Continuous compliance requires continuous monitoring and validation of controls in the environment, as well as integration with governance, risk management and compliance (GRC) tools and platforms. A variety of stakeholders will need to be involved in
these projects, and most enterprise organizations prefer to “buy” versus “build” a central platform to help in accomplishing this goal. This piece explains the processes, tools, stakeholders and focus required for a best practice
continuous compliance program.
Common Tools for Continuous Compliance
In addition to a traditional best practices list of controls to meet compliance initiatives in the categories of network security, identity management, data security, vulnerability management and so on, continuous compliance requires an overlay of continuous
controls monitoring to ensure any changes/drift to controls are detected and remediated so compliance posture is maintained.
Continuous controls monitoring (CCM) is an integrated, technology-enabled set of processes and techniques designed to help an organization:
- Automate the ongoing monitoring of the control environment.
- Identify control exceptions continuously (daily, weekly, monthly) based on pre-defined business rules.
- Monitor, track and report the effectiveness of controls.
- Identify root causes and improve related processes more quickly.
- Reduce the cost of controls.
A continuous compliance program is desirable, but it requires a significant investment to build automated processes, develop dashboards and key performance indicators (KPIs), and ensure stakeholders are committed to controls and security posture in diverse
areas across the organization. In most cases, in addition to the existing controls mentioned earlier, continuous compliance is achieved with:
- GRC platforms for controls mapping across different regulations: A GRC platform such as RSA Archer should be more than adequate for this. It is a platform many enterprises use to document controls and map frameworks and requirements together.
- Scanning services or platforms: While most vulnerability scanners are traditionally configured to assess systems for vulnerabilities, most leading solutions can now also report on a variety of system/device/application configuration elements and assist
with asset discovery.
- Discovery/configuration management platforms, including a configuration management database (CMDB): Asset discovery and CMDBs are pivotal elements in a continuous controls monitoring design for continuous compliance.
- Dedicated continuous compliance platforms: Dedicated continuous compliance tools are worth considering because each includes some elements of the previous three solutions (and often integrates with existing tools), and they also provide the process workflow engines, dashboards, metrics and KPIs organizations need to establish and maintain these programs.
Examples of dedicated continuous compliance tools include:
- ControlCase Continuous Compliance
- Chef InSpec
- SecurityScorecard
- AuditBoard CrossComply
- LogicGate
Continuous Compliance Program Stakeholders
A continuous controls monitoring program requires investment from stakeholders, but not necessarily equal investment across the organization. Figure 1 highlights some of the stakeholders that should be involved in this type of program, and their overall
alignment in terms of risk and value.
Figure 1: Continuous Controls Monitoring Requires Focus from Key Stakeholders

Focus area | CIO | Chief Risk Officer/Chief Compliance Officer | Chief Financial Officer/Controller | Internal Audit Director | Business Process Owners

Risk focus
Enterprise risk management | IT risk | Business risk | Financial risk | Control risk | Business process risk
Regulatory compliance | Compliance with IT standards | Overall compliance | Sarbanes-Oxley (SOX)/financial statement | Overall compliance | Impact on my business process
Audit/compliance scope | IT controls | Efficiency and effectiveness | External audit/external auditor reliance | Internal audit | Impact on my business process
Controls monitoring | Controls dashboard | Compliance dashboard | Compliance and controls dashboard | Compliance and controls dashboard | Compliance dashboard

Value focus
Process and control effectiveness | IT controls | Risk management controls | Financial statement controls | Overall controls effectiveness | Business process controls
Cost of compliance (e.g., SOX 404) | Manual vs. automated controls | Regulatory compliance | Assurance and coverage levels | Assurance and coverage levels | Impact on my business process
Business case/return on investment (ROI) | IT investment | Overall investment/redeploying resources | Overall investment | Redeploying resources | Operational impact
Business performance monitoring/decision support | Controls dashboard | Compliance dashboard | Compliance and controls dashboard | Compliance and controls dashboard | Compliance dashboard

Key (cell shading in the original figure, not reproduced here): Primary Focus / Secondary Focus / Affected Stakeholder
Source: IANS, 2021
Continuous Compliance and Controls Architecture
Functional design of a continuous compliance and controls monitoring program requires that organizations put some work up front into the governance of controls analysis tools. This means they must:
- Determine ownership of controls analysis rules, including their design, maintenance and access.
- Determine how best to structure analysis rules, based on your business objectives.
- Determine the degree of analysis rule standardization required across the enterprise. Some organizations require more standardization than others.
- Determine how to manage analysis rules across multiple CCM instances (if applicable).
Continuous Compliance Challenges
Organizations face a number of known challenges when implementing continuous compliance controls and solutions. Two of the most common are:
- Data acquisition. It’s critical to start planning for data acquisition and management up front by:
  - Identifying systems to be queried for controls data.
  - Determining how to populate non-automated data into tools and dashboards.
- Governance. This can be another sticking point if not organized and coordinated early. It’s important to:
  - Start early: Involve business units, as well as internal and external auditors, early in the process as needed.
  - Tune up the monitoring: For any exceptions that exist, be sure to adjust the thresholds in the controls monitoring solution.
  - Build an efficient exceptions process: Limit exceptions being routed to stakeholders and maintain a consistent process for exception response handling.
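The CCM loop described under "Common Tools for Continuous Compliance" (rule-based exception detection and effectiveness reporting) and the two governance points above (tunable thresholds, limiting what is routed to stakeholders) can be seen together in a small monitoring cycle. The following is an added illustration written for this article, not code from IANS or from any of the products named above; the asset snapshot, control identifiers (CTL-ENC-01 and so on), owners and the risk acceptance entry are all constructed, and the patch SLA is a hypothetical threshold.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed snapshot of asset configuration, the kind of data a CMDB or a
# configuration-reporting scanner export would feed into a CCM tool
# (all values invented for this example).
ASSETS = [
    {"id": "web-01", "owner": "app-team",  "disk_encrypted": True,
     "mfa_enforced": True,  "days_since_patch": 12, "open_admin_ports": []},
    {"id": "web-02", "owner": "app-team",  "disk_encrypted": False,
     "mfa_enforced": True,  "days_since_patch": 45, "open_admin_ports": [22]},
    {"id": "db-01",  "owner": "data-team", "disk_encrypted": True,
     "mfa_enforced": False, "days_since_patch": 3,  "open_admin_ports": [3389]},
]


@dataclass(frozen=True)
class ControlRule:
    control_id: str                  # hypothetical key mapping the control in a GRC platform
    description: str
    check: Callable[[dict], bool]    # returns True when the asset satisfies the control


@dataclass(frozen=True)
class ControlException:
    control_id: str
    asset_id: str
    owner: str
    detail: str


def build_rules(patch_sla_days: int = 30) -> list[ControlRule]:
    """Pre-defined business rules. patch_sla_days is the tunable threshold."""
    return [
        ControlRule("CTL-ENC-01", "Data at rest is encrypted",
                    lambda a: a["disk_encrypted"]),
        ControlRule("CTL-IAM-02", "MFA enforced for interactive access",
                    lambda a: a["mfa_enforced"]),
        ControlRule("CTL-VM-03", f"Patched within {patch_sla_days} days",
                    lambda a: a["days_since_patch"] <= patch_sla_days),
        ControlRule("CTL-NET-04", "No administrative ports exposed",
                    lambda a: not a["open_admin_ports"]),
    ]


def evaluate(assets: list[dict], rules: list[ControlRule]) -> list[ControlException]:
    """One monitoring cycle: run every rule against every asset, collect exceptions."""
    exceptions = []
    for asset in assets:
        for rule in rules:
            if not rule.check(asset):
                exceptions.append(ControlException(
                    rule.control_id, asset["id"], asset["owner"], rule.description))
    return exceptions


def effectiveness(assets, rules, exceptions) -> dict[str, float]:
    """KPI per control: fraction of assets passing (1.0 means no drift detected)."""
    failed: dict[str, int] = {}
    for e in exceptions:
        failed[e.control_id] = failed.get(e.control_id, 0) + 1
    return {r.control_id: 1 - failed.get(r.control_id, 0) / len(assets) for r in rules}


def route_exceptions(exceptions, accepted=frozenset()) -> dict[str, list[ControlException]]:
    """Group exceptions by owning stakeholder, dropping (control, asset) pairs that
    already have a documented risk acceptance so owners only see actionable items."""
    routed: dict[str, list[ControlException]] = {}
    for e in exceptions:
        if (e.control_id, e.asset_id) in accepted:
            continue
        routed.setdefault(e.owner, []).append(e)
    return routed


if __name__ == "__main__":
    rules = build_rules(patch_sla_days=30)
    found = evaluate(ASSETS, rules)
    for control_id, rate in effectiveness(ASSETS, rules, found).items():
        print(f"{control_id}: {rate:.0%} of assets compliant")
    accepted = frozenset({("CTL-NET-04", "db-01")})   # constructed risk acceptance
    for owner, items in route_exceptions(found, accepted).items():
        print(owner, [(i.control_id, i.asset_id) for i in items])
```

Rerunning `build_rules` with a different `patch_sla_days` is the "tune up the monitoring" step: the same snapshot yields fewer exceptions under a 60-day SLA, and the effectiveness KPI for CTL-VM-03 moves accordingly, which is exactly the kind of threshold change that should be recorded with the control's owner in the GRC platform.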
Continuous Controls Guidance
A continuous controls monitoring model will greatly facilitate a continuous compliance program that works in alignment with existing regulation mapping and GRC tools. While some organizations choose to build this themselves, depending on your organization’s
needs and available resources, acquiring an on-premises or cloud-based solution that includes data ingestion, monitoring and reporting/metrics may be a viable option.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.