Here are two reasons that an IT department will strive for compliance:-
- More Visibility - An organization's success in troubleshooting IT issues, finding the root cause of security events and planning effectively can be directly correlated with the level of visibility it has into its IT infrastructure.
- More Business - More and more business, from tenders and other competitive sales opportunities, has become dependent on organisations having a growing range of compliance certifications and accreditations to qualify to bid.
Whatever the reasons, compliance with regulatory standards, best practices frameworks, service level agreements and/or internal policies is fast becoming a very big part of everyday operations for IT teams.
Many organisations face an even bigger challenge because they need to demonstrate compliance with more than one policy. For example, they may need ISO27001 because they deal with public sector business and also PCI-DSS because they handle credit card payments. Add SLAs and internal audits to this and compliance tracking can quickly become a full-time role for more than one person.
All of the main regulatory standards and policies published today have one thing in common - they are "Controls-based". This means that the standards body that created the policy has defined a series of Controls or Requirements that organisations and departments have to prove they comply with. Controls can cover a vast range of requirements, from creating and maintaining documented policies to ensuring all passwords are a minimum length. All Controls, however, can be categorized into one of the following two types:-
- Technical Controls - These controls are very specific technical requirements that can be automatically audited with the right technology. For example, the password length setting for all local and domain Windows users is something that can be collected and audited using technology.
- Logical Controls - These controls cannot be audited by technology. They require an attestation of compliance from somebody authorized to give it and, in most cases, documentary evidence. For example, both ISO27001 and PCI-DSS require an organization to have an Information Security Policy document. This is not something that technology can automatically audit: a senior manager must attest to the document's existence and then show a copy of the document as evidence.
The number of monitoring systems that will claim to be able to "make you compliant" is truly staggering but the reality is that a monitoring system will only address the Technical Controls and each system, depending on the data types it gathers, will only address some of these Technical Controls. For this reason, multiple monitoring systems need to be installed to collect all of the data types required. Some of the monitoring systems required include, but are not limited to, the following:-
- Availability & Network Discovery
- Log Management/SIEM
- Configuration Auditing/Management
- Asset Auditing/Management
- Flow Analysis
- Vulnerability Analysis
The process of internally evaluating compliance with a particular policy is complex: the person responsible must request, collect, organize and score hundreds of pieces of information from multiple departments. When tracking compliance with multiple policies the complexity increases significantly. Even though there is a very high degree of overlap between most policies, the controls are worded so differently that the similarities are often overlooked.
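The distinction between Technical and Logical Controls above, and the point that one piece of evidence often satisfies controls in several policies, can be shown as a small scoring routine. This is an added illustration, not code from Pervade's platform; the host settings, attestation records, control identifiers and the minimum values are all constructed for the example.

```python
"""Score a controls-based policy set from collected data (constructed example).

Technical controls are evaluated from data a collector gathered; logical
controls are evaluated from an attestation plus documentary evidence. Each
control is checked once and its result is credited to every policy that
requires it, which is the overlap between policies described in the text.
"""
from dataclasses import dataclass

# Constructed sample of settings collected from two Windows hosts.
COLLECTED = {"host-a": {"min_password_length": 12, "lockout_threshold": 5},
             "host-b": {"min_password_length": 6, "lockout_threshold": 0}}

# Constructed portal submissions for logical controls (None = not provided).
ATTESTATIONS = {"infosec_policy": {"attested_by": "CISO", "evidence": "ISP-v3.pdf"},
                "risk_assessment": {"attested_by": None, "evidence": None}}

@dataclass
class Control:
    cid: str          # hypothetical control identifier
    kind: str         # "technical" or "logical"
    policies: tuple   # policies whose requirements this control maps to
    check: object     # zero-argument callable returning (passed, details)

def tech(setting, minimum):
    """Technical control: every collected host must meet a numeric minimum."""
    def run():
        failing = [h for h, d in COLLECTED.items() if d.get(setting, 0) < minimum]
        return (not failing, failing)
    return run

def logical(key):
    """Logical control: needs an authorized attestation AND evidence."""
    def run():
        a = ATTESTATIONS.get(key, {})
        ok = bool(a.get("attested_by")) and bool(a.get("evidence"))
        return (ok, [] if ok else [key])
    return run

CONTROLS = [
    Control("PWD-LEN", "technical", ("ISO27001", "PCI-DSS"), tech("min_password_length", 8)),
    Control("LOCKOUT", "technical", ("PCI-DSS",), tech("lockout_threshold", 1)),
    Control("ISP-DOC", "logical", ("ISO27001", "PCI-DSS"), logical("infosec_policy")),
    Control("RISK-DOC", "logical", ("ISO27001",), logical("risk_assessment")),
]

def audit():
    """Run every control once, then score each policy from the shared results."""
    results = {c.cid: c.check() for c in CONTROLS}
    scores = {}
    for c in CONTROLS:
        for p in c.policies:
            s = scores.setdefault(p, {"passed": 0, "total": 0, "failures": {}})
            s["total"] += 1
            ok, detail = results[c.cid]
            if ok:
                s["passed"] += 1
            else:
                s["failures"][c.cid] = detail
    return scores
```

Here host-b fails the password-length control, which counts against both ISO27001 and PCI-DSS, while the missing risk assessment attestation only counts against ISO27001.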
Pervade Software have created an industry first - our platform combines the ability to gather data for Technical Controls (ALL Technical Controls!) with a user friendly portal-based interface to gather information from individuals for Logical Controls, such as answers to questions, documentary evidence and attestations of compliance. That's not all however, it can do so much more...
The Compliance Tracker component of the Pervade platform, which contains all of the main compliance related functionality, is a very easy-to-use portal-based solution that allows compliance policies to be broken down into more easily manageable questions and tasks.
The Data Collector is a very small, lightweight application which can be installed as software, as a pre-configured virtual appliance or as a physical appliance. The setup requires just 3 input fields to be completed and, once installed, the Data Collector is 100% controlled and updated by the Central Controller, vastly reducing the management overhead you will see in some traditional systems.
The Compliance Tracker and Data Collector components of the Pervade platform work together to collect all of the data required for the Technical and Logical Controls of a compliance policy. Once that data is collected, dashboards and reports can be produced to demonstrate compliance status and progress to contributors, managers and of course, the Auditor, using the System Analyzer.
The System Analyzer is built on a unique, object-persistent database that allows all data types - whether they are 1,000-line configuration dumps or individual properties of performance data - to be correlated, aggregated and stored securely for an unlimited period of time.
The Pervade platform is the only system available today that allows organizations to track compliance with both Technical and Logical controls. It comes with an integrated tamper-proof document store and the ability to collect technical data directly from devices on the network.
The Compliance Tracker component of the Pervade platform is an easy-to-use, flexible and secure repository for all compliance data, whether it is personal attestations of compliance, documentation uploaded directly into the system or technical data collected by the Data Collector component of the Pervade platform. All of this data will be automatically audited against every policy being tracked, using the unique Unified Control Framework to map data between policies.
The System Analyzer component allows compliance managers to produce reporting and graphical user interfaces for every contributor, from operational staff to board directors. The advanced analytics and correlation engine provides the most flexible and comprehensive tools to report on every compliance metric as well as to isolate the root cause of compliance issues much more quickly.
For further information or to find a partner please contact our team.