Overview:
Scale the security and compliance automation approach to streamline compliance efforts through automated evidence-collection routines, and identify non-compliance events proactively by increasing the frequency of compliance monitoring.
To enable the continuous compliance monitoring strategy, a rules-engine automation platform is essential for automating evidence collection, assigning tasks automatically, and testing control effectiveness frequently. The three key strategic goals are:
- Continuous Controls Monitoring: Unlike manual testing, which is performed on historical data, automation can perform control testing on near-real-time data, providing ‘live’ feedback and insights to key stakeholders.
- Improved Controls Assurance: Automation allows testing on the entire population rather than a limited sample of data. This increases coverage and removes the sampling risk of failing to identify anomalies that fall outside the sample.
- Increased Operational Efficiency: By increasing the use of automated controls, we can enforce structure, consistency, and accuracy in how controls are executed and evidenced.
The platform uses a microservices-oriented architecture that reduces mutual dependence between essential services and allows each functional service to be treated differently with respect to availability, scalability, and performance. At the core lies the Rules/Policy Engine, which is primarily responsible for large-scale automated rule execution. Its functionality is consumed via web and RESTful API interfaces.
Key Activities:
The following development activities are in progress to fine-tune the critical components and functionalities of this platform:
1. Controls-as-code:
- For certain critical areas within the control domain, particularly those with technical complexity and higher risk profiles, translate the controls into a machine-readable form within the automation framework.
- This involves converting traditional checks into automated scripts that extract data directly from the systems of record without human intervention.
- The standardized data is processed through the rules engine to assess compliance against the desired control requirements.
- The automation team will use this established channel to deploy continuous control monitoring.
2. Enabling a deeper-layer testing approach:
- Rules-engine automation provides scale and allows the security posture to be examined one step deeper, giving more clarity on the risk that may actually exist.
- Example: in a traditional assessment, the check determines whether access was removed within a set number of hours or days after the termination date. A deeper layer of testing examines additional Workday flags, distinguishing between voluntary and involuntary terminations.
- For involuntary terminations, where the inherent risk is higher, additionally flag any logins that occurred after the termination date to gauge the potential for unauthorized access. A login in the window between termination and access removal is the concrete evidence of misuse that the first check alone cannot surface, so the login feed should come from the authentication source (identity provider or system logs) rather than from the HR record.
3. Streamlining compliance using ChatOps:
- Leveraging a chatbot to meet users where they already are, rather than expecting them to learn a new platform, its navigation, and its features.
- The chatbot allows users to run continuous-monitoring tasks from WebEx, Slack, or Teams chat.
- Audit artifacts can be collected at varying frequencies, and self-assessments can be launched and managed.
- Users can also upload information through the chat. In later stages, users will be able to launch actions from the chat via chatbot action events (two-way integration), where applicable.
- For example, in a User Access Review (UAR) scenario, a reviewer could open a ServiceNow ticket requesting a modification to a user's entitlements. Because such actions change access, the bot must map the chat user to a corporate identity and check that identity's authorization for each command before acting on a message; the chat text itself is untrusted input.
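The following is an added example, not code from the original paper or from the platform it describes. It shows the shape of a ChatOps command handler for the two-way integration above: the chat user ID is resolved to a corporate identity, a per-command role check is applied, arguments are validated before they reach downstream systems, and the UAR action only drafts a ServiceNow ticket payload rather than changing access directly. The command names, roles, directory entries, regexes and ticket fields are all assumptions.

```python
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# Role required per command (hypothetical RBAC table).
COMMANDS = {
    "run-control": "compliance-analyst",       # trigger a rules-engine run now
    "collect-artifact": "compliance-analyst",  # pull the evidence for a control
    "uar-modify": "access-reviewer",           # two-way action: opens a change ticket
}

# Chat-platform user ID -> corporate identity (stands in for a directory lookup; constructed).
DIRECTORY = {
    "U123": {"email": "ana@example.com", "roles": {"compliance-analyst"}},
    "U456": {"email": "raj@example.com", "roles": {"compliance-analyst", "access-reviewer"}},
    "U789": {"email": "guest@example.com", "roles": set()},
}

CONTROL_ID = re.compile(r"^[A-Z]{2,5}-\d{2,3}$")       # e.g. IAM-07 (assumed ID format)
PRINCIPAL = re.compile(r"^[a-z][a-z0-9._-]{0,63}$")    # user names and entitlement names


@dataclass
class Reply:
    ok: bool
    text: str                         # what the bot posts back in the channel
    action: Optional[dict] = None     # what it sends downstream, if anything


def handle(chat_user_id: str, message: str) -> Reply:
    """Resolve identity, check authorization, validate arguments, then build the
    downstream request. Nothing is executed on the strength of the message alone."""
    identity = DIRECTORY.get(chat_user_id)
    if identity is None:
        return Reply(False, "unknown chat user; not linked to a corporate identity")

    try:
        parts = shlex.split(message)
    except ValueError:
        return Reply(False, "could not parse command")
    if not parts or parts[0] not in COMMANDS:
        return Reply(False, f"unknown command; available: {', '.join(COMMANDS)}")
    command, args = parts[0], parts[1:]

    # Authorization is per command, not per bot: being allowed to run a check does
    # not imply being allowed to request an entitlement change.
    if COMMANDS[command] not in identity["roles"]:
        return Reply(False, f"{identity['email']} is not authorized to run {command}")

    if command in ("run-control", "collect-artifact"):
        # Strict ID validation keeps arbitrary chat text out of the rules-engine request.
        if len(args) != 1 or not CONTROL_ID.match(args[0]):
            return Reply(False, f"usage: {command} <CONTROL-ID>")
        return Reply(True, f"{command} queued for {args[0]}",
                     {"type": command, "control": args[0], "requested_by": identity["email"]})

    # uar-modify <user> <entitlement> add|remove : the bot does not change access
    # itself; it drafts a ticket so the change goes through the normal approval path.
    if (len(args) != 3 or args[2] not in ("add", "remove")
            or not all(PRINCIPAL.match(a) for a in args[:2])):
        return Reply(False, "usage: uar-modify <user> <entitlement> add|remove")
    ticket = {
        "type": "servicenow_ticket",
        "short_description": f"UAR: {args[2]} entitlement {args[1]} for {args[0]}",
        "requested_by": identity["email"],
        "source": "chatops",
    }
    return Reply(True, "change ticket drafted for approval", ticket)


if __name__ == "__main__":
    for uid, msg in [("U123", "run-control IAM-07"),
                     ("U123", "uar-modify bob db-admin remove"),
                     ("U456", "uar-modify bob db-admin remove"),
                     ("U789", "run-control IAM-07"),
                     ("U123", "run-control 'IAM-07; rm -rf /'")]:
        print(uid, repr(msg), "->", handle(uid, msg))
```

The identity mapping is the step most often skipped in chatbot prototypes: a Slack or Teams user ID is only meaningful once it is tied to the directory identity that the entitlement system recognizes, and the audit trail on the ticket should carry that identity, not the chat handle.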
4. Actionable Metrics:
The following types of metrics are being defined based on the outputs of each automated control:
A) Generic (measured for each control):
i. Compliance rate: the percentage of instances in which a control is followed correctly or works as expected, out of the total number of instances in which it should have applied.
ii. Time to detect/respond: this metric assesses how quickly the control detects or responds to deviations. It measures the time elapsed between an event's occurrence and its detection by the automated control check. This metric will be used to determine the efficacy of the rules-engine platform's output.
B) Control-specific metrics for continuous effectiveness determination:
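The following is an added example, not code from the original paper or from the platform it describes, tying together the controls-as-code item (1), the deeper-layer termination check (2) and the two generic metrics (4A). A machine-readable control definition is evaluated by a small rule function over the full population of constructed termination records and a constructed login feed; the output is then used to compute the compliance rate and the time to detect. The control ID, the 24-hour SLA, the record layouts and all sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Machine-readable control definition (the controls-as-code layer).
# Control ID, SLA and field names are hypothetical.
CONTROL = {
    "id": "IAM-07",
    "name": "Access removed within SLA after termination",
    "sla_hours": 24,
}


@dataclass
class Termination:
    """One HR termination record as extracted from the HR system (constructed)."""
    user: str
    terminated_at: datetime
    involuntary: bool                        # the Workday-style flag the deeper layer keys on
    access_removed_at: Optional[datetime]    # None means access is still active


@dataclass
class Finding:
    user: str
    compliant: bool                  # layer 1: removal within SLA
    hours_open: float                # termination -> removal, or -> this run if still open
    post_termination_logins: list    # layer 2: only populated for involuntary terminations
    severity: str


def evaluate(term: Termination, logins, run_at: datetime, control=CONTROL) -> Finding:
    """Rules-engine evaluation of one record. `logins` is an iterable of (user, timestamp)
    taken from the authentication source, not from the HR record."""
    end = term.access_removed_at or run_at
    hours_open = (end - term.terminated_at) / timedelta(hours=1)
    compliant = term.access_removed_at is not None and hours_open <= control["sla_hours"]

    # Deeper layer: for involuntary terminations, any login after the termination
    # date is direct evidence of access that should not have been available.
    post_logins = []
    if term.involuntary:
        post_logins = sorted(ts for user, ts in logins
                             if user == term.user and ts > term.terminated_at)

    if post_logins:
        severity = "high"
    elif not compliant:
        severity = "medium"
    else:
        severity = "none"
    return Finding(term.user, compliant, round(hours_open, 1), post_logins, severity)


def run_control(terminations, logins, run_at):
    """Full-population run: every record is tested, not a sample."""
    return [evaluate(t, logins, run_at) for t in terminations]


def compliance_rate(findings) -> Optional[float]:
    """Generic metric (i): percent of instances where the control worked as expected."""
    if not findings:
        return None
    return round(100.0 * sum(f.compliant for f in findings) / len(findings), 1)


def time_to_detect_hours(terminations, findings, run_at, control=CONTROL) -> dict:
    """Generic metric (ii): hours between a deviation first existing and the run that
    detected it, per deviating user. The deviation exists from the SLA-breach instant
    or from the first post-termination login, whichever came first."""
    by_user = {t.user: t for t in terminations}
    result = {}
    for f in findings:
        occurred = list(f.post_termination_logins)
        if not f.compliant:
            occurred.append(by_user[f.user].terminated_at + timedelta(hours=control["sla_hours"]))
        if occurred:
            result[f.user] = round((run_at - min(occurred)) / timedelta(hours=1), 1)
    return result


# Constructed sample input: four terminations and a login feed, evaluated at RUN_AT.
RUN_AT = datetime(2024, 3, 5, 9, 0)
TERMINATIONS = [
    Termination("alice", datetime(2024, 3, 1, 9, 0), False, datetime(2024, 3, 1, 17, 0)),
    Termination("bob",   datetime(2024, 3, 2, 9, 0), True,  datetime(2024, 3, 4, 9, 0)),
    Termination("carol", datetime(2024, 3, 3, 9, 0), True,  None),
    Termination("dave",  datetime(2024, 3, 3, 9, 0), False, datetime(2024, 3, 3, 10, 0)),
]
LOGINS = [
    ("alice", datetime(2024, 3, 1, 12, 0)),   # post-termination but voluntary: not escalated
    ("bob",   datetime(2024, 3, 3, 8, 0)),    # post-termination and involuntary: escalated
    ("dave",  datetime(2024, 3, 2, 8, 0)),    # before termination: irrelevant
]

if __name__ == "__main__":
    findings = run_control(TERMINATIONS, LOGINS, RUN_AT)
    for f in findings:
        print(f"{CONTROL['id']} {f.user:6} compliant={f.compliant} "
              f"hours_open={f.hours_open} severity={f.severity}")
    print("compliance rate (%):", compliance_rate(findings))
    print("time to detect (h):", time_to_detect_hours(TERMINATIONS, findings, RUN_AT))
```

Two design points worth noting. Alice and Bob both logged in after their termination date, but only Bob is escalated, because the deeper layer applies the involuntary-termination flag before looking at logins; that is the "one step deeper" distinction the section describes. Time to detect is measured from the moment the deviation came into existence rather than from the termination itself, so shortening the run interval of the rules engine lowers the metric directly, which is what makes it a usable measure of the platform's own effectiveness.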
Conclusion:
This paper has explored the potential of compliance automation to significantly enhance organizational security and compliance posture. By leveraging advanced technologies such as rules engines and machine learning, organizations can achieve continuous monitoring of controls, identify and mitigate risks proactively, and improve overall operational efficiency. This approach empowers organizations to adapt to evolving regulatory landscapes and maintain a high level of compliance assurance. Future research could delve deeper into the specific impact of compliance automation on various industries and regulatory frameworks, as well as the potential challenges and limitations of implementing such solutions.