VanRein Compliance Podcast

Tabletops, AI Governance And Real Resilience

Rob & Dawn Van Buskirk


We roll out two new services—tabletop exercises and AI and automation governance—and dig deep into why tabletop drills prove readiness, resilience, and audit defensibility. From foundational policy walk‑throughs to enterprise war rooms, we map maturity levels and show how to turn SOPs into real action.

• what auditors expect from tabletop evidence 
• foundational awareness, roles and policy validation 
• ops drills that test detect, contain and recover 
• executive crisis decision‑making and communications 
• DR and BCP validation across cloud and on‑prem 
• RTO and RPO targets, failover and manual workarounds 
• audit defensibility, documentation and remediation plans 
• cross‑functional alignment across HR, legal, IT and dev 
• threat‑informed scenarios, red and blue team perspectives 
• after‑action reports with owners and timelines 
• annual cycles that raise difficulty and close gaps

“If you got an email from me, there’s also a coupon. So we offer 15% off a tabletop. Respond to my email or just reach out to us and we’ll schedule a time.”
“For the folks that aren’t clients, there’ll be more details down in the notes… or hello at vanreincompliance.com.”
“Like or subscribe, it gets us into more people’s feeds.”




Rob:

Welcome to February, Dawn. We're already here. Can you believe it?

Dawn:

Happy Valentine's Day.

Rob:

Happy Valentine, right to it. Happy Valentine's Day. Well, are you gonna be my Valentine this year?

Dawn:

Yes. Chocolate and flowers and smelly stuff. Yeah, we like smelly stuff.

Rob:

We like stuff like that. That's good stuff. Yes. Well, besides flowers and smelly stuff and chocolates, we also like new products. So this month here at VanRein, we're offering two new products.

Speaker:

Welcome to the VanRein Compliance Podcast with Rob and Dawn. We help growing teams reduce risk, build trust, and stay audit ready without the overwhelm.

Rob:

Tabletop exercises, which we're gonna unpack and dive into deeper today. And the other one is our AI and automation governance, which we're gonna talk about over the coming weeks with some guest speakers and an interview with Benny, our lead auditor here at VanRein. So, two very exciting offerings for our clients to actually show that they are ready, they are proven, they are resilient in their compliance and security, and how are we governing AI? Because we know the bots are out there. There's a lot of bots right now, right? We've got the Claude bots, we've got the Molt bots, we've got all kinds of bots. So with all the different bots, it's like, how do we guide those? We're gonna dive into those a little bit later in the governance podcast. But for this week's pod, besides Valentine's Day, Dawn, it's tabletop exercises. So let's walk through what a tabletop exercise is and why our listeners should care about that.

Dawn:

Well, they should care about it because it is a requirement pretty much with every compliance program you do, HIPAA included. So an auditor is gonna ask you, have you done one? And someone's gonna say, well, I don't know, what is it? Do I just sit down and answer some questions, or what do we do here? It varies depending on the organization. Some large organizations do some very detailed ones where it's multiple days, which I think, Rob, you have done way back when in the corporate world. But they can be very simple as well. It kind of depends on what the scope is. Maybe you're being asked to do a certain exercise by a customer or by a compliance program. But really, a tabletop has lots of pieces involved in it. And it also depends on the maturity level of your organization. So we can go ahead and break down some of these offerings if you want. Rob, what do you think?

Rob:

Yeah, I think we should walk through, because what we do is we focus on your level of maturity, right? So it's like if you're five years old or 25 years old, or 25 to 50, or 50 to 80. We rank the maturity level of the clients we work with and their organizations so that we can best fit and right-size the solution to their business. So we first start out with maturity level zero to two. These are the foundational exercises, where we're really focusing on awareness and orientation and policy and plan walkthroughs. Those are the first things we look at. Awareness and orientation in the foundational tabletop exercise is really looking at roles, reporting paths, and workforce awareness and training, kind of the basics: what do we do when something happens? How do we dive in when there is a disaster or a problem? And then the other piece is policy and plan validation. This is a big one with incident response plans, disaster recovery plans, BCP plans. These are low to medium lifts, low effort. They usually take one to three weeks, and maybe anywhere from four to ten hours of time. Really a low level, basic understanding within the business and the environment, to understand what your maturity level is and the risks in your policies and your awareness of your orientation and organization. And then we move into that maturity level two or three, Dawn. You can walk us through that: the operational and leadership exercise. This is kind of a fun one.

