TRANSCRIPT
Compliance Metrics That Matter
January 9, 2018
HOUSEKEEPING
You will receive a copy of the presentation and a recorded version of the webinar via email after the conclusion of the webinar.
Type your questions and click Send in the Questions Pane (left-hand side).
You can use your phone or your computer audio to hear the conversation.
MEET OUR EXPERT PANEL
Janelle Hsia
Director of Privacy and Compliance
American Cyber Security Management
Stephanie Jenkins
Chief Compliance Officer
ETHIX360
SurveyGizmo | What Do Customers Want?
2018: The Year of Proactive Groundwork
• Other business units use performance metrics as a gut check for how they are impacting the organization.
• Yet, in compliance and ethics, measuring “effectiveness” is a rather esoteric activity.
• This uncertainty and lack of clarity leaves many professionals in the field still having to prove their worth through continual validation.
• Security POV - detect and prevent, and use compliance in that way; you don’t know there is going to be a problem unless you know what you have.
• Using compliance as a competitive advantage - beat others to market.
• Everyone has a product, but what are you doing to protect it?
Metrics are the catalyst that is needed to level up compliance as a foundational business function.
If There’s No Story To Tell, It’s Just Numbers
• Making sense of the data, using it to personalize the consumer experience, and integrating data into process management for things like SKU rationalization, product innovation, and store openings and closings is critical to turning data into a way to better the consumer experience
• It’s not about being the one with the most data on your consumers; it’s most important to be the smartest with that data
Metrics That Might Matter to You
• Case management
• Conflict of interest
• E&C Training & Awareness
• Policy Management
• HR-Focused
• Assessments, Audits & Surveys
• Benchmarking
• Supplier Compliance Program
• E&C Program Business Impact
Case Management
• Hotline/Helpline reports
  • Broken down by issue/allegation type -- Code of Conduct/specific policy
  • Anonymous vs. Named
• Hotline/Helpline intake method
  • Phone
  • Web portal
  • Text message
• In-person/Open Door reports
  • Who did they report the concern to -- Compliance, HR, Manager, Leadership
• Number of reported cases opened/closed
• Number of days to close cases
• Number and type of legal proceedings
Conflict of Interest (COI)
• Broken down by Annual, New Hire, and Ad Hoc
• Completion rates
• # of actual COIs vs. perceived COIs and # of days to resolve
Policy Management
• # of Policies
• How often they are reviewed, attested to, requested by prospect/client
E&C Training & Awareness
• Completion rates
• Number of days to complete training
• Training Medium
  • Web Seminar
  • Computer-Based Training
  • Online/eLearning (video, interactive game)
  • Instructor-Led Classroom Training
• Training Test Results (if tracked)
  • Final Score
  • Number of attempts
  • Days to complete training
  • Training seat time
• # of Awareness campaigns
• Attestations
  • # of policies
  • New Hire/Annual Code of Conduct completion rate
Assessments, Audits & Surveys
Compare results year over year when possible and look past the numbers
• Culture Assessment results
• Employee survey/engagement results
• Internal Compliance Audit results
• External Audit results – e.g., from healthcare providers
HR-Focused
• Turnover
• Attendance
• Performance Review results (if E&C is a part of them)
• # of E&C related new hire/promotion interview questions
• Findings from Anonymous/Known Exit Interviews
• # of E&C related new hire interview questions
Benchmarking
• Program Benchmarking -- whole program and/or by area, e.g., Case Management
  • Compared to companies in a similar industry
  • Compared across industries (e.g., same size, geography)
Supplier Compliance Program
• Material created
• Level of engagement
• Audit results
E&C Program Business Impact
• Business strategy and operational changes with E&C impact
• Organizational impact/Corporate profitability
  • Involvement in deals
  • # of client audit requests/time
  • # of requested policies, e.g., Privacy
  • # of deals involving review of the E&C program
    • Of those deals, # won
  • Reduction in legal fees
• Productivity Impact
  • Improved access to policies and procedures
• Risk Impact
  • Country
  • Political
  • Industry
• Constituents Impact – feedback from Customers, Suppliers, Partners, the Public
Metrics That Matter to ETHIX360
• Case Management
• Conflicts of Interest (COI)
• Training
• HR-Focused
• Audit
• Policy Management
• Supplier Compliance Program
• E&C Program Business Impact
Case Management
• # Reported Issues
• Questions Asked
• Intake method
Conflicts of Interest (COI)
• # completed forms
• Real vs. perceived
HR-Focused
• # of E&C related new hire interview questions
Training
• # of courses
• How they fulfill a business need
• Completion rate
• Days to complete training
• Test results
Audit
• Internal & External
Policy Management
• # of Policies
• How often they are reviewed, attested to, requested by prospect/client
Supplier Compliance Program
• Material created
• Level of engagement
• Audit results
E&C Program Business Impact
• Corporate profitability
  • Involvement in deals
  • Policy/Code requests
  • Compliance program assessment requests
• Risk Impact
  • Industry
  • Country
  • Changes in regulations
• Constituents Feedback
  • Customers
  • Suppliers
  • Partners
  • The Public
Security & compliance metrics
• General Security Program
• Phishing
• Secure Configuration
• Inventory of assets
• Secure software development
General Security Program
• # of security assessments completed
• Policy Management (SSP, IRP, BCP, DRP, SETA, TT&E)
• # of security incidents
• Breach Notification
• # of risks reported on the risk register
• 3rd-party risk management program
• % of employees trained
Phishing
• Open rate
• Click rate
Secure Configuration
• # of systems with secure identity and access management (IAM)
• % of systems with automated configuration & # of unique systems
• % of systems NOT on the current version
Inventory of Assets
• # of systems
• # of software products used
• # of employees/contractors
• Mean time between failures
• % missing or stolen equipment
• Equipment Maintenance Schedule
• Infection rate
Secure Software Development
• Remediation rate
• Critical & High vulnerability aging
• Average # of open vulnerabilities
• Defect rate
• Days to patch
• % uptime (SLA)
• Adherence to the OWASP Top 10 (owasp.org)
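As an added example (not code from the webinar or either presenter), the following Python computes four of the metrics listed above from a constructed set of scanner findings: remediation rate, critical & high vulnerability aging against an assumed per-severity SLA, average number of open vulnerabilities over snapshot dates, and days to patch. The finding records, the reporting date and the SLA day counts are all assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

@dataclass
class Finding:
    fid: str
    severity: str             # "critical" | "high" | "medium" | "low"
    opened: date              # date the scanner first reported it
    closed: Optional[date]    # None while the vulnerability is still open

# Constructed sample findings for illustration only (not data from the webinar).
FINDINGS = [
    Finding("F-1", "critical", date(2018, 1, 2), date(2018, 1, 5)),
    Finding("F-2", "high", date(2018, 1, 3), None),
    Finding("F-3", "high", date(2017, 12, 1), None),
    Finding("F-4", "medium", date(2017, 12, 20), date(2018, 1, 8)),
    Finding("F-5", "low", date(2018, 1, 4), None),
]
AS_OF = date(2018, 1, 9)                            # reporting date (assumed)
SNAPSHOTS = [date(2018, 1, 1), date(2018, 1, 8)]    # weekly snapshot dates (assumed)
# Assumed remediation SLA in days per severity; placeholder values, not from the page.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

def open_findings(findings, as_of):
    """Findings reported on or before as_of and not yet closed on that date."""
    return [f for f in findings
            if f.opened <= as_of and (f.closed is None or f.closed > as_of)]
def remediation_rate(findings, as_of):
    """Share of findings reported by as_of that were closed by as_of."""
    in_scope = [f for f in findings if f.opened <= as_of]
    closed = [f for f in in_scope if f.closed is not None and f.closed <= as_of]
    return len(closed) / len(in_scope) if in_scope else 0.0
def days_to_patch(findings, as_of):
    """Mean open-to-close time, in days, for findings closed by as_of."""
    durations = [(f.closed - f.opened).days
                 for f in findings if f.closed is not None and f.closed <= as_of]
    return mean(durations) if durations else 0.0
def crit_high_aging(findings, as_of):
    """Age in days of each open critical/high finding, with an SLA-breach flag."""
    return {f.fid: {"age": (as_of - f.opened).days,
                    "sla_breached": (as_of - f.opened).days > SLA_DAYS[f.severity]}
            for f in open_findings(findings, as_of)
            if f.severity in ("critical", "high")}

def average_open(findings, snapshot_dates):
    """Average number of open findings across the snapshot dates."""
    return mean(len(open_findings(findings, d)) for d in snapshot_dates)
```

Aging is measured from the date the scanner first reported the finding, so a finding that is closed and later re-opened should get a new record rather than a reset date, or the SLA clock would be wrong.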
How security works with compliance
• Always encrypt sensitive information, both in transit and in storage
• Understand your data retention policy - if you don’t have the data, it can’t be compromised
• Limit access to information - the fewer people who can access it, the better
• Create a good (IAM) password policy - and enforce it!
• Patch your systems - as often as possible, or at least know why they are not patched
• Ensure good boundary protection - including wireless access points and BYOD
• Create, understand, and maintain a Privacy Policy
• Train your employees on good security hygiene
Resources to help unpack Security & Compliance
CSA (Cloud Security Alliance) - promotes the use of best practices for providing security assurance within cloud computing, and provides education on uses of cloud computing to help secure all other forms of computing.
CSA CAIQ template (Consensus Assessment Initiative Questionnaire v3)
CIS (Center for Internet Security) - secure your organization. Maps the critical security controls to common frameworks like NIST, ISO, PCI, HIPAA, COBIT, CSA, ITL
CIS Controls - Inventory, Secure Config, Maintenance, Patching, Malware, Data Recovery, Incident Response, Penetration Testing
CIS for SMB - guide for small and medium businesses, a smaller subset of the controls
ACSM - CISO-as-a-Service, DPO-as-a-Service, Security Operations, and Training
Q & A
Check your inbox for access to:
WEBINAR RECORDING - A recording of today’s webinar
SLIDE DECK - Today’s slide deck with links to all the resources
E-BOOK - How to Gain Company-Wide Insights with Culture Assessments
Thank You!
surveygizmo.com © 2005-2018 Widgix, LLC dba SurveyGizmo