How Continuous Controls Monitoring addresses regulatory compliance demands

April 06, 2020

The Panaseer Team

As more privacy and security laws go into effect, many governance, risk and compliance (GRC) teams today are seeing an increase in the number and complexity of regulatory requests. They find themselves struggling to address these demands in a timely manner.

The lack of consolidated visibility into all assets across the enterprise and the lack of knowledge regarding whether the relevant controls are deployed and operating on all assets make it difficult for GRC teams to pinpoint control coverage gaps and internal policy adherence. GRC teams are also unable to create accurate and timely reports for multiple stakeholders to demonstrate continuous regulatory compliance.    

The answers to regulators’ questions lie in data scattered across the organisation. Currently, this data is collected and collated manually. Such manual data collection presents significant challenges. For example, if GRC teams want information about controls posture and risk exposure of all systems housing sensitive data, the security teams must isolate the infrastructure (such as devices and databases) that support applications that contain sensitive data as well as the people and accounts that interact with those applications. Isolating systems and segmenting data can be extremely time-consuming and error-prone.  

These tedious data collection and analysis processes can significantly distract scarce, expensive IT security resources from more pressing security issues. Even worse, they lead to a lack of confidence in the completeness and accuracy of the data GRC teams are providing to external regulators.    

Continuous Controls Monitoring comes to the rescue 

Continuous Controls Monitoring (CCM) makes it easy for GRC teams to access comprehensive and trustworthy IT asset and control data. This helps GRC teams address regulators’ demands in a timely manner without distracting the security and tools teams from pressing security issues. GRC teams can use the data provided by CCM to identify, isolate, and resolve risks associated with mission-critical parts of the business. CCM also gives them a view into all business processes, and the range of assets supporting them, including devices, applications, people, accounts and databases. 

How CCM helps GRC teams substantiate regulatory compliance 

Just as exercise and healthy foods can prevent health problems, cybersecurity controls and safeguards are designed to ensure that an organisation is well protected. As a result, many regulations demand that organisations place robust security controls on their IT assets and document that these controls are fully implemented and deployed in accordance with policy. 

Indeed, with regulations such as the General Data Protection Regulation (GDPR), regulators have shown that they’re willing to be lenient with companies that have experienced security breaches if they can demonstrate that they had reasonable security controls in place and were taking due care to protect the personal information of their customers.

For example, Simon Dougall of the Information Commissioner’s Office (a regulator that assesses companies) says that:
‘There are scenarios where organisations can have robust systems of controls and things still happen and we understand that. There are also times when controls are not as robust and it’s apparent when a breach occurs that things should have been done better.’ 

As a result, most organisations have a large number of security solutions and controls in place —everything from vulnerability scanners to malware defences to IT authentication to SIEM. Unfortunately, these disjointed tools and technologies make it difficult to aggregate data to give GRC teams the required insight into exactly what assets they have on their network as well as whether proper controls are in place and turned on for each asset. Providing regulators with answers to their questions often requires manual, error-prone effort.   

CCM provides a layer above the organisation’s security controls that delivers unified visibility into all their assets and can determine which controls each asset has deployed and whether those controls are switched on and operating properly. This gives GRC teams the information they need to answer regulators’ questions about which controls they’ve implemented in their business. GRC tools can automatically access this information and GRC teams can easily transform this data into the formats different regulators demand. 

Specifically, using CCM, organisations can do the following to support regulatory compliance: 

1. Create a comprehensive inventory of assets 

No single tool has complete information. Every individual data source is incomplete and inaccurate. The entity resolution processes involved with CCM take all available data from all cybersecurity-related systems in the organisation, correlate and normalise the data, and then store it in one place, creating a single version of the truth.

Organisations gain a comprehensive view of historical and real-time data about devices, applications, people, accounts, databases and other assets they can use to answer specific questions from regulators. For example, they can go back and say this was the situation in this part of the business in these control sets on July 17, 2019. 

2. Uncover gaps in controls 

A CCM solution can uncover gaps in control coverage across all asset types, including devices, applications, people, accounts and databases both on-premises and in the cloud. It can then align security with framework standards and track and report on adherence to information security policies, KPIs and standards as well as automate security metrics and stakeholder reporting. 

3. Isolate risks to mission-critical parts of the business 

GRC teams need business context to isolate risks that impact mission-critical parts of the business.  For example, organisations may need to report to a regulator that their organisation has all the right controls and processes in place to protect systems with sensitive information. Instead of relying on security teams, who must take considerable time to assemble information that is not readily available, a CCM tool can provide timely business context with the help of its Business Risk Perspectives capability.   

4. Automatically populate your GRC tools 

Security teams spend considerable time manually producing reports for use in GRC. Continuous Controls Monitoring allows organisations to automatically populate GRC tools with comprehensive information about asset inventory and controls on these assets for continuous controls and risk assessment. The asset inventories can include devices, applications, people, accounts, and databases.

CCM also provides insight into control coverage gaps, looking at whether or not controls have been deployed on the asset as well as how well the controls are performing. It can also provide business context for prioritising risk.   

5. Map data about controls to regulatory frameworks 

Once organisations have measurements from all their cybersecurity tools consolidated in one place, CCM enables them to map this data to different security frameworks to address regulator demands in the format they desire.   

Instant access to GRC data

GRC teams today have a difficult time addressing regulators’ demands for information about their controls because they often use manual processes to find data about their IT asset inventory and the controls on each asset. Manual processes also mean that organisations are not confident in the accuracy of the data they provide to regulators.

With CCM, GRC tools have instant access to the accurate data they need about assets, controls and risks. And GRC teams can easily format this data to comply with different demands to demonstrate regulatory compliance.

In the next blog post in this series, we’ll look at how to find the right Continuous Controls Monitoring tool to support GRC.