive, and that type of thing. The other thing is really, I think, another big thing, sorry, is just the vendor vetting, making sure your vendors have compliance top of mind, that they are securing your data.
Dawn: It's, yeah, we've heard a lot of bad things, and that's another one.
Dawn: So, yeah, so vendor vetting, I think. So vendor vetting, and just making sure that you've got a good compliance partner and your compliance officer. You know, you may have a big enough team at your company that they are doing these things, that they are doing the implementation and keeping up with it. So that's great. So that compliance officer, and that they're just, you know, they're implementing what they can, but then we help them with the additional items and that type of thing that they need to do.
Rob: Yep, those are key pieces. Those are very key pieces. And I think the last piece is just make sure you're in it for the long haul. This is a long-term compliance project. Once you start, it's like taxes. It comes every year. You're going to file, you're going to file your extension, whatever you're going to do, it is the same. It's just as important when companies go to acquire other companies or do any M&A activities. They're always good about looking at the P&Ls, but are you actually looking at your compliance risks? How much risk are you going to absorb? What are you going to do, and do that? So I think those are the key pieces: making sure you stay proactive on your compliance programs. Don't let things just sit there, right. You've got to maintain it. It's not a one and done, and then plan for the long game. That's the key.
Dawn: You've got to keep going, and...
Rob: What that does, then, is it makes your whole company, as an organization, think about compliance before you buy software, before you hire someone, before you do a remodel in the office, before you add 20 people, and all that, a lot of different changes like that. So those are some of the key pieces.
Rob: So, well, good. Well, I hope everybody and anybody has found this helpful. I'm going to ask you just something from Dawn and I, is just share. Just share it on your social, just like and subscribe. Give us some comments. We love to read the comments. We only grow because of you. There's no marketing, there's no ads, there's no nothing. It's Dawn and Rob and the team here, the great team here at VanRein, that continues to grow. So if you like it, like it. If you don't like it, let me know. Just don't put it there in the star ratings, because, like mom always said, if you can't say anything nice, don't say it. But if you want, I'd love constructive feedback. Give me, you know, put something in there.
Dawn: We'll chat about it, right. And thank you for welcoming us back. We were probably a little rusty. It's been a bit, but we are excited to keep this going and to be talking with you and talking about compliance, because that's what we do.
Rob: That's it. That's who we are. Alrighty, Dawn, that's a wrap.
Dawn: That's a wrap, that's a wrap. All right, take care. Bye.