
Automating Multiple Compliance Frameworks: Is It Too Complex?

Why Implementing Automation is More Manageable Than It Seems

by Adam Salerno
June 28, 2019
in Compliance, Featured

Coalfire’s Adam Salerno discusses the process, effort and rewards of designing and implementing an automated compliance environment, as well as what organizations can do to automate security controls to meet specific compliance framework requirements.

Enterprises serving multiple highly regulated industries – and those overperformers wishing to demonstrate an “above and beyond” security posture – can juggle 15 or more compliance frameworks. Many are dipping their toes in some level of security automation and others are diving right in, but few have taken the step of orchestrating automation throughout a coordinated compliance program. Perhaps this appears to be a complex undertaking — and in fairness, initially, it is. Each framework has a different set of environmental focuses, control parameters and requirements, so finding efficiencies means taking the time up front to fully understand each framework and the enterprise infrastructure, then architecting the optimal set of controls, automation approaches and tools to achieve the most efficient path forward. But is it worth the effort?

In many ways, enterprises must ask themselves, “can we afford not to?” Compliance frameworks are not going away. On the contrary, recent trends show an increase as more global and state-level privacy regulations (a topic that continually heats up and will not go away anytime soon) and the IoT, AI and other industries join the regulatory fray. Today, penalties can vary from an inconvenience to a loss of market access, heavy fines and jail time for responsible parties. Generally, the more frameworks one adds, the more dire the consequences of not complying.

With the perennial cyber skills gap, enterprises should look to technology and better process to remove redundancies, manual work and unnecessary costs – all while improving both security and continual compliance – to meet current and future regulatory demands.

So how can technology help us achieve this? There are many powerful software suites that help with scanning environments for “current state” posture, tools that constrain technical configurations (e.g., configuration management and Group Policy Objects) and monitoring solutions that can provide visibility and response (e.g., SIEM and serverless functions). We can do so much when combining these building blocks into a cohesive solution; but the question remains, how do we begin?

When undertaking a build of a multi-regulatory environment, we must first understand the challenges and ultimate target. If the compliance team introduces a new regulation halfway into a build, it has a cascading effect on architectural decisions and individual tool configurations and sometimes calls into question whether a tool is even viable. So, the first step is deciding if the design must meet two, four or 10+ regulations.

Then, we must review the controls of these various regulations to determine which controls are technical and which are best handled by processes and procedures. Set the latter aside for now.

Once we have a better understanding of the controls environment we need to support through our build, we are in a better position to choose the building blocks. Understanding the underlying bare metal, hypervisors and public or private clouds is important to get a feel for the APIs that can be used to automate our system and make our lives easier. It’s beneficial to choose a base that has mature APIs that are actively supported.

Rising up the stack, we then look toward operating systems and software suites. These will eventually work hand in hand with security tools to handle compliance. For example, if I choose an antivirus product that doesn’t support heuristics monitoring on the key operating system I’m running, that negates the aim of my endpoint protection goals.

Layer on Security Tools: They Will Help Hold Everything in Check

Once all the tools are chosen and implemented to meet those compliance targets, we’re left with five or more different security vendor toolsets to manage. Many can be architected in a highly available configuration and are stable on the vendor-recommended operating system; free versions often neglect this feature. It’s not prudent to try to generate reports from each tool individually, so we should gather them in one place.

Monitoring Tools Will Allow for Quick Notification and Response

We can feed our logging solutions with all the necessary data to start to paint a live picture of our asset health. Syslog data from network devices, multifactor login successes and all other security posture data can be analyzed and displayed.

Automation at Work

Automation gets fun in a couple of ways. First, we can use our aptly chosen toolsets to auto-heal our environment: SIEM tools have tie-ins with orchestration suites that can reconfigure environments on the fly, and serverless functions such as AWS Lambda, which can trigger on many API-driven events to take actions or call custom scripts, are common in public clouds. Second, those events and the actions taken on them can be displayed on a dashboard for your SOC team to consume in (near) real time.

Compliance Gets Easier

Now that we have our environment built and many tools in place to keep things running smoothly, we can focus on reducing our audit fatigue. Here are a few examples of how automation helps us:

Auditors will ask how changes to the environment are tracked; we can point to our infrastructure as code (Terraform, CloudFormation, etc.) to show them our source code repository for the running environment.

We can also show how configuration management tools are holding our servers in compliance with benchmarks via SIEM dashboards that are ingesting logs. I’ve seen clever dashboarding that even displays that data by a NIST control family to simplify even further for auditors.
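The control review described earlier (sorting each framework's technical controls into one unified set) and the NIST-family dashboard just mentioned can share one data model. The following is an added example, not code from the article or from Coalfire: it maps constructed configuration-management check results onto NIST SP 800-53 control families and onto placeholder framework clause identifiers (FW-A, FW-B, FW-C are assumed, not real frameworks), then rolls them up per family and per framework the way a SIEM dashboard would, and lists each failed check with every framework requirement it affects.

```python
import re
from collections import defaultdict

# Constructed unified control catalogue (placeholder framework clause ids): each
# technical check rolls up to one NIST SP 800-53 family and satisfies several frameworks.
CONTROL_MAP = {
    "ssh_root_login_disabled": {"family": "AC", "frameworks": {"FW-A:1.2", "FW-B:7"}},
    "audit_daemon_running":    {"family": "AU", "frameworks": {"FW-A:10.1", "FW-B:12", "FW-C:4"}},
    "disk_encryption_enabled": {"family": "SC", "frameworks": {"FW-B:3", "FW-C:9"}},
    "patch_age_under_30d":     {"family": "SI", "frameworks": {"FW-A:6.2", "FW-C:11"}},
}

# Constructed configuration-management check results as a SIEM would ingest them.
SAMPLE_LOG = """\
2019-06-28T10:00:01Z host=web01 check=ssh_root_login_disabled result=pass
2019-06-28T10:00:01Z host=web01 check=audit_daemon_running result=pass
2019-06-28T10:00:02Z host=web01 check=disk_encryption_enabled result=fail
2019-06-28T10:00:02Z host=web01 check=patch_age_under_30d result=pass
2019-06-28T10:00:03Z host=db01 check=ssh_root_login_disabled result=fail
2019-06-28T10:00:03Z host=db01 check=audit_daemon_running result=pass
2019-06-28T10:00:05Z host=db01 check=unknown_probe result=pass
"""

LINE_RE = re.compile(r"host=(\S+) check=(\S+) result=(pass|fail)")

def parse_results(text):
    """Return {(host, check): passed}; checks missing from the catalogue are dropped."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group(2) in CONTROL_MAP:  # an unmapped check credits no framework
            host, check, verdict = m.groups()
            results[(host, check)] = verdict == "pass"
    return results
def rollup(results):
    """Aggregate [passed, total] per NIST family and per framework."""
    by_family, by_framework = defaultdict(lambda: [0, 0]), defaultdict(lambda: [0, 0])
    for (_, check), ok in results.items():
        meta = CONTROL_MAP[check]
        by_family[meta["family"]][0] += ok
        by_family[meta["family"]][1] += 1
        for req in meta["frameworks"]:
            by_framework[req.split(":")[0]][0] += ok
            by_framework[req.split(":")[0]][1] += 1
    return dict(by_family), dict(by_framework)
def failing_controls(results):
    """(host, check, affected clauses) per failed check, for the auditor's findings list."""
    return sorted((h, c, sorted(CONTROL_MAP[c]["frameworks"]))
                  for (h, c), ok in results.items() if not ok)
```

With this mapping in place, adding a framework to the build means extending the catalogue rather than adding new checks, which is the efficiency the article argues for.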

As I stated earlier, automation helps us with the technical controls. I haven’t addressed policies and procedures, which still must be written to ensure your staff is following the letter of the regulation. These policies are often custom, based on potential overlap in policy or procedural requirements. We can consider ways technology may still help with the use of an ERP workflow that aligns with those developed procedures.

Overall, building and sustaining an environment that meets several laws, regulations or standards is not a simple task and often requires several staff to complete an audit lifecycle, yet you don’t need to do it all yourself. There are professional service provider firms that can help from the assessment through deployment. The long-term payoff is significant once you consider how much of this work may currently be conducted manually, redundantly and inefficiently. Technology can help us address many of the heavier lifts associated with compliance, and since regulations will only become more burdensome, it may well be time for many organizations to consider removing much of the manual lift.

Adam Salerno is Senior Director of Cyber Engineering practices at Coalfire, where he leads technically complex projects and professional staff for the Security Architecture team. He currently focuses on cloud security, network architecture and IT compliance strategy. He has experience in hypervisors, storage and mobile/wireless defense-in-depth solutions. Adam has 15 years of information technology experience. Adam joined Coalfire in 2009 and brings significant cyber experience in both commercial and public-sector enterprises. An experienced technical leader, Adam is adept at advising both technical engineers and C-level executives. He holds a Bachelor of Science degree in Electrical Engineering from Pennsylvania State.