Dawn:

Yeah. These may involve interviews of your leadership team, your security team, that type of thing. So this is more operational, tactical. We're gonna test under pressure: detect, contain, recover, things like that. This could even be where you shut something down. Maybe you shut a server down. A lot of folks have a test environment; well, they shut it down and see if it comes back up. That can be pretty intense. And then alongside that, there is executive crisis management. This is where you test your leadership decision-making. What we have on the SOP, is that really what is happening? Is that really how we can resolve this? So it also helps you validate: we have these steps down, this is what we're supposed to do, these are the decisions we need to make because of this. Are these right? And it could change year to year. That's why it's really important to do these annually. But this is more intense. This is not just, we've got something on paper, let's pretend this is happening. This is like you're probably taking down some sort of hardware or software and seeing if it comes back up, what you're gonna do, and what the outcome was. This is a little heavier lift, a little more time involved, a little more hours as well. So yeah.

Rob:

Yeah, this could go up to a month of testing. And really it's getting your leadership team in a war room, and you go through the steps from the executive level. You're gonna go through the steps. Legal, where do they need to get engaged? Do you have to write a letter to the FCC, the OCR? Do you have to write to additional customers, large entities? What do the communications look like, the regulatory pieces and the risk decisions, and then the tactical piece: how do we detect it? How do we contain it? How do we recover, those actions, those RTOs and RPOs, which we'll talk about next? But that's kind of that maturity two to three. Like, you've done a HIPAA audit, you're probably there, you've done some good stuff, but you're like, okay, now I don't know if our executive team knows what to do, who to call instead of the one person, or what the steps are to go through. Then we move from that two to three into two to four, and then three to four. This is where a majority of clients usually have issues: disaster recovery and business continuity tabletops, where they lack it. HIPAA, the NIST frameworks, SOC 2, ISO, and HITRUST all require that disaster recovery piece. What is it? How are you going to recover the environment? How are you gonna get back to where you are today? What does that really look like? So this is where we validate the recovery capabilities. If you're in AWS, you're in Azure, you're on-prem, you're in GCP, wherever you are, how are you gonna roll your environment back? How are you gonna get your systems back on, and review those RTOs and RPOs, review that failover, review the manual operations? And this is like three to five weeks.
So we're actually going through step by step, looking at the systems, looking at the documentation, looking at the communications, and really pulling that apart and diving in to see where we are within our DR plans, and whether we'd really be able to get the environment back up and running. That's usually about 12 to 18 hours-ish, is what we see. And then we move from that DR piece into the compliance-driven exercises. So this is regulatory compliance driven. This starts getting into companies that maybe have boards to report to, maybe they're a public company, maybe they have VC money, maybe they have large investors, or maybe they have multiple members, where we really have to demonstrate audit defensibility. This is where the legal pieces come in. Can your organization withstand a lawsuit or an incident or a breach and be ready to demonstrate that their audit is defensible, the documentation is defensible? And this is sitting down again in a war room and going through that. What are some of the things, Dawn, that we validate within that regulatory compliance piece?

Dawn:

This would be evidence, evidence and documentation and workflows. And basically, first of all, you're gonna have remediation items. How are you going to fix those? What are the gaps and what are the solutions to fill the gaps to make sure this doesn't happen again? Well, not to make sure it's not gonna happen, but to make sure that next year when you do the testing, you've identified that this was a gap, and so we now have an SOP for how we're gonna handle that remediation. So understanding that, and documenting all this along the way too. It's great to do the test, but also the documentation, so you can see where your gaps are and what needs to be updated in your SOPs.

Rob:

Yeah, and then understand the workflows. A lot of people say, what tools do we use to get this result? What do we have to do? What are the steps we have to take? Do we have the right tools? Do we have the right environment? A lot of organizations don't have SOPs so they can really understand what they need to do and how they need to do it. So then you go from that maturity three, four into the next maturity level, three to five. And I think you should go through each level to really get a good understanding of the environment. But this is where we do the cross-functional, enterprise-level exercise. This is probably companies that are maybe 20 or 30 seats, maybe 40 seats or more, where we're looking to break down organizational silos. So here's HR, here's marketing, here's IT, here's development, here's legal. Maybe you have onshore and offshore resources, maybe you have divisions in different parts of the world and in different countries. What does that look like, and how do you coordinate all of that? So this is a lot of effort. Sometimes these will be in person, four to six weeks; you could be up to 20, 30 hours of effort. These are big lifts, but what we find is this really aligns the organizations in their coordination, to make sure they understand how to coordinate between IT and HR and legal and all that, and really be focused on everything we need to be focused on. And then the last one here, Dawn, you want to take us through the threat intel? These are fun. It's like SWAT team stuff.

