Top 10 Back to School Blunders
(translated to your Compliance and Security program)
Back to school! A recent 'Best Life' blog listed the biggest mistakes parents usually make at the start of a new school year and, interestingly enough, they all seemed to easily convert to best practices for your team to consider when building and maintaining your organization’s information security and compliance programs.
They don’t make their children read over the summer
Repetition is the key to success and, without ongoing education for your staff, they will become disengaged, start to ignore the importance of security, fail to proactively prevent risks, and start slacking on important tasks like payment card device inspections. Don’t make compliance something you only enforce once a year as a check-box activity. Educate staff throughout the year with updated training, and stay in front of them with relevant news, best practices, alerts regarding specific cybersecurity risks, etc.
They don’t prepare for bedtimes
Failing to plan ahead and prep team members sufficiently before the annual PCI Self-Assessment Questionnaire (SAQ) cycle or Annual Risk Assessment can cause pushback (and potential non-compliance fines). It is also important to account for operational calendars and schedule accordingly so you aren’t requiring Athletics to complete their SAQ the first week of football season.
They buy cute or trendy supplies (not on the list)
Buying the hottest new technology or jumping on the bandwagon for every new trend doesn’t help if the new solutions are not compliant and if they are not able to successfully meet the requirements on your IT Security checklist. So what if all of the other kids are doing it? The vendor’s commitment to compliance and security is important and, without properly reviewing and assessing their solutions prior to implementing, a department can negatively affect the entire organization’s compliance status.
They don’t keep the receipt so can’t return the item
This is important. Do not sign a contract with a third-party vendor before you have approval from the IT Security Team or the PCI Committee. Trying to backtrack and make a non-compliant solution compliant after the fact is never easy.
They aren’t present for their child
If the compliance and security team isn’t available to help address staff questions, assist in the review of new devices or technologies, share best practices, etc., personnel are more likely to go rogue and do what they want – which may or may not align with your security strategy. Be available to help review possible new vendors, support them with Self-Assessment Questionnaires, remediate vulnerabilities, provide procedure templates, etc., and make sure they know how to get hold of you (via your compliance and security information page online).
They wait to ask questions
Parents shouldn’t wait until the end of the year to voice concerns or ask questions of a student’s teacher, and likewise the Security and Compliance Team should not hesitate to check in with your staff and verify they are still following the approved procedures. Sending out a survey mid-year to confirm processes and remind them of their responsibilities, and scheduling periodic drop-ins, will go a long way in ensuring ongoing compliance.
They don’t go over after school transportation
If you don’t clearly explain timelines and action items to your staff, they aren’t going to magically know that specific items are due, how to complete the necessary documentation, and where to go to find additional information. Provide clear benchmarks so everyone understands the expectations and their role.
They don’t sign up for the recommended technology platforms
Sometimes it may seem like the emails asking parents to sign up for school services and applications are endless, but these modern technologies really can make a parent’s life easier. Similarly, automated tools and applications help improve the security team’s ability to monitor compliance and track tasks on an ongoing basis. Systems can even be used to send automated reminders for outstanding tasks like upcoming due dates, vendor compliance documentation collection, etc., which can often be bottlenecks in the compliance timeline.
Parents shouldn’t do everything for their children because, by doing so, they fail to allow their kids to develop independence. In this same vein, it is best to engage your staff in remediation and reporting tasks rather than avoiding them because you think they might not understand or because you just don’t want to deal with the complaints and questions. Make security and compliance an organization-wide responsibility, and hold each area accountable for its own compliance status. Without ownership and adoption at the department and individual level, your ongoing compliance program will likely fail. To gain momentum at that level, it can be helpful to select a champion (or two) who will set an example for the others to follow.
They want to be their friend and not a parent
View your role as that of a partner to the individual departments but also as an advocate for the organization. This means that you enforce all applicable compliance and security requirements on all departments in the same manner. Exceptions can be made when necessary, but only after following your documented process for in-depth review and risk acceptance.
One of the most important aspects of any compliance and security program is the engagement and active participation of your staff. Make sure this effort starts from the moment they start working with you - talk to them about the risks that can come into play in their area and the controls that must be in place to mitigate those risks accordingly. Explain their requirements for compliance with clear guidelines for how to meet those requirements, action items, and deadlines. Make sure they understand that compliance and security impact your whole organization, and that you are there to help them reduce their risk, continue to expand their businesses with safe and secure behaviors, and focus on providing great services to their customers.
Some additional guidance from the Customer Relationship Management Team:
[Seguy]: Like many of you, the new school year brought with it a wave of nostalgia to me – though, this year was different. Instead of my own children heading off to a new year, it was my first grandchild, heading off to pre-school. How would he do? Would he willingly walk into this new environment and away from his stay-at-home Mom? I’m pleased to report that he did – and I believe he did so because, just like in the article, he had been properly prepared. We all had been coaching him on what to expect, from the new morning routine to the high-level schedule for the classroom. In the very same way, your efforts to prepare your merchants through on-going training, engagement discussions, vendor management, and clearly defined expectations will help to ensure they, too, are confidently walking through that door to compliance.
As always, CampusGuard is here for you. Feel free to reach out to us for additional guidance.