
It usually starts with an email. Your cyber-insurance broker forwards a renewal questionnaire, and somewhere on page two there’s a question like: “Do you enforce multi-factor authentication on all remote access and administrative accounts?” You check the box. Of course you do. Then a bigger client sends a 60-question security assessment before they’ll sign the contract, and now you’re staring at words like “immutable backups” and “documented incident response plan,” wondering whether the honest answer is yes, no, or “I think so.”
Here’s the uncomfortable truth we run into constantly with Houston small businesses: most owners are compliant on paper and exposed in reality. The boxes get checked because checking them is easy. Proving them is the hard part — and proving them is the part that matters when an auditor, an underwriter, or a breach investigator comes asking.
This is a self-audit you can run yourself before your next renewal, client questionnaire, or regulator inquiry. Work through it honestly. If the list feels overwhelming by the end, that’s not a flaw in the checklist. That’s the point.
1. Which Rules Even Apply to You?
Before you can pass an audit, you need to know which audit you’re even taking. Most Houston SMBs are subject to more than one framework and don’t realize it. Answer these quick questions honestly — a single “yes” pulls you into a framework with real teeth.
- Do you create, store, or touch anyone’s health information? Even handling it on behalf of a clinic or insurer can pull you under HIPAA — and that means a signed Business Associate Agreement is mandatory.
- Do you take credit or debit cards — in person, online, or over the phone? Then PCI DSS applies, regardless of how few transactions you run.
- Do you prepare taxes, handle financial data, lend, or broker? The FTC Safeguards Rule now reaches a surprising range of businesses “significantly engaged” in financial activities, including accountants, tax preparers, and many auto and mortgage finance operations.
- Do you sell to the government, a defense contractor, or anyone in the federal supply chain? You’re likely heading toward CMMC and the NIST controls underneath it.
- Do you collect personal data on Texas residents? The Texas Data Privacy and Security Act (TDPSA) applies broadly to businesses operating in Texas — and the small-business carve-out is narrower than people assume.
Notice that almost every Houston business answers “yes” to at least one of these, and many answer yes to three or four. We are not your attorney and we don’t give legal opinions on which laws bind you — that’s a conversation for your lawyer and your insurance carrier. What we can tell you is what actually applying these rules looks like in your network. That’s the territory our compliance service lives in.
2. The Universal Controls Every Framework Expects
Here’s the good news buried in the complexity: the frameworks overlap heavily. HIPAA, PCI, the FTC Safeguards Rule, CMMC, and TDPSA all circle back to roughly the same core security controls. Get these right and you’ve covered most of what any auditor or underwriter will ask. Walk down this list and mark each one honestly — fully in place, partial, or not really.
- MFA everywhere — not just on email. On VPN, remote desktop, admin accounts, your line-of-business apps, and anywhere data lives.
- EDR on every endpoint — modern endpoint detection and response on all workstations and servers, not consumer antivirus on “most” machines.
- Tested, separated backups — backups that are isolated from your live network (so ransomware can’t encrypt them too) and that you have actually restored from in a real test.
- Encryption of devices and data — full-disk encryption on laptops and phones, and encryption for sensitive data in transit and at rest.
- Least-privilege access and unique logins — every person has their own account, nobody shares passwords, and people can only reach what their job requires.
- Logging and monitoring — you are collecting security logs and someone is actually watching them, not just generating data nobody reads.
- Patch management — operating systems and software get updated on a defined schedule, with proof of what was patched and when.
- Security awareness training — recurring, documented training so staff can spot the phishing email that starts most breaches.
- Vendor management and signed agreements — you know which vendors touch your data and you have the right contracts in place, including Business Associate Agreements where HIPAA applies.
- A written information security policy (WISP) — an actual document that says how you protect data, who owns it, and how it’s enforced.
- An incident response plan — a written, current plan for what happens in the first hours of a breach, with names and phone numbers, not a vague intention.
