The Problems with Compliance
Information Technology has made companies more efficient and effective in delivering their products and services. The advent of the internet was a great equalizer – where small companies could compete with large companies with almost no overhead. For years, companies in every industry have implemented new technologies to attract and retain customers with ever-more sophisticated services without fully understanding the associated risks. Even as costs from cyber-security attacks mounted to billions of dollars, most companies continued patching holes in their information systems without a disciplined approach to governance.
In recent years, larger organizations have received mandates from government, partners, or customers to prove the existence of a robust security management system. Some of them quickly realized that obtaining certifications that prove compliance with a security framework gave stakeholders and prospective customers confidence, and differentiated the organization in the marketplace.
Preparing for and passing a compliance audit is just the beginning. Organizations must maintain compliance and perform regular activities to assure continual compliance with the standard. Larger organizations easily expanded existing internal audit departments and related programs to support ongoing compliance activities and external audits. Small and Medium Enterprise (SME) organizations are reluctant to absorb the cost of a full-time Chief Information Security Officer, Internal Audit department, and Project Management teams to manage the governance, risks, and compliance posture of the organization. Further, enterprise-level software such as RSA Archer and ServiceNow is costly to implement and often requires a team of developers to maintain. The certifications and attestations have provided larger organizations with an advantage.
The purpose of the Layer 0 Security Compliance-as-a-Service (CaaS) software is to provide organizations all the advantages of a Chief Information Security Officer and a robust Governance, Risk, and Compliance program at a fraction of the cost. The CaaS will also provide clients with confidence that they will not fail the periodic external audits required to keep the certification they have worked hard to achieve.
Clients would access a web portal where they can manage assets and risks, identify security requirements, apply controls, and assign control owners. Compliance activities such as risk assessments, audits, vulnerability scans, penetration tests, and others would process information in the client portal and output test results back to the portal. Clients would have a dashboard that shows the progress and results of various activities. Control owners would receive a notification from the system reminding them to execute their duties related to periodic controls, with a link back to the system to provide a response. Those owners would answer questions about the control, assert completion, and upload the relevant supporting evidence into the portal, such as screenshots, reports, system output, and meeting notes. The client internal audit team or Layer0’s team would review the evidence to determine if it supports the control owner's assertion and then mark it as “accepted”. External auditors or other third parties could be granted access to obtain and/or enter information into the portal. Eventually, APIs would be added to integrate the application with other commercial business tools.