Evidence collection and management can consume weeks of work when a compliance team uses manual processes and ad-hoc tools (e.g., email, file storage systems, and spreadsheets) or hasn’t kept meticulous records from previous audits. How do you know what to collect? How do you know when you’ve got everything you need?
At Hyperproof, our goal is to make evidence management easy. To do this, we created a new function called Labels in our compliance operations software.
How to Use Labels to Save Time
Labels in Hyperproof are similar to labels in Gmail or tags in other project management software. Think of them as file folders each containing a list of files, but with some additional bells and whistles that make them work for compliance workflows.
As a rule of thumb, if your auditor is going to ask for a piece of proof at audit time, you should label it to make things easier for you over time. Additionally, you can apply multiple labels to a single piece of proof — for instance, organize your evidence by team, location, etc.
Below, we’ll discuss two examples of how you can use labels to save time.
1. Apply a label to any piece of proof that can be used to validate multiple controls.
What’s useful about labels is that you can link a label to a set of controls once and immediately make all proof associated with that label accessible to the control owners and compliance manager.
For example, “Signed employee agreements” is a typical label. This evidence often applies to several different controls because it covers the employee’s responsibilities around information security, confidentiality of customer data, workplace code of conduct, etc. It’s not uncommon for HR managers to be asked over and over for this same piece of evidence. This repetition leads to “compliance fatigue”: employees get frustrated enough that they just stop responding altogether.
In Hyperproof, whenever a new employee agreement is signed, the individual responsible for maintaining that label (e.g., an HR Manager) can upload a PDF to the label and the file becomes instantly available in all the controls and programs that need it. Here’s an example label linked to three controls across two different compliance frameworks:
Automate reminders to people to review proof on a cadence
In Hyperproof, labels have a freshness feature. An individual can set a freshness policy for each label that will quickly tell every participant in a compliance program whether the evidence is up to date. For example, a compliance manager can set a freshness policy of 30 days on the “Signed Employee Agreement” label. Every time a new employee agreement is uploaded, the HR manager could mark the label as “Fresh”. If no employee agreements have been uploaded for 30 days, the label will expire.
In this example, Hyperproof shows that the “Signed Employee Agreement” label is not fresh – it expired 24 days ago.
This tells control owners and compliance managers that they should check in with the HR manager to find out why they haven’t uploaded any signed employee agreements in the past 30 days. Is it that the company didn’t hire anyone in the past month, or are there some signed employee agreements that our HR manager hasn’t gotten around to uploading?
With Hyperproof, compliance managers no longer need to send emails to their HR manager to ask for up-to-date signed employee agreements. Instead, they can take advantage of the collaboration feature within “Labels” to get the job done faster.
This feature allows users to add the team members that need to participate in a label, such as compliance managers or people from HR. Any label members can view the activity feed to see who uploaded what documents and when, and can @mention people to start a discussion or to ask them to provide evidence.
In this example, we can head into the activity feed and ask our HR manager to upload the latest batch of signed employee agreements from the last 24 days since that label expired. And once she has done the job, we can mark the label as “fresh” again.
As you can see through this example, we’ve used a label to simplify an HR manager’s job. Instead of having to respond to random emails from the compliance team, the HR manager simply has to keep one label “fresh”. Whenever a new employee is hired, she just needs to upload the signed employee agreement to this label. This not only makes the HR manager’s job easier, but also takes repetitive administrative work off the compliance team’s plate.
2. Apply Separate Labels to Evidence Files That Have Different Update Cycles
Another use case for labels is around managing different types of proof needed to validate a single control.
For example, let’s say you need to show 1) a security policy and 2) background checks for all users who have access to production servers to validate a single security control. These two types of evidence need to be updated on different cycles: your employee handbook should be reviewed annually, and the background checks should be updated monthly.
If you just added all the proof to the control directly, the employee handbook might get lost within the continual update of background checks. You can use labels to keep those two groups of files separate.
Labels provide enhanced visibility into work that needs to be done
From the compliance manager’s perspective, labels solve a lot of problems. They can easily see what evidence is needed for a particular control, and whether it is fresh.
Additionally, they have access to all the proof in the labels:
Finally, compliance managers can browse the full list of their labels, filter by person, freshness, etc., and easily see which labels need attention and updating. When everything is fresh, they know they are ready for whatever audit is coming up.
This function provides another tool to help you ensure that at audit time, labels match up with the auditor’s document requests. Hyperproof makes it easy to tie document requests to labels, and then re-use them for audit after audit, making it simple to find the evidence your auditor is asking for. Once you have your labels all set up, audits will be easier for your team to prepare for and carry out.
To learn more about how Hyperproof can help you manage compliance projects more efficiently and effectively, sign up for a personalized demo.
The post How to Use Labels in Hyperproof to Save Time on Audit Preparation appeared first on Hyperproof.
*** This is a Security Bloggers Network syndicated blog from Hyperproof authored by Bob Heddle. Read the original post at: https://hyperproof.io/resource/labels-in-hyperproof/