Project Management for Audits is Now Available to All Tugboat Logic Users
One of the biggest frustrations about staying compliant is “audit fatigue”, meaning companies feel like they are always going through some stage of an audit. Whether it is evidence collection, trying to track down documentation, or timely gap remediation, the worry is the same: missing a deadline and failing your audit. As a result, we are excited to share the launch of two very important features that will remedy “audit fatigue”: the Compliance Calendar and the Readiness Project Calendar. This new functionality is available starting Tuesday, October 20, 2020 for all Tugboat Logic customers.
“At-a-glance” calendar views replace outdated, ad hoc evidence collection
One of the more challenging aspects of getting ready for a security audit is collecting evidence. On average, there are about 70-100 evidence tasks in a SOC 2 audit. Each evidence task has the notion of “collection intervals”, which means you have to collect it multiple times per year in order to adhere to the security standards. Intervals can be weekly, monthly, quarterly, yearly or occurrence-based (ad hoc). As such, 70 evidence tasks quickly grow to hundreds of collection events to manage over the period of a year.
Collecting evidence ad hoc is the old way of doing things, and it creates angst for most people. This is where “audit fatigue” starts creeping in, with a flurry of questions like “What evidence do I need to collect for my audit? Did I miss an interval period that my auditor might sample? How do I spread out this work amongst my staff and across time in order to be ready when my audit begins?”
An executive overview report of your entire InfoSec program
Tugboat Logic reduces this anxiety and prevents “audit fatigue” with the new Compliance Calendar and Readiness Project Calendar.
The Compliance Calendar will visualize the collection status of all the evidence tasks you need to complete for your Audit Readiness Project by interval, so you can see if you are ready for your audit in seconds, at a glance. Zero in quickly on gaps, address them, and feel confident you are ready to show your evidence to the auditor. Think of this calendar as an executive overview report of your entire InfoSec program for the C Suite, auditors and the head of InfoSec to know where things stand at all times.
A project management view of your evidence tasks
The Readiness Project Calendar view is similar to the Compliance Calendar but takes a project management view. The administrator can assign tasks to their staff with different due dates so they can spread out the evidence collection work over a period of time. For example, if you have twenty yearly evidence tasks due on December 31 to be compliant with SOC 2, you can assign different “project management due dates” to these evidence collection tasks to spread them out to five tasks per quarter. This helps ensure you hit your goals, and always know how your project is tracking!
How these calendar views work
How to view my new calendars
Both new calendar views are additional tabs in your Readiness Project Page. Simply go to an existing readiness project, or create a new readiness project, and these two tabs will appear automatically.
How to set an observation period
We have also added a new concept, the “Observation Period”, which sets the period of time these calendars display. Observation period is an auditor's term for the period of time they will sample evidence from, and attest to, during your security audit. You will want to make sure you are prepared prior to the audit evidence review stage by having evidence for the “universe” of time in your observation period.
For existing Readiness Projects, you will be prompted to enter an observation period when you navigate to one of the calendars. When creating a new Readiness Project you can specify the period there. Note: the observation period can be updated at any time, and the period only affects the visualization – your evidence is never deleted by the observation period settings.
How to change a due date
There are now two types of due dates.
- A “compliance due date”, which is defined by the evidence task interval period and mapped to calendar periods (e.g. a yearly task will have a due date of 12/31, and a monthly task will have a due date of the end of the calendar month). The only way you can change this is by changing the interval period of the evidence task. This is the date your auditor will care about, and will sample from, so we always keep track of this for you.
- A “project management due date” which is configurable by you, the customer. This is designed to give you control over when this task is completed by the assignee. It helps our super admins spread work across the period so they avoid missing the ultimate “compliance due date”. To change a date, simply select one or more evidence tasks by clicking on the checkbox next to the item(s), and then choose “Edit Due Date”. Note that end dates for the present interval and all future intervals will be updated for you. In the calendar, Tugboat visualizes the “project management due date” in relation to the end “compliance due date” to make it easier to see both at once.
How to view evidence details
Simply click into any evidence task from the Compliance Calendar or Readiness Project Calendar and you will be able to view the evidence files by interval period (see below).
How to get the new Compliance Calendar and Readiness Project Calendar
These features are available to all customers, and will appear in your instance of Tugboat Logic on October 20, 2020. If you have any questions, please contact [email protected]. We hope this will take the misery and mystery out of evidence management for you! Not yet a Tugboat Logic user? Get your free trial and check out these new features today!