Dawn:

Yes, it is. This is really to maximize what's going on in the learning, and to align to real-world attacks, the real-world cyber system outages, things that are really happening nowadays. So it's really that alignment, and making sure that everyone's role in the company, because this is very organizational, departmentalized, kind of a bigger organization with multiple departments, so making sure everyone knows what they need to do and aligning it with what's going on. So this one, like Rob said, is definitely a high effort. This is gonna take a month or two, up to about 30 hours. This is gonna be the higher end: you're very mature, you've got a larger scope, multiple departments, that type of thing. So yeah, this is definitely a larger-scale type of tabletop.

Unknown:

Yep.

Rob:

Real-world attack paths. So this is like you're looking at your vectors: maybe an attack path, maybe it is bots, but maybe it's power, maybe it's utilities, maybe it's phones, maybe it's, who knows, databases. Maybe there's an attack vector that you've never thought of. This is where we go through that threat intel, red team, blue team, sit down and really go through those steps and all those vectors to understand and make sure that you're protecting the business, you're protecting the data, and you're able to come back from that and recover. And in all of these tabletops that we're rolling out here in February, what we like to do is, we don't want to just do the audit, right? Not only walk you through the tabletop and all the steps over the multiple weeks, but we're gonna lead and facilitate everything. And then we're gonna give you an AAR, is what we call it, an after-action report. So we'll give you a report on everything we find and our recommendations. So say in your DR plan, we sit down and basically facilitate a disaster, we facilitate the recovery, and then we give you the findings and recommendations of what we found, so that you know what to dive into and how to resolve those issues. I think the cross-functional participation is huge, because a lot of us don't have time, we don't take the time to sit down and go through things. So if you can break things apart and get your team aligned and get your team together and be able to work on stuff like this, then you're ready. It's almost like it's best to do an off-site. From those parts, you go into those realistic scenarios. We're really good at creating scenarios that are custom tailored, custom fit to your needs, so you can really align it to your business.
So say if you're an ice cream company, well, the bad thing about an ice cream company is if you can't keep it cold. So what does that look like? How do we keep that going? Do we lose product and all that? And then aligning the tabletops: what we like to do is align those to HIPAA, SOC, ISO, and HITRUST, right, Dawn? So what are some of the values that you can get out of the tabletops that lead into, say, SOC 2 or ISO?

Dawn:

Well, you're gonna be more prepared. You're gonna show the auditors that you're prepared, your preparedness for if something happens. Or when something happens. We shouldn't say if, because something's gonna happen. So it really shows the preparedness. And so we help you with that, and then you can be better aligned with the auditor. It's gonna feel like you've really gotten everything together, everything in place. And then also your leadership team, your security team, your whole team is gonna feel confident that if something happens, you understand what to do. And then you're gonna practice this every year. You're gonna do this every year, and learn from it and make it better. So yeah.

Rob:

Yep, definitely. And it gives you those real steps, right? These are clear next steps, risk reduction, and resilience for what you need to do. That's what we put together, and that's what we do with our new tabletop exercises. Tabletops have been around a while, but we put it together in how VanRein does it. And we're seeing a lot of value; our clients are seeing the value in understanding their risk, understanding what they need to do, and going from there.

Dawn:

And if you got an email from me that talks about this, we are just excited to share these services, this and also the AI, which Rob will dig into. If you got an email from me, there's also a coupon. So we offer 15% off a tabletop. So respond to my email or just reach out to us and we'll schedule a time, figure out what the scope is, what you're needing, what kind of tabletop you need, and we're happy to help you add that service, so you can feel more confident and understand what you're up against if something happens, so you're prepared.

Rob:

Yep. It's not one-size-fits-all either. Everybody's unique, every situation's unique. What may be important to one startup, maybe it's throughput, where the other one is like, I don't care about throughput, but I care about high availability, and what that looks like and how that changes. So that's how we put that together. So yes, look for that email from Dawn and respond. We'll set up a time and discuss that. But for the folks that aren't clients right now, there'll be more details down in the notes so you can understand how to actually do a tabletop, or just reach out to us on the podcast here or hello at vanreincompliance.com. And once again, thank you everybody for listening to this week's pod. Like or subscribe; it gets us into more people's feeds and really helps them protect their companies and get their compliance dialed in. And yes, it is Valentine's Day month, right? Or week, or no, not yet. We're getting there. But don't forget your Valentine, I guess, right?

Dawn:

There you go. Don't forget chocolates and flowers.

Rob:

That's it. Chocolates and flowers. Alrighty, until next week. Bye bye.

Dawn:

Bye bye.