Proofpoint Regulatory Technology and Compliance Specialist, John Pepe, JD, and Technically Creative CTO, Christopher Amatulli recently held a webinar on the best practices for moving to a new communications monitoring platform in 9 months or sooner. If your team uses a legacy monitoring platform, such as Veritas Compliance Accelerator or CA/Orchestria, here’s a summary of how to have a new system up and running in under the standard 12 to 18 months without gaps in regulatory compliance.
Top Items to Consider
There are a lot of things to consider when moving to a new monitoring platform. Some of the most important include:
- The monitored employees, also known as ‘hierarchy’ or ‘organizational tree’;
- The detection or sampling logic, also known as ‘policies’, ‘lexicons’, ‘rules’, or ‘detection scenarios’;
- Review workflows and procedures for actioning and closing alerts;
- Formerly reviewed message migration which involves the extraction and movement you’re your old monitoring system or archive to your new system;
- Review policy history migration: whom, what, when and comments; and
- Reports for the new system and from the former demonstrating productivity, proof of supervision, and general administration.
Build the Right Team and Plan
The first step is to gather your project team, system requirements, and project plan. Devote at least a month to these activities. Finalizing them will save you time and resources.
The project plan should only focus on the supervision work stream in case the larger project also calls for an archive replacement or the addition of a surveillance module.
The system requirements should focus on migrating the existing detection logic with not more than 20% new detection policy. An overhaul of the detection logic, if desired, can be a phased activity once the new system is ‘live’ and in production.
The final element of the system requirements should include a thorough documentation of current processes, hierarchy, detection rules, and workflows so that they can be mapped in the new monitoring system.
Identify the Right Partner
The second step when moving monitoring platforms is to select a new vendor. If not finalized by the time the project starts, organizations should devote at least a month to this activity. As a short-cut to what can be a lengthy search, choose the two top vendors based on references, industry analysis, and requirements fit and then require both to convert your current detection logic in two weeks or less.
Perform a two week ‘Proof of Concept’ (PoC) using your converted detection logic and evaluate content flagging, system accuracy, and ease of use. Then select the best vendor and use the PoC system as your User Acceptance environment which, in turn, can be promoted to a full Production system.
Generate a Plan to ‘Go Live’
Knowing when you are actually ready to roll-out into production is not easy. So, as general guidance, begin onboarding your smaller groups or divisions when message flagging is less than 5% of the messages archived per day, with no more than 5% of alerts being obvious and fixable false positives, and absolutely no false negatives as compared to your former system--or ‘one-to-one’ match between flagging in both systems.
Here is a graphic illustrating how to go live in nine months:
Source: Technically Creative
What’s Next?
So now that we know what’s involved in a move to a new monitoring platform and we also have some ideas on what the focus should be, what is the next step firms can take?
Begin by scheduling a free compliance assessment with Proofpoint and Technically Creative by contacting us here.
The assessment will include:
- A full review and documentation of the current monitoring system’s detection scenarios, hierarchy, and processes and workflows;
- An analysis of the existing policies, lexicons, and detection logic;
- An estimation of the amount and quality of data to migrate; and
- Sharing of project plan templates, migration plans, and system requirements worksheets.
For firms choosing to upgrade to Proofpoint’s Intelligent Supervision platform, planning and design workshops will be held covering:
- Policy Rules (Risk Detection Scenarios)
- Workflow
- Reporting
- Data Migration