VComply Named a High Performer in the GRC Platform Category on the G2 Grid for Winter 2021
Dec 22, 2020
3 Minutes

We are thrilled to announce that peer-to-peer business software review platform G2 has again placed VComply as a High Performer in the GRC Platform category in their Winter 2021 announcement. Organizations rely on research firms like G2 to help them analyze and compare business software products, and we are excited about the recognition.

We are thankful to our valued customers for this validation. We consider user feedback a great way to stay in close contact with our customers, learn where we need to improve, and deliver value.

In case you missed it, here’s the score that our customers have given us:

  • More than 96% of users gave VComply 4 or 5 stars
  • 95% of users said they would recommend VComply
  • The majority of users started just last year and found immediate value


Besides this, VComply also stands out in the following areas:

Ease of use

VComply received a score of 8.7 on a scale of 1-10 for ease of use, outranking many competitors in the GRC category and becoming a preferred choice for customers.

Quality of support

At VComply, we take great pride in serving our customers. We talk to our customers and help them find the quickest way to solve their problems. And the results speak for themselves! VComply received a score of 8.7 in the quality of support category.

Ease of setup

VComply scored 8.7 in the ease of setup category. VComply is intuitive, and it is very easy to create an account. On average, our customers have gone live in less than 2 weeks.

How did VComply reach the top spot?

At VComply, our goal is to make the easiest and most useful GRC software for organizations. Ever since we started in 2019, we have adopted a customer-centric approach. We have made meaningful changes to our compliance, risk, and audit product range to meet the evolving requirements of our customers. Now, VComply helps teams across compliance, risk, audit, human resources, and legal in varied industry sectors manage their individual responsibilities, while making it easier for leadership to coordinate organization-wide compliance activities.

What do customers say about VComply?

It was simple, it was easy to engage with, and it had a little bit of light-heartedness as well as a very easy-to-use dashboard and reports. With VComply, our teams can quickly and easily comply with responsibilities, and our ability to provide oversight across the agency, in one central location, is achieved.
CHD

Way Forward

We recognize that there is a lot of work ahead, and we are committed to the vision of building the world's most trusted GRC platform for our customers. We continue to add robust features and enhance existing ones in our platform to help you strengthen the compliance and integrity of your organization.

Read our reviews here on G2!

Devi Narayanan
Best Practices for Remote Audits
Apr 22, 2021
4 Minutes

A remote audit, or virtual audit, came as a boon to audit teams during the unprecedented COVID-19 crisis. It is a method of conducting an audit remotely using technology. Just like an onsite audit, it covers interviews with management and employees and the verification of documents and reports.


What Are the Benefits of Remote Audits?


A remote audit can be internal or external, can take place at any stage of the certification process, and offers many advantages.

Improved Efficiency

Contrary to the widespread belief that only onsite audits yield results, remote audits bring plenty of advantages. They force auditors to think outside the box and come up with creative resolutions to critical issues. Remote audits enable active participation from people with different skills and expertise, and help analyze issues and reach resolutions cost-effectively.

Flexible Approach

Remote audits allow auditors to interview a global network of employees without travelling. They also help auditors stay on schedule even under travel restrictions. By using technology and effective tools, stakeholders can perform a large amount of work asynchronously. This lets them work in their own space and increases the effectiveness of audit efforts.

Saves Cost and Time

Remote audits can be less costly: the money saved on travel and the time saved add up to a significant cost reduction. Communication before, during, and after the audit can also be recorded, which gives leadership teams better visibility and improves the quality of audits.

Conducting a Remote Audit

A remote audit is a dynamic process in which auditors rely on technology to carry out the audit. The phases of the audit process are:

Establish an Audit Plan

Define the audit scope first. Then, develop a remote audit plan. The audit plan should cover the criteria, the checkpoints that will be audited remotely, and the technology used during remote auditing. Once the methodology and approach are confirmed, schedule the audit date with the firm.

Conduct the Remote Audit

Conduct a kick-off meeting with management explaining the procedures of the audit. Record the opening session attendees, and identify whether there are any changes to the audit plan after the initial meeting with management.

The remote audit includes the review of internal controls, documents, evidence and proofs, and remote interviews with employees. Proofs and documents are reviewed to support the findings. The team can then hold a closing meeting with management and convey the findings.

Reporting

The audit team creates an audit report, documents the methodology and techniques used in the audit, and reports whether the audit was effective in achieving its goals.

Role of Good Software in Remote Auditing

Any type of audit involves the review, analysis, and evaluation of processes, documents, evidence, systems, and organizations. Auditors assess the accuracy, validity, reliability, verifiability, and timeliness of information, as well as the sources and processes by which that information is obtained. Integrated software like VComply helps automate processes and workflows, conduct methodical audits, report incidents, and resolve issues promptly. Using VComply, it is easy to collaborate with stakeholders. It also keeps employees accountable for their obligations and facilitates oversight in executing compliance obligations. Documents and proofs are made available and accessible. It also provides powerful reports and intuitive dashboards to help auditors gain real-time insights into the organization's compliance data and risk exposure.

Devi Narayanan
5 Questions to Ask When Choosing a GRC Platform
Apr 20, 2021
4 Minutes

Governance, Risk and Compliance (GRC) management is an integral part of an organization's management strategy. Once management identifies the benefit of adopting a GRC platform, the next question is how to choose the GRC platform best suited to your organization. Not all platforms are the same. The key is to set the right expectations and perform due diligence before you choose your vendor.


We have highlighted 5 questions you should ask your vendor:

Where Do You Host My Data?

Companies opting for SaaS applications are on the rise. In an era of data sovereignty requirements and the GDPR, it is vital to know where your vendor hosts your data. If you are opting for a SaaS GRC platform, which is a great choice for organizations including small and mid-tier companies, you need to ask your vendor where they host your data. Your vendor is the application that processes your data, so make sure you choose a vendor that hosts the data on a secure virtual server. VComply is hosted in the cloud and makes sure that your data is secure and compliant at all times.


What Are the Features and Benefits the Vendor Offers?

Evaluate the features that the vendor offers. Compare them with other vendors in the same price range. Analyze your organization's GRC goals and whether the proposed application provides a structured approach to achieving them, minimizing your risks, and managing your compliance requirements.

The basic features that you can look out for in a GRC platform are:

  • Centralized Internal Controls
  • Support for Future Frameworks and Standards
  • Workflow Automation
  • Scalability
  • Customizable Reports and Dashboard
  • Flexibility
  • Obligation Assignment


VComply is tailor-made to meet the demands of compliance professionals by helping them perform risk assessments and implement controls. It comes with built-in compliance frameworks that enable you to automate the implementation of compliance controls. VComply's workflow automation makes creating, assigning, and monitoring compliance responsibilities easier. It sends reminders to the stakeholders entrusted with completing a responsibility. Automation can drastically improve compliance oversight, coordination, and collaboration.


How Easy is It to Use the Platform?

A GRC platform should be intuitive and easy to use. Many of the legacy applications on the market are complex and difficult to use. When a platform falls short of what customers expect from a great GRC platform, the gap turns into the cost of bad UX. For example, if the user experience does not let the user create and assign a control quickly after a risk assessment, it defeats the purpose of an effective GRC platform. Suppose the compliance team cannot collaborate on a document or a compliance obligation, or the leadership team does not get enough insight from the reports or dashboards. In that case, it can lead to wasted effort, time, and frustration. In some cases, it can even add to your tasks. Analyze the application on these factors; the platform should fit your needs easily.

Compliance is an ongoing process, and your tools should embody that attribute. VComply evolves and proactively adapts to provide you an enjoyable user experience. When it comes down to the nitty-gritty of risk and compliance management, dashboards and reports should provide at-a-glance information. The VComply suite is equipped to address this need and does so seamlessly in support of successful compliance efforts.


Does the Platform Provide Integrated GRC?

Modern, integrated GRC software can help predict and mitigate risks and streamline compliance with regulations and the organization's policies. The flexibility to extend the application's capabilities so that employees can access a policy library, upload compliance evidence and proofs, and file and archive documents goes a long way toward avoiding compliance mistakes and omissions.

VComply offers a federated approach to GRC wherein audit, risk, policy, and compliance management activities are integrated. A centralized view of risks, internal controls, and compliance responsibilities is available to the leadership teams. A holistic view of GRC is transformational.

What Does The Overall Onboarding Process Look Like?


More broadly than simply selecting a tool, consider how exactly the vendor plans to onboard you onto the platform. How long does it take to operationalize the GRC platform and reap its benefits? First, identify your success criteria for implementing the system, convey them to your vendor, and tie them to your onboarding process. It takes only 5 days to fully onboard with VComply. It is easy to set up VComply and configure the organizational settings for managing your compliance and risk programs. The implementation team is with you at every step of the implementation process, from kick-off to configuration and workshops. VComply equips your team to shorten audit cycles and meaningfully eliminate the cost of non-compliance. By automating workflows, processes, and the mapping of frameworks, VComply can generate faster ROI for you.


If you're looking for a better way to manage governance, risk, and compliance in your organization, take a look at GRC software by VComply. VComply offers a complete GRC management solution to help you streamline everyday compliance processes with a centrally managed, cloud-hosted system.

Devi Narayanan
Why Are Internal Controls Critical for Your Organization?
Apr 13, 2021
4 Minutes

Growth is something organizations have their eyes fixed on. They are wary of wasting precious time and money on costly lawsuits, compliance risks that result in penalties, or reputational damage. Internal controls help establish the procedures and policies that keep the organization compliant, prevent employees from committing fraud, and improve the organization's operational and financial efficiency.

What is Internal Control?

COSO's internal control framework defines internal control as follows:

A process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

  • Effectiveness and efficiency of operations;
  • Reliability of financial reporting;
  • Compliance with applicable laws and regulations.

Internal controls are made up of the steps, procedures, policies, and rules designed to ensure that an organization meets its objectives efficiently and that it prevents, detects, and mitigates the risks it faces. Internal controls aim at operational efficiency and effectiveness through the control of risks. Many experts even note that internal controls are part of day-to-day operations.

The following are the basic features required for a robust internal control system:

Establishing responsibilities

The most important principle of internal control is establishing responsibility and entrusting it to specific individuals. Teams often fail because of a lack of clarity about who is responsible for what. Controls work best when individuals are made responsible for executing tasks. Establishing responsibility includes granting these individuals the authority to execute certain actions.


Segregation of Duties

Segregation of duties involves breaking a task into a series of smaller tasks and sharing them among several employees. Separation of tasks (SOD) is the basic building block of internal controls and risk management and helps prevent fraud and errors. When the parts of a task are divided among two or more employees, it reduces wrongdoing, errors, and embezzlement. SOD promotes shared responsibility and prevents any one person from having sole access to the company's critical assets. The concept of SOD derives from the notion that giving a single individual complete control over critical systems and vulnerable processes increases risk.
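The SOD principle described above only holds if someone actually checks that no single person ends up holding both halves of a conflicting pair. The following is an added example, not VComply's code: a conflict matrix and role-to-person mapping (all constructed, with hypothetical role and duty names) checked both detectively, over existing assignments, and preventively, before a new role is granted.

```python
"""Segregation-of-duties (SOD) conflict check over role assignments.

Constructed example data: duties are granted through roles, people hold
roles, and a conflict matrix lists duty pairs that must never rest with
one person (for instance, creating a vendor and approving its payment).
"""

# Duty pairs that SOD requires to be split across two or more employees.
# Hypothetical matrix; in practice the control owner defines it.
SOD_CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"approve_payment", "release_payment"}),
    frozenset({"post_journal_entry", "approve_journal_entry"}),
    frozenset({"create_user_account", "approve_user_access"}),
}

# Hypothetical roles and the duties each role grants.
ROLE_DUTIES = {
    "ap_clerk": {"create_vendor", "enter_invoice"},
    "ap_manager": {"approve_payment"},
    "treasury": {"release_payment"},
    "gl_accountant": {"post_journal_entry"},
    "controller": {"approve_journal_entry", "approve_payment"},
    "it_admin": {"create_user_account"},
    "it_manager": {"approve_user_access"},
}

# Constructed assignments; two of them deliberately violate SOD.
ASSIGNMENTS = {
    "alice": {"ap_clerk"},
    "bob": {"ap_manager", "treasury"},          # approves AND releases payments
    "carol": {"gl_accountant", "controller"},   # posts AND approves journal entries
    "dave": {"it_admin"},
    "erin": {"it_manager"},
}


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Union of all duties granted by a set of roles (unknown roles grant nothing)."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def conflicting_pairs(duties, conflicts=SOD_CONFLICTS):
    """Sorted list of (duty_a, duty_b) conflict pairs fully contained in `duties`."""
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= duties)


def find_sod_violations(assignments=ASSIGNMENTS, role_duties=ROLE_DUTIES,
                        conflicts=SOD_CONFLICTS):
    """Detective control: every person who currently holds both halves of a conflict."""
    violations = {}
    for person, roles in assignments.items():
        pairs = conflicting_pairs(duties_for(roles, role_duties), conflicts)
        if pairs:
            violations[person] = pairs
    return violations


def would_conflict(person, new_role, assignments=ASSIGNMENTS,
                   role_duties=ROLE_DUTIES, conflicts=SOD_CONFLICTS):
    """Preventive control: the new conflicts that granting `new_role` would introduce.

    Returns an empty list when the grant is safe, so the caller can block the
    change (or route it for compensating-control approval) before it happens.
    """
    current = assignments.get(person, set())
    before = set(conflicting_pairs(duties_for(current, role_duties), conflicts))
    after = set(conflicting_pairs(duties_for(current | {new_role}, role_duties), conflicts))
    return sorted(after - before)


if __name__ == "__main__":
    for who, pairs in find_sod_violations().items():
        print(f"{who}: {pairs}")
    print("alice + ap_manager ->", would_conflict("alice", "ap_manager"))
```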

Records Maintenance 

Documentation is a critical component of any internal control. Maintaining appropriate records means storing and safeguarding documentation, and it includes destroying obsolete physical records. A GRC platform like VComply helps organizations maintain a central repository of records and associate proofs or evidence with a control. It also provides role-based access to records and restricts unauthorized access. A backup of the data ensures that there is no data loss.

Independent Reviews and Audits

Independent internal verification or audits ensure that controls are working as intended. They also assure the organization that it complies with rules and regulations, that operations are performed effectively, and that financial reporting is accurate.

Safeguarding and Insuring of Assets

Physical as well as digital safeguards help protect the company's assets. They can be physical (e.g., locks) or intangible (e.g., passwords and PINs). Irrespective of the method, they are an important feature of the company's internal control plan. Documents such as blank checks, company letterhead, and signature stamps are items that require safeguarding, which is commonly overlooked.

Thus, to ensure good governance and compliance, a company should have effective internal controls in place.


VComply is a leading GRC platform that meets the demands of compliance professionals by helping them perform risk assessments and implement controls. It comes with built-in compliance frameworks that help you automate the implementation of compliance controls.

Devi Narayanan
How to Prepare Your Organization for GDPR and Data Privacy?
Apr 8, 2021
4 Minutes

When the internet and technology are the lifeblood of modern business operations, it is no wonder that data privacy has taken center stage. According to a Pew Research Center report, 79% of consumers have raised concerns about the personal data that organizations collect. These concerns have as much to do with discrimination and law as they do with ethics and policy. Across the EU, UK, USA, China, Singapore, and virtually every other location on the planet, the regulatory landscape for data privacy has changed and continues to evolve. In the EU, the General Data Protection Regulation (GDPR, enforceable since 2018) and its policies have effected change worldwide.

EU regulators and legislators indicated that businesses' almost laissez-faire approach toward data protection compliance had gone on for far too long and that the GDPR would rectify this. And it did. Today, the cost of data privacy infractions can amount to a hefty penalty of up to €20 million or 4% of the company's annual global turnover. Moreover, on account of the GDPR's broad territorial scope, it is regarded as a standard globally, and businesses invest heavily to keep up with the compliance regulations.

However, despite these efforts, a report published by DLA Piper states that data breach fines and notifications between January 2020 and 2021 increased by 40% and 19%, respectively. Naturally, this double-digit growth isn't conducive to healthy business operation and raises the question, 'What can or should companies do to mitigate losses due to data privacy non-compliance?' For insight on the matter, read on to learn how companies can prepare for the inevitable progression of the GDPR or any other data privacy laws and regulatory guidelines.

Define the role and responsibilities of a data protection officer

The first approach companies could take is to hire a data protection officer, or DPO. This is a relatively new role for most institutions and one that should exist, especially considering how quickly regulatory reforms can occur. A data protection officer is a professional tasked with doing all the heavy lifting to ensure that the organization remains compliant with the GDPR. As a matter of fact, the GDPR makes it mandatory for a company to hire a DPO if it handles the personal data of EU residents.

Ideally, companies should look inward at personnel working within the IT or legal departments for the role of DPO. A DPO's responsibilities often overlap with those of a Chief Data Officer, and these professionals serve as viable candidates for the job. However, to be effective, the DPO must receive formal training on the GDPR. Organizations such as the Association of Data Protection Officers and the International Association of Privacy Professionals (IAPP) offer courses on data privacy and security. There is talk that the GDPR will likely create entities that offer certification for such courses in the near future.

Ditch all age-old, legacy systems that make data management tedious

In a bid to save on costs, it is quite common for companies to carry legacy systems forward year after year. While this may have worked a decade ago, it definitely won't in today's environment. Legacy systems used to track, enter, and monitor data make staying compliant difficult, especially when dealing with a breach. The solution is to evaluate the efficacy of existing data management tools against today's standards.

A good starting point would be to get rid of systems that don't easily integrate with workflow automation. Manual inputs and processes increase the risk of non-compliance, and new-age tools can help address this problem. One smart and effective solution is the VComply GRC software suite. VComply allows you to establish a centralized data model, where a single repository of all critical documents may be maintained. This enables easy management and tracking, and can aid quick breach redressal when dealing with risk data.

Ensure that the privacy impact assessment isn't lacking

An effective way to stay ahead of GDPR changes is to ensure that current documentation is maintained with maximum accuracy and as per requirements. Under the GDPR, all data-intensive projects must have privacy impact assessment (PIA) documentation, which must be accessible to everyone involved in a project. This is not optional, as the PIA is the process that accounts for all the privacy risks present in any data a company collects from consumers.

Ideally, a comprehensive PIA should be able to document all key data-related information. Here is a table that highlights the main verticals and the type of data that should be documented.

Prioritize security above all

It comes as no surprise that data security is a key part of the GDPR compliance journey. To stay ahead of the ever-changing environment, companies should design all security measures with privacy as a priority. Common measures include creating workflows that govern data access, both on-site and remotely. As per the GDPR, an external data breach can even be a situation where an unvetted temporary employee is granted full access to data through a generic login.


Such cases of unsecured data access can be solved by implementing clearly defined user access controls. Besides these, security measures extend to monitoring and logging. This is another branch of data collection, albeit internal, and should be handled in keeping with the GDPR.

Review existing risk assessment controls and revamp as needed

Before the GDPR took hold, data privacy may not have been a key part of the risk assessment and management strategy. This needs to change in order to adapt to modern-day requirements, and data privacy should be given its fair share of importance within these protocols. This includes designing specific risk assessment models, having controls to mitigate risks, and understanding the impact of these risks and the extent of their exposure.


Considering that the GDPR guidelines will continue to evolve with every passing year, it is safe to assume that companies will soon have to learn to adapt on the fly. These 5 measures should help prepare for many reforms, especially if the company has the right tools at its disposal. The VComply GRC software suite offers organizations a way to map their data and efficiently implement controls to track and manage compliance with the GDPR. To address any queries or learn more about the offering, contact us online.

VComply Editorial Team
Avoid These Mistakes While Implementing Policy Management
Apr 6, 2021
4 Minutes

Holistic GRC management is incomplete without policy management. In an ideal world, policies guide an organization to follow the rules and regulations, prepare for internal and external audits, and ultimately keep the organization away from risk. However, the reality seems to be different. Many organizations seem to have only a very basic policy management system in place. This can have severe consequences, as it leaves you at risk of financial losses and security breaches and causes improvement initiatives to be overlooked.

Let's look at the major risks companies face when they do not implement a full-blown policy management system, and how to avoid them.

Approval Processes Hurting Your Business? Automate It

Is the policy document approved? Who approved it? Are we distributing the approved version of the policy to employees? These are some of the common questions we hear in organizations. Policies usually require multi-level approvals, and an organization's performance improvement initiatives can be delayed by a single missed approval.

VComply helps you set up workflows for multi-level approvals. Instead of manually sending a policy and waiting at every turn for a manager to approve it before sending it on to the next level, you can automate the whole approval process and configure parallel, round-robin, or sequential levels of approval.


Policies Everywhere? Centralize It

The lack of a central repository creates chaos when working with multiple policies. In a manual setup, employees find it difficult to tell which version of a policy to follow. VComply encourages efficient policy management because all policies are centrally located, saving employees' time when retrieving a policy. VComply's policy portal helps ensure that your organization complies with laws and regulations, and helps share policies with your stakeholders for attestation or reference.


Disparate and Disconnected Systems for Compliance, Risk and Policy Management? Link Them

Organizations using disparate and disconnected systems for risk, compliance, and policy management miss out on the benefits of an integrated system. Compliance, risk management, and policy management share interrelated tasks and common objectives. Combining these processes, and establishing transparency and accountability, requires an integrated and linked system.

VComply's GRC management is tightly coupled with policy management and helps implement proactive, risk-based policy management. It saves time, effort, and money, and streamlines the effort required to manage risk, compliance, and policies.


Role-based Access Control

Every policy management workflow should define the policy owner and with whom the policy is, and is not, intended to be shared. VComply's Workflow Management System allows you to customize what each user can see and edit. It enables business-level control of access rights by using roles to match user permissions to the organization.


A comprehensive policy management tool can alleviate the difficulties of creating and implementing policies. Cloud-based solutions like VComply's Policy Management Software give you a powerful way to create, modify, distribute, and test policies. For instance, with VComply, you can create questionnaires to gauge the effectiveness of a policy, assign privileges to grant appropriate access, keep a convenient audit trail, get real-time alerts, and more. Policy is a crucial component of GRC, and VComply offers a range of tools for governance, risk, and compliance management.

Having considered what a policy management process looks like and some reasons to invest in a policy management solution, deliberate on how to better govern your organization. Remember, the cost of bad policy management may far exceed that of investing in a policy management solution. So, when the time is right, do not think twice about using smart software to empower your efforts!

Devi Narayanan
Internal Audit: Trends in 2021
Apr 2, 2021
4 Minutes

The primary role of auditors is to help the organization remain compliant and meet its objectives efficiently. The growing and changing needs of stakeholders, crisis management requirements, and uncertainty have widened the scope of internal audits. In response to these requirements, new trends have emerged in the field of internal audit that will add value to the organization and guide it through the landscape of risks.

Here are some of the new trends in Internal Auditing:

Holistic approach towards auditing

Disruptions, threats, uncertainty, and change are part of today's organizations. From cyber-attacks and climate change to supply chain disruptions, organizations face numerous challenges. They need a resilient approach, frameworks, and mechanisms to bounce back when dealt unexpected risks. In this environment, internal auditing should assume bigger responsibilities beyond evaluating the company's compliance challenges, fraud detection, and reporting. Internal auditing should take on a central strategic role in the organization and provide insights that help management run it efficiently. It should provide guidance on governing risks, staying compliant, and implementing an operational resilience strategy.

Remote audit

The pandemic has forced companies to go remote, and at least for some companies, the trend is remote from now on. Like other functions, audit functions need to adopt tools that overcome communication and availability challenges. The adoption of communication technologies enables audit evidence collection, review of records, and report generation to support audit conclusions. Companies must conduct risk assessments and document the outcomes achieved through remote auditing. Internal audit must take up a proactive role by giving insights into different risks, challenging practices and processes, and the organization's overall risk landscape.

Build agility in audit

Audit teams need to be agile to keep up with the increasing pressures on organizations. They should let go of rigid practices and long audit cycles and instead focus on the organization's present needs, respond quickly to changing risks, adopt short and accelerated audit cycles, and reduce documentation requirements. Agile auditing empowers auditors to prioritize audits based on their importance and provide long-standing value.

Innovative audit techniques

While many companies are looking at technology specific to the audit function, others that have already invested in technology are expanding the role of automation and analytics. Audit automation simplifies the process of constructing new audits and creating new checklists. It ensures that non-compliances and weak areas are properly addressed. Thanks to advanced machine learning techniques, auditors are gaining invaluable insights by accurately analyzing large amounts of information, saving time and money. Meanwhile, advanced analytics can shed light on new risk patterns, anomalies, internal control gaps, or opportunities. They help internal auditors improve the scope and quality of their work while also delivering better insights to stakeholders.

Organizations use GRC tools such as VComply to conduct audit programs, schedule audit checklists, and issue audit reports. The advantage of such a tool is that you can monitor and improve control systems and areas of risk on an ongoing basis and in real time. Moreover, you govern your business better because you are no longer working in silos and with spreadsheets, but organization-wide, with customized software. VComply, for instance, allows you to schedule tests, classify incidents, track progress, and more. Now that you are aware of the basics of conducting an internal audit, venture forth to create a robust and consistent business process!

Devi Narayanan
How Does Your Organization Comply with PCI DSS? All You Need to Know
Apr 1, 2021
5 Minutes

According to an analysis by Atlas VPN, credit card fraud cases surged by 104.7% between Q1 of 2019 and Q1 of 2020. Likewise, Julie Conroy, a research director at Aite Group, reported that by the end of 2020, credit card fraud losses in the US amounted to a staggering $11 billion! These facts make it clear that the digital payment ecosystem is rife with vulnerabilities. After all, security gaps can emerge at various points of handling, storage, and transmission, such as POS devices, e-commerce apps, Wi-Fi hotspots, and personal computers.


To create a safer payment ecosystem, the major players, namely American Express, JCB, MasterCard, Visa, and Discover, formed the Payment Card Industry Security Standards Council (PCI SSC) and subsequently a standard for data security, the PCI Data Security Standard (PCI DSS). The latest version of PCI DSS is v3.2.1, and though PCI DSS is not a law, the industry is expected to comply with its requirements, as non-compliance entails hefty fines and lost business opportunities and customers.


Do you need to be PCI DSS compliant? 

If you handle, store, process, or transmit credit card data, you ought to be PCI DSS compliant. Moreover, your card processing agreement normally requires you to be. Depending on how much sensitive information passes through and resides in your systems, your compliance requirements could be more or less complex.


Achieving PCI DSS compliance entails adhering to 12 high-level requirements, and depending on your compliance needs, 300+ controls. Here is more on how to comply with PCI DSS. 


What is needed for PCI DSS compliance?

PCI DSS compliance is validated against a list of PCI DSS requirements. Read on to know more. 


Goal: Build and Maintain a Secure Network and Systems

  1. Use and maintain a firewall configuration: The goal is to protect cardholder data using a network security device (firewall) by controlling incoming and outgoing network traffic. Here, it pertains to traffic within internal trusted networks as well as between internal and external (untrusted) networks. A firewall is your first line of defense, preventing unauthorized access and securing the cardholder data environment.
  2. Ensure proper password protection: Operating systems, routers, POS terminals, etc., often come with vendor-default passwords and accounts. These help with installation; however, such initial settings are often freely available on the internet or are widely known. Hackers can easily exploit this loophole, so change all vendor-supplied passwords and security parameters, and delete default accounts.


Goal: Protect Cardholder Data

  1. Protect stored data: As a rule, it is good to avoid storing cardholder data when it is not necessary. However, some business transactions need you to store sensitive information. In such cases PCI DSS mandates that you employ protection methods like hashing, encryption, masking, and truncation to ensure that in case of unauthorized access, the cybercriminal will not be able to read the data or use it meaningfully.
  2. Encrypt transmitted data: Open, public networks can be accessed by cybercriminals, so you should ensure that the data you send over networks like the internet, Bluetooth, GSM, and Wi-Fi is secure. PCI DSS asks that data be encrypted, that the encryption strength be appropriate, that you use trusted keys/certificates only, and that you employ a secure protocol for data transmission.
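The protection methods named under "Protect stored data" (masking, truncation, one-way hashing) look like this in practice. This is an added example for this post, not VComply code or anything from the PCI SSC; the sample PAN and the HMAC key are constructed test values, and the requirement numbers refer to PCI DSS v3.2.1.

```python
"""PCI DSS requirement 3 in code: make a PAN unreadable before it is shown
or stored. Added example for this post, not VComply code. The PAN and
the HMAC key are constructed test values."""
import hashlib
import hmac
import re

# Constructed test PAN (a standard 16-digit test number, not a live card).
SAMPLE_PAN = "4111 1111 1111 1111"
# Constructed key. In a real system the key lives in an HSM or KMS under the
# key-management controls of requirements 3.5 and 3.6, never beside the tokens.
SAMPLE_KEY = b"example-token-key-not-for-production"


def normalize_pan(pan: str) -> str:
    """Strip separators, then check length (13-19 digits) and the Luhn check digit."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    if total % 10 != 0:
        raise ValueError("PAN fails Luhn check")
    return digits


def is_valid_pan(pan: str) -> bool:
    try:
        normalize_pan(pan)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """Masking for display (req. 3.3): first six and last four digits at most."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage (req. 3.4): keep only the last four digits."""
    return normalize_pan(pan)[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) of the full PAN, usable as a lookup
    token (req. 3.4). An unkeyed SHA-256 would be brute-forceable because the
    PAN space is small; the secret key is what stops that. Keeping this token
    next to the truncated PAN needs extra controls (req. 3.4 note)."""
    return hmac.new(key, normalize_pan(pan).encode(), hashlib.sha256).hexdigest()
```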


Goal: Maintain a Vulnerability Management Program 

  1. Use and update antivirus software: Today, an increasing amount of business activity is susceptible to malicious software attacks. Hence, it is essential to have antivirus software (which may be supplemented by an anti-malware solution) that can detect, protect against, and remove all known types of viruses, worms, trojans, adware, rootkits, spyware, etc. Since software threats evolve every day, regular updates are also a PCI DSS requirement.
  2. Have secure applications and systems: All code is buggy, and hence applications are never “perfect”. Loopholes exist and are discovered, and for this reason developers frequently release security patches. PCI DSS requires you to install critical patches supplied by vendors within 1 month of release. You also need to set in place a process for identifying security vulnerabilities and mapping them to a risk ranking – “high”, “medium” or “low”.

Goal: Implement Strong Access Control Measures

  1. Restrict access to cardholder data: Risk increases as data exposure increases, and to limit this, PCI DSS requires that critical data be accessed only by authorized staff, on a need-to-know basis. What is the minimum amount of access required to perform a specific job responsibility? That is what you must consider when assigning and approving privileges. A system admin will enjoy more privileges than call center staff, yet neither may need access to cardholder data in a given scenario.
  2. Assign unique IDs for access: Unique IDs for users are important for ensuring accountability for actions taken and for tracing the cause of issues. Requirement 8 of PCI DSS also requires that you use sufficiently strong passwords. Inactive IDs are to be removed or disabled within 90 days, and passwords are also to be changed at least once in this period.
  3. Limit physical access to data: Restricting and monitoring physical access to cardholder data is important to the integrity and security of the sensitive information you hold. Ensuring a secure cardholder environment could involve everything from installing video security cameras to having password-protected login screens and procedures to authorize visitors.

Goal: Regularly Monitor and Test Networks

  1. Create and monitor access logs: Having audit logs in place allows you to trace suspicious activity and attribute it to a specific user in case of any data compromise. However, PCI DSS also requires that you monitor these logs. Else, you will find yourself backtracking only after a data breach occurs. The goal is to stop it in its tracks.
  2. Test security systems and processes often: To root out fresh vulnerabilities, PCI DSS asks that you regularly test your custom software, processes, and system components. In particular, check for the presence of unauthorized wireless access points, through which an intruder can gain access “invisibly”.
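The points above on unique IDs, the 90-day rule for inactive accounts, and monitoring access logs can be checked mechanically. The following is an added example for this post, not VComply code: it reviews a small constructed access log (the log format, user names, approved-user list and dates are all made up for the example) and reports shared accounts, stale IDs and cardholder-data access outside the need-to-know list.

```python
"""Review an access log against PCI DSS requirements 8 and 10: flag shared
accounts (no attribution to one person), IDs idle for over 90 days, and
cardholder-data access outside the need-to-know list. Added example for
this post, not VComply code; log format, users and dates are constructed."""
from datetime import datetime, timedelta

# Constructed log: ISO-8601 UTC timestamp, user ID, action, resource.
SAMPLE_LOG = """\
2021-03-01T09:12:03Z alice.k LOGIN_OK -
2021-03-01T09:13:40Z alice.k READ cardholder_db
2021-03-02T14:02:11Z admin READ cardholder_db
2021-03-03T08:45:00Z bob.m LOGIN_OK -
2020-11-15T10:00:00Z carol.p LOGIN_OK -
2021-03-04T11:30:22Z dave.r READ cardholder_db
"""
# Constructed need-to-know list for the cardholder database (requirement 7).
APPROVED_CHD_USERS = {"alice.k"}
# Generic accounts that cannot tie an action to one individual (requirement 8).
SHARED_ACCOUNTS = {"admin", "root", "administrator", "guest"}
INACTIVE_DAYS = 90   # requirement 8.1.4
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_log(text: str) -> list:
    """Split each line into a dict; a malformed line is a finding in itself,
    so it is recorded rather than silently skipped."""
    events = []
    for n, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 4:
            events.append({"malformed": n})
            continue
        ts, user, action, resource = parts
        events.append({"ts": datetime.strptime(ts, TS_FORMAT), "user": user,
                       "action": action, "resource": resource})
    return events


def review_log(text: str, as_of: str) -> list:
    """Return sorted (kind, user, timestamp) findings as of the given ISO time."""
    now = datetime.strptime(as_of, TS_FORMAT)
    findings, last_seen = [], {}
    for e in parse_log(text):
        if "malformed" in e:
            findings.append(("malformed_line", str(e["malformed"]), ""))
            continue
        user, ts = e["user"], e["ts"]
        last_seen[user] = max(last_seen.get(user, ts), ts)
        if user in SHARED_ACCOUNTS:
            findings.append(("shared_account", user, ts.strftime(TS_FORMAT)))
        if e["resource"] == "cardholder_db" and user not in APPROVED_CHD_USERS:
            findings.append(("unapproved_chd_access", user, ts.strftime(TS_FORMAT)))
    for user, ts in last_seen.items():
        if now - ts > timedelta(days=INACTIVE_DAYS):
            findings.append(("inactive_account", user, ts.strftime(TS_FORMAT)))
    return sorted(findings)
```

In a real environment the same checks run against the central log store on a schedule, and the approved-user list comes from the access-approval records rather than a constant.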

Goal: Maintain an Information Security Policy

Document a security policy: Protecting sensitive data is the responsibility of all employees and to set the right tone, PCI DSS requires that you establish, publish, maintain, and disseminate a security policy that educates personnel on what is needed from them.


What are the essential steps of PCI DSS compliance?

Know your compliance level: There are 4 PCI DSS compliance levels.
  • Level 1: Merchant processing <20,000 online transactions annually, or up to 1 million total transactions annually
  • Level 2: Merchant processing 20,000 – 1 million online transactions and less than 1 million total transactions 
  • Level 3: Merchant processing 1 – 6 million transactions annually
  • Level 4: Merchant processing over 6 million transactions annually

Depending on your compliance level, you will determine which networks and components are in PCI DSS scope.

Assess system components within scope: Each PCI requirement has corresponding testing procedures, and at this stage you must check for compliance and identify gaps. Level 1 businesses need to conduct an onsite assessment and draft an Annual Report on Compliance (ROC). A Qualified Security Assessor or an internal auditor will be involved in the process. A QSA is a PCI-SSC-approved independent security organization that validates your business’ adherence to PCI DSS.


If you belong to Level 2-4, assess your compliance by filling out an annual Self-Assessment Questionnaire (SAQ). There are 9 SAQs, and these comprise Yes-or-No questions for each PCI DSS requirement. You need to use only the SAQ relevant to you. At least every quarter, businesses at all levels engage the services of an Approved Scanning Vendor (ASV) to meet the external vulnerability scanning requirements of PCI DSS. Depending on the gaps present, you will need to adopt certain security controls and protocols. The 12 PCI DSS security requirements outlined above indicate how you should go about protecting sensitive information.


Report, attest, and submit: After assessing and taking remedial measures, document the SAQ/ROC and any compensating controls. You can then fill out a formal Attestation of Compliance (AOC) and have it verified by a QSA to show that you are in full compliance with PCI DSS. With everything in order, you can submit your SAQ, ROC, AOC, etc., to any organization requesting them.


Remember, PCI DSS compliance is not a one-time task. It is an ongoing process of assessing, repairing, and reporting. It requires you to bring together your legal, technology, finance, and security teams for a common purpose, and a software solution like VComply can help you manage and monitor the 300-odd security controls you may need to set in place. With it, you can easily delegate responsibilities, conduct gap analysis, generate reports, get prompt alerts, and more. With PCI DSS 4.0 slated to arrive in mid-2021, getting compliant today is the best thing you can do to prepare for the future. So, take steps towards securing your cardholder data environment and use VComply to accelerate your compliance efforts manifold!

VComply Editorial Team
Understanding Risk Appetite and Risk Tolerance
Mar 30, 2021
3 Minutes

Risk management is the process of identifying, assessing, and managing risks in an organization. In times of uncertainty, the organization looks to risk managers to make crucial decisions about risk management and mitigation. Risk officers are required to bring all stakeholders onto the same page and decide on the organization's risk appetite. Risk appetite and risk tolerance are two essential concepts in risk management around which misconceptions and confusion are prevalent.

What is Risk Appetite?

Risk appetite is the degree of uncertainty, or the level of risk, that an organization or individual is willing to accept in pursuit of its objectives. If the organization is ready to take on significant risks, its risk appetite is considered high. If an organization does not want to confront a situation that will affect the company's revenue and wants to play safe, its risk appetite is considered low.

What is Risk Tolerance?

Risk tolerance is the degree of risk that an organization can withstand. For example, if management decides that the organization can take on financial risk of up to 250,000 USD, then that amount is the agreed tolerance level. Once the risk appetite and tolerance level have been defined, risk managers can evaluate whether the existing risk framework is adequate. They need to adjust risk management strategies to keep risks within the risk appetite.

A sound understanding of risks and of the effectiveness of controls can add value to an organization. VComply’s risk management software provides a centralized system to identify and maintain a register of potential risks for the organization, evaluate the impact of those risks, and implement controls for their treatment and mitigation. Contact us to learn more about how VComply can help you manage your risks.


Devi Narayanan
Accountability Issues in Corporate Governance
Mar 30, 2021
4 Minutes

The importance of good corporate governance for an organization's success has been widely discussed. However, even though organizations keep in mind the principles, the different models and all the aspects of good governance, there is always scope for error, and that is why issues in corporate governance, especially accountability issues, are in abundance. By now, we know how important accountability and transparency are in corporate governance. Let us look at some of the steps you could take against potential issues that you may have to face.

Choosing the right board

It is now well established that the board in any corporation plays a pivotal role in its governance, which is why care should be taken not to appoint undeserving, inexperienced people who are incapable of handling crucial situations and forming suitable solutions. So that everyone’s point of view is represented on the board, it is important to have a diverse group of people with a healthy mix of ethnicities and of men and women. Beyond the board managing everything, it is important that the seriousness of corporate governance is ingrained in the corporate culture. Complying on paper is not enough; there should be visible, tangible compliance and subsequent results. Board appointments should be made by voting only, on the basis of talent and experience and not because of family contacts or influence. This will make sure that the board comprises people who are dedicated to working for the company’s cause and are not just there for the sake of it.


Evaluation of Directors

The board also needs to be evaluated on the basis of its performance. The performance of directors as a group as well as individually needs to be considered, covering both qualitative and quantitative aspects: how they achieve objectives and how they handle ethical issues. There are usually calls for these evaluations to be made public so that the results actually have an impact on the directors. However, such evaluations can be sensitive in nature, and full public disclosure may have a negative impact on the organization.

Handling of Independent Directors

Independent directors are accused of maintaining a passive stance regarding the board’s decisions. However, in cases where these directors have protested against promoter decisions, they have been removed for non-compliance with the promoter, and this is permitted by law, which states that an independent director can be easily removed by promoters or majority shareholders. This inherent conflict has a direct impact on independence. Therefore, to make sure that directors are not simply removed from the board, there needs to be a better evaluation system in place to justify the removal, and the decision of the majority should be taken into account.

Accountability towards Stakeholders

Directors have duties not only towards the corporation that they head and its stakeholders but also towards its employees, the community and the protection of the environment. These general duties need to be carried out by all directors; however, the independent ones come across as complacent. This may be due to the lack of actual implementation. Therefore, to further propagate accountability, the entire board must be mandated to be present for all meetings with stakeholders, to foster healthy camaraderie.

Control in the hands of the Founder


In some countries, the founder’s identity is often merged with the company’s identity, in the sense that the two are seen as one and the same. The founder has immense control over the working of the company and can make or break any aspect of governance. There is a lack of succession planning, and founders keep exercising their power to influence crucial decisions regarding the company. It is important that founders chalk out a succession plan and implement it.

Managing Risks


A risk management policy has always been imperative and has gained more importance over the years, especially in today’s world, where big businesses are under the scrutiny of the media and of competitors. A proper risk management strategy needs to be chalked out and inculcated in the day-to-day workings of the company. The independent directors are mandated to assess the risk management systems of the company.

Data Protection and Security


Today, everything is digitized, and as much as this has an immense number of advantages, it also poses a great risk to the privacy of data. The board must be familiar with at least the basics of cyber security to protect the company against a potential data scandal. The board must invest a reasonable amount of time and money in order to ensure the goal of data protection is achieved.

Corporate Social Responsibility and the Board

Companies that meet the specified criteria/thresholds are required to constitute a CSR committee from within the board. This committee goes on to frame a CSR policy. Companies are required to spend at least 2% of the average net profits of the last three financial years on CSR activities. In case the expenditure is not carried out, proper justification needs to be provided. CSR is important, and CSR projects should be managed by the board with as much interest and vigor as any other business project of the company.

In Conclusion

A good corporate governance system ensures transparency, fairness, and accountability. VComply offers a complete GRC management solution to help you streamline everyday compliance processes with a centrally managed, cloud-hosted system.


VComply Editorial Team