Most of these live in the day-to-day plumbing of your IT environment — the kind of controls that only stay true if someone maintains them. That’s exactly what ongoing managed IT services and proper network security are for. A control you set up once and never touch again quietly drifts out of compliance within months.
3. The Evidence Test
This is where most paper-compliant businesses fall apart, and it’s the single most useful exercise in this whole audit. Go back through every control above and ask one question:
If someone asked me to prove this right now, could I produce dated, credible evidence — today, without scrambling?
Compliance you can’t evidence doesn’t count. Underwriters are increasingly denying claims when the security controls a business attested to turn out not to have been in place at the time of the breach. “We meant to” is not a defense. Run this evidence checklist:
- MFA — Can you pull a report showing MFA is enforced across all users and admin accounts, with the holdouts named?
- EDR — Can you show a console listing every endpoint, its protection status, and recent detections?
- Backups — Can you produce a dated successful test-restore log, not just “the backup ran”?
- Encryption — Can you show which devices are encrypted and confirm none are slipping through?
- Access control — Can you produce a current list of who has access to what, and evidence that departed employees were removed?
- Logging — Can you show logs are being collected and reviewed, with retention that meets your framework’s requirement?
- Patching — Can you produce a patch report showing what was updated and when across your fleet?
- Training — Can you show completion records with names and dates for the most recent cycle?
- Vendors and agreements — Can you put your hands on the signed BAAs and vendor contracts without a week of searching?
- Policies and IR plan — Are your WISP and incident response plan dated, reviewed within the last year, and acknowledged by staff?
If you answered “no” or “I’d have to dig” to more than a couple of these, your real exposure is bigger than your paperwork suggests. The evidence is the compliance.
4. Red Flags Your Compliance Is Theater
After fifteen years doing this in Houston, we’ve learned to spot “compliance theater” fast. Here’s what we see again and again. If any of these sound familiar, treat it as a warning light, not a passing grade.
- A template policy nobody follows. A WISP downloaded off the internet, filled with another company’s practices, that no employee has ever read. It checks the “we have a policy” box and protects nothing.
- A risk assessment with dust on it. If your last risk assessment was done years ago — or during setup and never again — it no longer describes the business you actually run today.
- Backups that have never been test-restored. Plenty of businesses discover their backups were silently failing, or that they couldn’t actually restore, on the worst possible day. A backup you’ve never restored from is a hope, not a control.
- MFA “on the important stuff.” Attackers go after the account you forgot, not the one you protected. Partial MFA is the gap that gets exploited — and the gap that voids claims.
- No real logging. If a breach happened last month, would you even know? No logs means no detection, no investigation, and no way to prove what did and didn’t get touched.
- No incident response plan — or one nobody could find at 2 a.m. A plan that lives only in someone’s head is not a plan. The middle of a ransomware event is the wrong time to start improvising.
If This List Feels Like a Lot — It Is
That’s the honest takeaway. Running every one of these controls, keeping the evidence current, and refreshing the documentation before each renewal is genuinely more than most owners can carry on top of running the business. It isn’t a weekend project; it’s an ongoing discipline. Compliance drifts the moment nobody is tending it.
This is precisely the work our compliance service exists to do: we put the technical controls in place, generate and maintain the evidence, keep the policies and incident response plan current, and make sure the day-to-day controls actually stay true through ongoing managed IT services. When the questionnaire, the underwriter, or the auditor shows up, you have real answers and real proof — not a checked box you’re quietly hoping nobody tests.
We’re not your attorney or your auditor, and we won’t pretend to be — talk to your lawyer, carrier, or assessor about which rules bind you. What we do is make compliance real. If your next renewal is coming and this list left you uneasy, book a free 15-minute discovery call at /discoverycall/ and we’ll talk through where you stand. To be clear: the discovery call is the only free thing — the actual work is professional, paid engagement, billed at our published rates. Start with the call, then see the full scope on our compliance page.
Aspendora Technologies provides cybersecurity, managed IT, and expert on-premise & open-source solutions to Houston-area small businesses since 2010.
