TruComply: Easy-to-use, affordable GRC
Business Objectives Met by TruComply
TruComply Software-as-a-Service Description
Given ever growing regulatory burdens and more complex business and IT environments, organizations need a common technology platform for managing compliance, risk, and governance activities to eliminate duplication of effort, facilitate collaboration and communication, provide enterprise-wide visibility into risks, and ensure optimal resource allocation based on strategic business priorities.
TruComply is an easy-to-use IT governance, risk and compliance application which can be fully implemented within a few weeks. Clients can use TruComply to manage compliance and risk in their internal environment and in their extended vendor supply chain.
TruComply is generally used to meet six business objectives:
Identify and track regulations and internal standards that apply to your organization
While there is no authoritative, comprehensive source, organizations should start with the best available. For security and privacy-related regulations, the best is undoubtedly the Unified Compliance Framework (UCF). The UCF covers nearly 500 global regulations, giving organizations a great starting point for identifying the regulations with which they must comply.
TruComply provides access to the UCF and its reference links to applicable standards, all organized topically, greatly facilitating research efforts.
Create an organizational control framework from these regulations and standards and apply it to organizational entities, business processes and assets
Once an organization has identified the regulations it must comply with, it must then translate these regulations into a meaningful set of requirements for the organization. Since regulations and the organization’s business and IT environment change, the organization must review and update these requirements from time-to-time.
TruComply simplifies this process significantly. Once an organization has identified which regulations impact the business, a user can translate this understanding into a harmonized control framework in minutes. Further, clients receive updates on a quarterly basis, eliminating the need to track regulatory changes and update internally developed controls.
Finally, TruComply provides a flexible entity, business process, and asset structure, allowing organizations to specify what elements of their environment must meet particular requirements.
Develop, document, and communicate appropriate policies, procedures, and standards which are in alignment with the organizational control framework (provided in TruAware module)
The organization’s management team must provide clear guidance as to what is acceptable and unacceptable. This guidance must be translated into effective policy, procedure, and standard documentation and effectively communicated to the rest of the organization. Finally, it is a best practice and is required by some regulations (e.g. PCI DSS 1.2) to have employees formally acknowledge the policies, procedures, and standards relevant to their role in the organization.
TruComply’s TruAware module, combines policy lifecycle management with eLearning, allowing organizations to:
Perform assessments/audits to identify control deficiencies
Most organizations have siloed compliance efforts where compliance with each regulation is assessed and managed independently. Further, without the proper tools, organizations typically only focus on a small subset of their compliance requirements because assessing a new regulation means spinning up a new team who must start from scratch.
TruComply makes it easy to cost-effectively scale compliance efforts. For example, using TruComply, an organization can go from managing PCI DSS compliance to managing compliance against PCI plus 76 state privacy and breach notification laws with a few mouse clicks. In this case, a 7,700% increase in regulatory coverage only results in a 60% increase in the number of controls which must be assessed.
Prioritize deficiencies based on a consistent risk methodology
Most organizations have more control deficiencies than they do budget. Since perfection is out of reach in the short run, the organization must prioritize deficiencies. Ideally, this prioritization should be done based on a consistent risk methodology, ensuring that control deficiencies on critical assets are addressed before those impacting less important assets, that control deficiencies related to risks which are likely to occur and high impact are dealt with prior to those that are rarely experienced, and so on.
ANX has extended the UCF with over 200,000 proprietary data elements to empower a sophisticated risk management methodology. The result is a powerful out-of-the-box risk management capability that allows the organization to quickly identify which control deficiencies represent the greatest threat to the organization and prioritize them for remediation.
Manage remediation activity and chart progress towards organizational objectives
One common failing of IT Governance, Risk, and Compliance programs is turning assessment results into action. From a liability perspective, the only thing worse than having a serious vulnerability is having knowledge of the vulnerability and not remediating it within a reasonable period of time.
TruComply provides organizations with an excellent starting point for planning activity. ANX has developed default remediation tasks, with budget estimates, for all 2,700 controls in the UCF. As a result, clients can quickly review these estimates, adjust them as required, and then proceed to prioritization and scheduling, all supported within TruComply.