Corporate Compliance Insights
Automating Multiple Compliance Frameworks: Is It Too Complex?

Why Implementing Automation is More Manageable Than It Seems

by Adam Salerno
June 28, 2019
in Compliance, Featured

Coalfire’s Adam Salerno discusses the process, effort and rewards of designing and implementing an automated compliance environment, as well as what organizations can do to automate security controls to meet specific compliance framework requirements.

Enterprises serving multiple highly regulated industries – and those overperformers wishing to demonstrate “above and beyond” security postures – can juggle 15 or more compliance frameworks. Many are dipping their toes in some level of security automation and others are diving right in, but few have taken the step of orchestrating automation throughout a coordinated compliance program. Perhaps this appears to be a complex undertaking — and in fairness, initially, it is. Each framework has a different set of environmental focuses, control parameters and requirements, so finding efficiencies means taking the time up front to fully understand each framework and the enterprise infrastructure and then architecting the optimal set of controls, automation approaches and tools to achieve the most efficient path forward. But is it worth the effort?

In many ways, enterprises must ask themselves, “can we afford not to?” Compliance frameworks are not going away. On the contrary, recent trends show an increase as more global and state-level privacy regulations (a topic that continually heats up and will not go away anytime soon) and IoT, AI and other industries join the regulations fray. Today, penalties can vary from an inconvenience to a loss of market access, heavy fines and jail time for responsible parties. Generally, the more frameworks one adds, the more dire the consequences of not complying.

With the perennial cyber skills gap, enterprises should look to technology and better process to remove redundancies, manual work and unnecessary costs – all while improving both security and continual compliance – to meet current and future regulatory demands.

So how can technology help us achieve this? There are many powerful software suites that help with scanning environments for “current state” posture, tools that constrain technical configurations (e.g., configuration management and Group Policy Objects) and monitoring solutions that can provide visibility and response (e.g., SIEM and serverless functions). We can do so much when combining these building blocks into a cohesive solution; but the question remains, how do we begin?

When undertaking a build of a multi-regulatory environment, we must first understand the challenges and ultimate target. If the compliance team introduces a new regulation halfway into a build, it has a cascading effect on architectural decisions and individual tool configurations and sometimes calls into question whether a tool is even viable. So, the first step is deciding if the design must meet two, four or 10+ regulations.

Then, we must review the controls of these various regulations to determine which controls are technical and which are best handled by processes and procedures. Set the latter aside for now.

Once we have a better understanding of the controls environment we need to support through our build, we are in a better position to choose the building blocks. Understanding the underlying bare metal, hypervisors and public or private clouds is important to get a feel for the APIs that can be used to automate our system and make our lives easier. It’s beneficial to choose a base that has mature APIs that are actively supported.

Rising up the stack, we then look toward operating systems and software suites. These will eventually work hand in hand with security tools to handle compliance. For example, if I choose an antivirus product that doesn’t support heuristics monitoring on the key operating system I’m running, that negates the aim of my endpoint protection goals.

Layer on Security Tools: They Will Help Hold Everything in Check

Once all the tools are chosen and implemented to meet those compliance targets, we’re left with five or more different security vendor toolsets to manage. Many can be architected in a highly available configuration and are stable on the vendor-recommended operating system; free versions often neglect this feature. It’s not prudent to try to generate reports from each tool individually, so we should gather them in one place.

Monitoring Tools Will Allow for Quick Notification and Response

We can feed our logging solutions with all the necessary data to start to paint a live picture of our asset health. Syslog data from network devices, multifactor login successes and all other security posture data can be analyzed and displayed.

Automation at Work

Automation gets fun in a couple of ways: first, we can use our aptly chosen toolsets to auto-heal our environment. SIEM tools have tie-ins with orchestration suites that can reconfigure environments on the fly. Serverless functions, such as AWS Lambda, which can trigger off of many API-driven events to take actions or call custom scripts, are common in public clouds. These can then be displayed on a dashboard for your SOC team to consume in (near) real time.

Compliance Gets Easier

Now that we have our environment built and many tools in place to keep things running smoothly, we can focus on reducing our audit fatigue. Here are a few examples of how automation helps us:

Auditors will ask how changes to the environment are tracked; we can point to our infrastructure as code (Terraform, CloudFormation, etc.) to show them our source code repository for the running environment.

We can also show how configuration management tools are holding our servers in compliance with benchmarks via SIEM dashboards that are ingesting logs. I’ve seen clever dashboarding that even displays that data by a NIST control family to simplify even further for auditors.
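An added illustration of the auto-heal and control-family dashboarding ideas described above; this is not Coalfire's code or any real SIEM or orchestration integration. A handler in the shape of a serverless function receives a constructed event of server configuration snapshots, compares each against a benchmark, tags every drift with a NIST SP 800-53 control family and returns the remediation an orchestration tool would apply. The benchmark settings, the family assignments and the event format are all assumptions.

```python
"""Added illustration of event-driven compliance auto-healing; not Coalfire's code."""
from collections import defaultdict

# Benchmark: setting -> (approved value, NIST SP 800-53 control family).
# Settings and family assignments are assumptions made for this illustration.
BENCHMARK = {
    "ssh_root_login": ("no", "AC"),        # Access Control
    "audit_logging": ("enabled", "AU"),    # Audit and Accountability
    "mfa_required": ("yes", "IA"),         # Identification and Authentication
    "tls_min_version": ("1.2", "SC"),      # System and Communications Protection
    "antivirus_heuristics": ("on", "SI"),  # System and Information Integrity
}

def evaluate(snapshot):
    """Compare one host's configuration snapshot with the benchmark.
    A setting the host did not report counts as drift, never as compliant."""
    findings = []
    config = snapshot.get("config", {})
    for setting, (approved, family) in BENCHMARK.items():
        actual = config.get(setting)
        if actual != approved:
            findings.append({"host": snapshot["host"], "setting": setting,
                             "actual": actual, "family": family,
                             "action": f"set {setting}={approved}"})
    return findings

def handler(event, context=None):
    """Serverless-style entry point: snapshots in the event fan out to findings
    grouped by control family (dashboard view) and to per-host remediation
    actions that an orchestration tool would apply."""
    by_family, remediations = defaultdict(list), defaultdict(list)
    for snapshot in event["snapshots"]:
        for finding in evaluate(snapshot):
            by_family[finding["family"]].append(finding)
            remediations[finding["host"]].append(finding["action"])
    return {"findings_by_family": dict(by_family),
            "remediations": dict(remediations),
            "total_findings": sum(len(v) for v in by_family.values())}

# Constructed sample event: web-01 drifts on SSH and TLS; db-01 fails to
# report audit logging at all.
SAMPLE_EVENT = {"snapshots": [
    {"host": "web-01", "config": {"ssh_root_login": "yes", "audit_logging": "enabled",
     "mfa_required": "yes", "tls_min_version": "1.0", "antivirus_heuristics": "on"}},
    {"host": "db-01", "config": {"ssh_root_login": "no", "mfa_required": "yes",
     "tls_min_version": "1.2", "antivirus_heuristics": "on"}},
]}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT))
```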

As I stated earlier, automation helps us with the technical controls. I haven’t addressed policies and procedures, which still must be written to ensure your staff is following the letter of the regulation. These policies are often custom, based on potential overlap in policy or procedural requirements. We can consider ways technology may still help with the use of an ERP workflow that aligns with those developed procedures.

Overall, building and sustaining an environment that meets several laws, regulations or standards is not a simple task and often requires several staff to complete an audit lifecycle, yet you don’t need to do it all yourself. There are professional service provider firms that can help from the assessment through deployment. The long-term payoff is significant once you consider how much of this work may currently be conducted manually, redundantly and inefficiently. Technology can help us address many of the heavier lifts associated with compliance, and since regulations will only become more burdensome, it may well be time for many organizations to consider removing much of the manual lift.


Adam Salerno

Adam Salerno is Senior Director of Cyber Engineering practices at Coalfire, where he leads technically complex projects and professional staff for the Security Architecture team. He currently focuses on cloud security, network architecture and IT compliance strategy. He has experience in hypervisors, storage and mobile/wireless defense-in-depth solutions. Adam has 15 years of information technology experience. Adam joined Coalfire in 2009 and brings significant cyber experience in both commercial and public-sector enterprises. An experienced technical leader, Adam is adept at advising both technical engineers and C-level executives. He holds a Bachelor of Science degree in Electrical Engineering from Pennsylvania State.

© 2019 Corporate Compliance Insights