“When ATS started evaluating solutions to help us improve (from good to better) the management of our compliance efforts, I wanted to find an application that would decrease the amount of time spent on tasks related to our compliance efforts and improve the efficiency of the interactions with our examiner. We ultimately chose to work with Hyperproof because the tool provides the out-of-box features we need, helps us save time in the audit process and gives us real-time feedback on where we stand in terms of our audit preparedness.”
Bill Rankin, Manager of Compliance and Security Services, ATS
The challenges
Keeping up with compliance and audit requirements
Too much time spent on collecting evidence for each audit
Lack of visibility on where the organization stands in terms of audit preparedness
Why ATS chose Hyperproof
Decrease the amount of time spent on tasks related to their compliance efforts
A single source of truth for all compliance efforts
Out-of-box compliance templates for programs such as SOC 2, GDPR and NIST 800-53
Hyperproof provides the medium for ATS to help clients build their compliance programs and collaboratively manage them in the long-term
The Search: “We Need a Single Source of Truth for All of Our Compliance Efforts”
As a trusted partner to many clients in the government sector, ATS takes information security and compliance seriously.
ATS believes in the good, better, best methodology and continual service improvement. When Bill Rankin, Manager of Compliance and Security Services, started evaluating solutions to help the company improve (from good to better) the management of their compliance efforts, he wanted to find an application that would decrease the amount of time spent on tasks related to their compliance efforts and improve the efficiency of interactions with their SOC 2 examiner. He needed something that could be a single source of truth for all things related to their compliance efforts.
Rankin generated a list of criteria and ranked them as must-haves, should-haves, and nice-to-haves. His must-have criteria for compliance software included:
1. Ability to Manage Everything in One Place
Prior to Hyperproof, Rankin and his team had a difficult time managing all the proof for their SOC 2 program, because the proof resided in multiple systems (e.g. Microsoft Teams, email). Rankin wanted a central location where all SOC 2 requirements, controls and proof could be stored and managed, so that their examiner could look at everything in a single, streamlined system. The team wanted to be able to quickly answer questions such as, “Where are we with our evidence collection?”, “Where are all of our artefacts?” and “What do the examiners need to see?”
“The more I can bring in-house into a single solution to solve the problem, the happier I’ll be,” says Rankin.
2. Ease of Use
Rankin wanted an application with an intuitive interface so his team could hit the ground running with minimal training.
3. Collaboration Capabilities
Prior to Hyperproof, preparing for each audit consumed an inordinate amount of time from Rankin and his team. The team exchanged many emails and phone calls with their examiner to complete the required workstreams. Rankin wanted an application that would improve the collaboration process and bring efficiencies to the ways in which team members interact with one another and with their auditor. In this regard, features to help with the ongoing management of controls are key.
4. Out-of-Box Compliance Frameworks
“Hyperproof comes out-of-the-box with a robust set of compliance frameworks. For instance, they have a SOC 2 framework with requirements and illustrative controls. We can use that to speed up our SOC 2 audit. We can also use Hyperproof’s NIST and GDPR frameworks in our client engagements,” says Rankin.
5. Ability to Leverage Hyperproof as the Medium for Supporting Clients
In addition to internal use, Rankin also sees value in Hyperproof because it provides the medium for ATS to help clients build their compliance programs and collaboratively manage them efficiently in the long term. “As a compliance consultant who assists clients with compliance needs related to, for example, NIST SP 800-171, GDPR, CCPA, PCI DSS and other established frameworks, I need a solution to help me effectively manage these engagements and serve as the portal into what each client is doing. Hyperproof’s multi-tenancy capabilities and features made me quickly realize that this was the tool for us,” says Rankin.
At this point, Rankin has finished the migration of their internal SOC 2 program (from Microsoft Teams into Hyperproof). All contributors to the project have access to the program within Hyperproof. All controls have been mapped to the requisite requirements, and all proof files have been linked to the correct controls. By completing all of these activities, ATS is close to being ready for their 2020 SOC 2 exam.
Prepare for an audit in a fraction of the time
One of the most time-consuming tasks in the SOC 2 audit preparation process is associating the right evidence files (also known as “proof”) with the right controls. While it takes seconds to associate one proof file with a single control, it becomes time-intensive when an individual has to associate hundreds of proof files with hundreds of controls within a program, one at a time. Some of the work is redundant, because certain types of proof can satisfy multiple controls.
With Hyperproof’s out-of-box SOC 2 compliance framework, “labels” and bulk upload features, Rankin was able to move his existing SOC 2 framework into Hyperproof and complete this process in a fraction of the time. The “Labels” feature played a major role in speeding things up:
“Hyperproof’s ‘labels’ are invaluable! These ‘labels’ function in a similar way to labels in Gmail or tags in other software applications. I can use labels to organize numerous pieces of proof with the correct controls. This feature saves me a lot of time, because it eliminates the need for me to manually attach every piece of proof to every control,” says Rankin.
With Hyperproof serving as a single source of truth for all compliance-related data and tasks, the compliance team no longer needs to rely on email to send proof to their examiner. “For a single audit, sending proof to my examiner and the back-and-forth process usually takes up two full days worth of time. By using Hyperproof, I will be able to eliminate this task completely,” says Rankin.
Ability to review controls on a regular basis and make control evaluations an on-going process
Many of us are already well aware that maintaining strong security requires ongoing vigilance. Even the most well-designed control will fail if the control operator does not execute the control they are supposed to perform, and it is easy for someone to forget one thing when there are a hundred things on their to-do list. As a seasoned IT security and compliance professional, Rankin has personally experienced this challenge. He is optimistic about Hyperproof’s ability to solve this problem through its “Freshness” feature.
“Hyperproof has a concept and feature known as ‘Freshness’. I can set a ‘Freshness’ policy on each control or label within my SOC 2 program, to remind myself and my team to review controls on a cadence and ensure that all controls are appropriately evaluated throughout the year. I am looking forward to using this feature so that no one will forget to do what they are supposed to do, which ultimately makes our entire organization more secure and resilient,” says Rankin.
More time to devote to other strategic projects
At ATS, Rankin and his team members have multi-faceted roles. For instance, Rankin not only leads the compliance team through the annual SOC 2 assessment process, he also advises clients on GDPR, CCPA, NIST compliance and information privacy best practices, and supports the creation of new service offerings firmwide. With Hyperproof, Rankin and his team can reduce the amount of time spent on compliance and redirect that precious time towards engaging with clients.
At this time, Rankin and his team are in the middle of developing new compliance service offerings; they look forward to helping clients build out their compliance programs and manage these programs on an ongoing basis, using Hyperproof as the medium.