Top 5 capabilities GRC needs in a Continuous Controls Monitoring tool
April 09, 2020
In this blog, we want to take a look at how Continuous Controls Monitoring (CCM) can support Governance, Risk and Compliance (GRC) teams. There are certain capabilities that a CCM tool for GRC needs to have in order to work optimally.
To address regulatory requirements, Governance, Risk and Compliance teams today find themselves gathering and manually analysing large amounts of detailed, quantitative data about their assets and the state of the controls on them. Yet many GRC teams still cannot meet regulators’ demands in a timely fashion.
Although most companies are awash in technical security controls, such as vulnerability scanners, endpoint protection, SIEM, IT authentication systems and much more, GRC teams do not have ready access to comprehensive and reliable data from these tools.
While GRC teams have GRC tools that manage policies, these tools are ill-equipped to take advantage of existing data from security controls to demonstrate that these policies are being followed. Bringing control data into GRC tools requires cybersecurity experts to capture and input data manually. This approach is error-prone and takes cybersecurity experts away from keeping organisations secure from cyber threats.
What to look for in a CCM tool for GRC
CCM provides an automated process that makes it faster and easier for GRC teams to access the accurate IT asset and control data they need to address regulators’ demands. It also enables GRC teams to feel more confident in the information they are providing.
Here are five critical capabilities to look for in a CCM solution to enable you to meet regulatory demands.
1. Comprehensive integration with security controls
Most organisations have a large number of security solutions and controls in place already. To answer regulators’ questions about these controls in a comprehensive manner, the CCM solution needs to integrate with existing security, IT, and business tools in order to obtain consolidated information on security control posture.
To achieve this objective, the CCM solution should sit above existing tools and integrate with their APIs to provide access to all of an organisation’s existing controls, whether they’re in the cloud or on-premises, across security, IT and business domains. The CCM tool must integrate all areas of security, including:
- Asset management
- Vulnerability management
- Endpoint security and management
- Privileged access management
- Identity and access management
- Application security
- User awareness
- Patch management
With these integrations, the CCM tool can ensure a 360-degree view of all controls and business context at an asset level, efficiently providing assurance that all controls are fully operational, and all assets are protected.
For example, CCM can perform cross-security-domain analysis: by analysing the interrelationships between assets and security areas, it can understand the business context and thereby prioritise risk.
2. The power of Entity Resolution
No one data source can claim to be comprehensive. There is always some missing or inaccurate information. The tool should ensure that organisations have accurate and complete data about their assets.
CCM should sit on top of existing tooling and ingest data from across security, IT and business tools. It should then use an entity resolution process to clean, normalise, and de-duplicate data and then correlate aggregated data to particular entities. This process of pulling in data from multiple sources and triangulating entities enables organisations to uncover previously unknown assets.
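The ingest, normalise, de-duplicate and correlate steps described above, as an added example (not Panaseer's code and not from the original post): three constructed tool exports (a CMDB, a vulnerability scanner and an endpoint agent; the source names and record layouts are assumptions) identify the same machine differently, so records are linked whenever they share any normalised hostname or MAC and then merged into one entity per asset. The same resolved entities then show which tool has no record of an asset, which is the control-coverage gap the following section asks for, and which assets were never in the CMDB at all.

```python
"""Entity resolution across constructed exports from three tools.

Each source identifies the same machine differently (short hostname versus FQDN,
MACs with different separators and case), so joining on one raw field misses or
duplicates assets.  Records are linked when they share any normalised strong
identifier (hostname or MAC) and then merged into one entity per asset.
"""
import re
from collections import defaultdict

# Constructed sample exports, not real data; the source names are assumptions.
CMDB = [
    {"hostname": "PAY-APP-01.corp.example", "mac": "00:1A:2B:3C:4D:5E", "owner": "payments"},
    {"hostname": "mkt-lt-07", "mac": "00-1a-2b-3c-4d-60", "owner": "marketing"},
]
VULN_SCANNER = [
    {"host": "pay-app-01", "mac": "001a2b3c4d5e", "critical_vulns": 2},
    {"host": "hr-db-03.corp.example", "mac": "00:1A:2B:3C:4D:70", "critical_vulns": 0},
]
ENDPOINT_AGENT = [
    {"device": "Mkt-LT-07.corp.example", "mac": "00:1a:2b:3c:4d:60", "av_current": False},
    {"device": "pay-app-01", "mac": None, "av_current": True},  # agent reported no MAC
]
ALL_SOURCES = {"cmdb", "vuln_scanner", "endpoint_agent"}


def norm_host(name):
    """Lower-case and drop the domain suffix: 'PAY-APP-01.corp.example' -> 'pay-app-01'."""
    return name.strip().lower().split(".")[0] if name else None


def norm_mac(mac):
    """Keep only lower-case hex digits; reject anything that is not exactly 12 of them."""
    if not mac:
        return None
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return digits if len(digits) == 12 else None


def normalise(source, rec, host_key):
    """Map one raw record onto the common shape used for linking."""
    return {
        "source": source,
        "host": norm_host(rec.get(host_key)),
        "mac": norm_mac(rec.get("mac")),
        "attrs": {k: v for k, v in rec.items() if k not in (host_key, "mac")},
    }


class UnionFind:
    """Disjoint sets: records that share an identifier end up in the same set."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def label(entity):
    """Stable display name: the smallest hostname, or a MAC if no hostname is known."""
    return min(entity["hosts"]) if entity["hosts"] else "mac:" + min(entity["macs"])


def resolve_entities():
    """Link records by shared hostname or MAC and merge each linked group into one entity."""
    records = (
        [normalise("cmdb", r, "hostname") for r in CMDB]
        + [normalise("vuln_scanner", r, "host") for r in VULN_SCANNER]
        + [normalise("endpoint_agent", r, "device") for r in ENDPOINT_AGENT]
    )
    uf = UnionFind(len(records))
    first_seen = {}  # (identifier kind, value) -> index of the first record carrying it
    for i, rec in enumerate(records):
        for key in (("host", rec["host"]), ("mac", rec["mac"])):
            if key[1] is None:
                continue
            if key in first_seen:
                uf.union(i, first_seen[key])
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[uf.find(i)].append(rec)
    entities = []
    for members in groups.values():
        ent = {"hosts": set(), "macs": set(), "sources": set(), "attrs": {}}
        for m in members:
            if m["host"]:
                ent["hosts"].add(m["host"])
            if m["mac"]:
                ent["macs"].add(m["mac"])
            ent["sources"].add(m["source"])
            ent["attrs"].update(m["attrs"])
        entities.append(ent)
    return sorted(entities, key=label)


def control_gaps(entities):
    """Per asset, the tools that have no record of it: each one is a coverage gap to chase."""
    return {label(e): sorted(ALL_SOURCES - e["sources"]) for e in entities}


def unknown_assets(entities):
    """Assets a security tool sees but the CMDB does not: previously unknown to GRC."""
    return sorted(label(e) for e in entities if "cmdb" not in e["sources"])


if __name__ == "__main__":
    ents = resolve_entities()
    for e in ents:
        print(sorted(e["hosts"]), sorted(e["sources"]), e["attrs"])
    print("coverage gaps:", control_gaps(ents))
    print("not in CMDB:", unknown_assets(ents))
```

Six raw records collapse to three assets. `hr-db-03` surfaces only in the scanner export, so it is both an unknown asset and a device with no endpoint agent; `mkt-lt-07` is in the CMDB and has an agent but has never been scanned. A production pipeline would add weaker, lower-confidence keys (IP address with a time window, serial number) and keep the raw records so that each merged fact can be traced back to the tool that reported it.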
Entity resolution can be challenging to implement without an automated tool. Powerful data engineering is required to ensure the process of entity resolution is reliable. If done manually, this process will be labour intensive, time-consuming and error-prone.
Manual processes also create challenges around speed-to-comply with request deadlines, and the ability to substantiate findings with the details required. Without platforms that can unify the data for reporting, teams spend their time tabbing between tools and updating their own dashboards.
3. The ability to identify and remediate gaps in controls
Regulators have shown that they’re willing to be lenient with companies that have experienced security breaches if they can demonstrate that they had reasonable security controls in place and were taking due care in protecting their customers’ personal information.
That means organisations need to know what assets they have, whether those assets have the appropriate controls, whether those controls are operating properly (i.e. the control is switched on and is appropriately configured given the company’s risk appetite and policies), and how those controls align with framework standards. With this information, organisations are equipped to address any gaps. They also need a retroactive view to demonstrate that reasonable security controls were in place at any point in time, to help substantiate due care through continuous compliance.
To meet these requirements, a CCM solution should uncover gaps in controls coverage across all asset types, including devices, applications, people, accounts and databases, both on-premises and in the cloud. It should then align security controls with framework standards; track, report on and ensure adherence to information security policies, SLAs and KPIs; and provide automated security metrics and stakeholder reporting to substantiate regulatory compliance, help stakeholders prioritise risk remediation and track improvements. CCM should do all this while reducing the demand on scarce headcount and lowering costs.
4. Reliability of self-service reporting
Requests from regulators today are often urgent. For example, the head of GRC at an American bank told us that a Middle Eastern regulator recently asked them to fill out a 200-point questionnaire in just two days.
Without a Continuous Controls Monitoring solution, GRC teams would need to rely on the security and tools teams, which are often short-staffed and maxed out addressing pressing cybersecurity concerns, to manually address the request.
A CCM solution should provide GRC teams with self-service reporting capabilities that enable them to access data from a common repository containing real-time data and build reports that address any questions from regulators in minutes without having to rely on the security team.
5. Risk prioritisation based on the business context
Organisations must prioritise risk remediation based on business criticality. Yet while technology powers all facets of the enterprise, it can be difficult to relate the relevant security risks to different areas of your business.
To properly identify risk, the CCM solution should enable security teams to isolate and identify applications associated with particular business processes, as well as the interrelationships between assets – including the infrastructure that supports the applications (devices, databases) and the people and accounts that interact with them.
For example, every organisation will want to prioritise risk associated with payment systems over the risk associated with systems used by the marketing team. Thus, if a person who has access to a payment process application is using a laptop without the latest anti-virus update, CCM should help the organisation prioritise that remediation over that of the same issue on a laptop used by the marketing team.
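The payment-versus-marketing example above, worked through as an added example (not Panaseer's code and not from the original post) over a small constructed inventory that is assumed to be already resolved: each device is tied to the applications it hosts or that its user can access, each application to a business process with a business-assigned criticality, and each control finding is ranked by its severity weight multiplied by that criticality. The criticality scale, the severity weights and the default for devices with no known business context are all assumptions.

```python
"""Business-context risk prioritisation over a constructed, already-resolved inventory.

The same finding gets a higher priority when the affected device supports, or is used
by someone with access to, a business-critical application.  All data below is
constructed; the 1-5 criticality scale and the severity weights are assumptions.
"""

# Applications, the business process each supports, and business-assigned criticality (1-5).
APPLICATIONS = {
    "payments-portal": {"process": "card payments", "criticality": 5},
    "campaign-manager": {"process": "marketing campaigns", "criticality": 2},
}
# Which applications each person can access (as an IAM export would report, constructed).
ACCESS = {"alice": ["payments-portal"], "bob": ["campaign-manager"]}
# Devices: the person using them (endpoints) or the applications they host (servers).
DEVICES = {
    "alice-laptop": {"user": "alice", "hosts": []},
    "bob-laptop": {"user": "bob", "hosts": []},
    "pay-app-01": {"user": None, "hosts": ["payments-portal"]},
    "mkt-web-01": {"user": None, "hosts": ["campaign-manager"]},
    "orphan-vm-9": {"user": None, "hosts": []},  # no business context known yet
}
# Control findings from the security tools (constructed) with an assumed severity weight.
SEVERITY = {"av_signatures_outdated": 2, "critical_vuln": 4}
FINDINGS = [
    ("alice-laptop", "av_signatures_outdated"),
    ("bob-laptop", "av_signatures_outdated"),
    ("pay-app-01", "critical_vuln"),
    ("mkt-web-01", "critical_vuln"),
    ("orphan-vm-9", "critical_vuln"),
]
# Assumption: an unclassified asset is treated as medium so it is neither buried nor inflated.
UNKNOWN_CONTEXT_CRITICALITY = 3


def apps_touching(device):
    """Applications a device hosts, plus those its user can reach."""
    dev = DEVICES[device]
    apps = set(dev["hosts"])
    if dev["user"]:
        apps.update(ACCESS.get(dev["user"], []))
    return apps


def business_criticality(device):
    """Highest criticality of any application the device touches, or the default if none."""
    apps = apps_touching(device)
    if not apps:
        return UNKNOWN_CONTEXT_CRITICALITY
    return max(APPLICATIONS[a]["criticality"] for a in apps)


def prioritise(findings):
    """Rank findings by severity weight times business criticality, most urgent first."""
    ranked = []
    for device, finding in findings:
        processes = sorted({APPLICATIONS[a]["process"] for a in apps_touching(device)})
        ranked.append({
            "device": device,
            "finding": finding,
            "score": SEVERITY[finding] * business_criticality(device),
            "processes": processes or ["unclassified"],
        })
    # Ties are broken by device name so the ordering is stable across runs.
    return sorted(ranked, key=lambda r: (-r["score"], r["device"]))


if __name__ == "__main__":
    for r in prioritise(FINDINGS):
        print(f'{r["score"]:>3}  {r["device"]:<12} {r["finding"]:<24} {", ".join(r["processes"])}')
```

With these inputs the outdated anti-virus signatures on the payments user's laptop (score 10) rank above the identical finding on the marketing laptop (score 4), and also above a critical vulnerability on the marketing web server (score 8): business context, not raw finding severity alone, decides the order. The unclassified VM lands in the middle, which is a prompt to get it assigned to a business owner rather than a verdict on its risk.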
Learn how your organisation can benefit from CCM
Panaseer offers a Continuous Controls Monitoring tool that integrates with all of an organisation’s security controls, normalises and aggregates control data into a single version of the truth, and helps identify and remediate gaps in controls. Organisations can thus ensure that they comply with regulatory demands and demonstrate that compliance to regulators.