KV: ControlCase's Compliance as a Service (CaaS) solution was built to address the problem that roughly seventy percent of the assets in every organization are non-compliant at some point in their annual lifecycle, and that this weakness often goes undetected.
Our CaaS solution has been especially effective for SMB organizations, which prefer to focus on their core business and leave the specifics of maintaining and retaining compliance to the experts. Our CaaS solution focuses on accuracy and compliance by addressing common non-compliance situations that leave an organization vulnerable. These include in-scope assets not reporting logs, in-scope assets missed from vulnerability scans, critical overlooked vulnerabilities existing due to volume, risky firewall rule sets going undetected, and non-compliant user access scenarios not being flagged.
Our CaaS solution offloads the ongoing responsibility of monitoring and alerting against IT compliance. As your compliance and data security partner, the ControlCase team will deliver an automated GRC Evidence Collection platform that supports timely escalation letters, consolidated status reports, remediation guidance, and year-round support. All this is done through our ControlCase GRC framework, using multiple APIs and other pathways to integrate with your business infrastructure.
EA: Let's get into some detail. What specifically is automated in the process, and what needs to be done by the client? What is the relative mix of hardware, software, and services?
KV: As part of our CaaS and continuous compliance offering, we use a mix of virtual appliances, physical appliances (although not as much, unless there is a specific need), software solutions such as security tools, SaaS, APIs, and our delivery team of excellence to provide the CaaS solution offering.
As an example, one aspect of PCI DSS compliance/certification is the need to identify clear-text card data. Our combination of software solution and managed services can execute an agentless Card Data Discovery tool across the organization's infrastructure to identify clear-text card data within its environment and provide reports in a concise format, with the specific location of the suspect data, so the organization can mitigate it.
The complete process is automated and can be executed as per the client's preferred schedule, or as compliance requires it to be done, quarterly or annually. This is just one example of the services provided as part of the CaaS solution.
EA: Which compliance frameworks do you see as being the most important moving forward, especially for small businesses? Do you expect to see consolidation?
KV: The industry is heading in a direction where cyber threats and security lapses are common news items, and there are many different regulators and standards that come through by virtue of their significance.
In today's world, if you throw a dart at the list of Fortune 5000 organizations, it will land on an organization that will certainly need to meet one to four compliance/certification requirements in order to satisfy regulatory standards or internal security standards, compete with peers in the marketplace, etc. An organization will need one certification/standard more than another as its primary driver, but will certainly focus on many.
As you see standardization and consolidation in the marketplace for security products, the same is bound to happen with the standards. We do expect to see some consolidation, with the prime focus on data loss prevention as related to specific data attributes.
EA: Your platform can find credit card and other sensitive data across an enterprise. How does that work?
KV: The Card Data Discovery solution is available as a stand-alone software solution or as a SaaS solution, where we provide the service to identify credit card or other sensitive data across an enterprise network. ControlCase Card Data Discovery (CDD) software is one of the first comprehensive scanners to search for unencrypted and sensitive data not only in file systems, such as those produced by Office 365, but also in most commercial and open-source databases, Exchange servers, desktops and drives.
The CDD software solution is fast, uses minimal resources and doesn't require plugins or agents on the target scanned machines. It enables you to pinpoint PAN, track data, PIN, CVV and other unencrypted and sensitive data unknowingly stored within your network from one location. It also supports the exclusion/inclusion of test card data.
The remediation dashboard shows you exactly where the data lies, simplifying the mitigation process – from determining if appropriate storage controls are in place to implementing encryption and removing the data. ControlCase CDD scanning software is a core business intelligence and analytics tool that helps you reduce IT data-compliance risk and achieve industry regulations, including PCI DSS, ISO, GDPR and HIPAA. With our CDD scanner’s key features, you can improve your overall security strategies to gain valuable resource efficiencies.
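The core of a card data discovery pass, as an added illustration that is not ControlCase's CDD code: candidate digit runs are pattern-matched, filtered with the Luhn check, optionally stripped of known test card numbers (the interview names none, so the set below is a constructed assumption), and reported by file and line with the PAN masked rather than copied into the report. The sample files are constructed inline so the script runs offline.

```python
import re
from typing import Iterator, NamedTuple

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Constructed set of widely published test card numbers (the interview names no
# values); a CDD-style scanner lets you include or exclude these on demand.
TEST_PANS = {"4111111111111111", "5555555555554444", "378282246310005"}

class Finding(NamedTuple):
    path: str
    line_no: int
    masked: str  # first six and last four digits; the full PAN is never reported

def luhn_ok(digits: str) -> bool:
    """Luhn check: drops most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(path: str, text: str, include_test: bool = False) -> Iterator[Finding]:
    """Yield one masked finding per Luhn-valid candidate, with file and line."""
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_ok(digits) and (include_test or digits not in TEST_PANS):
                yield Finding(path, line_no, mask(digits))

def scan_files(files: dict, include_test: bool = False) -> list:
    """Scan an in-memory {path: content} map; a real run walks shares and exports."""
    return [f for p, t in files.items() for f in scan_text(p, t, include_test)]

# Constructed sample content: a CSV export holding a test card, a Luhn-valid
# sample number and a Luhn-invalid digit run, plus an unrelated ticket file.
SAMPLE_FILES = {
    "exports/orders.csv": "id,card\n1,4111 1111 1111 1111\n2,4532015112830366\n3,1234567812345678\n",
    "tickets/notes.txt": "ticket 20240115-0001: customer called about a refund\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.masked}")
```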
KV: Compliance as a Service (CaaS) will be as common and prevalent as IaaS, SaaS or Managed Services, where companies will look to hand over their compliance needs to subject matter experts who completely manage them and provide the end results (certifications, attestations and reports for management).
As cyber security threat vectors change, so will the parameters of CaaS change and adapt to the new needs arising from cyber threats and new or updated regulations.
In the long term, with the effect of reducing operating expenses and the hiring of in-house expertise to manage compliance, organizations will completely outsource their compliance needs and/or adopt CaaS solutions, which will effectively meet their needs and be cost effective, shift liability, be less resource intensive and, most importantly, be timely in managing their compliance for regulatory or other needs.
KV: Continuous compliance, as it sounds, means attaining compliance and increased security across your IT and business environments, and then maintaining and retaining it on an ongoing basis.
We have found, in many organizations and industry reports, a theme in which companies are faced with the concern of a cyber attack, or have experienced one. They then rush to take major steps and change their security measures to counter the cyber attack with changes to their IT infrastructure or business processes, such as change management, but a few months after the event they often lapse into a comfortable state where no one is keeping a close eye on security procedures and compliance requirements on an ongoing basis.
This leaves them open to risks and unprepared for future threats. This is where we at ControlCase, with our experience, arrived at the common thought of a Continuous Compliance Service for enterprise organizations. Continuous compliance is about developing a culture and strategy within the organization that continually reviews its compliance position to ensure that it is meeting industry and regulatory demands whilst maintaining secure systems. In short, continuous compliance aims to take IT teams from responding reactively to audit requests and attacks to being proactively prepared for future threats and data reporting requirements.
The first step, which essentially consists of three attributes the organization should address, involves setting your security and compliance goals; scoping your environment, which may be a hybrid environment spanning internally housed IT systems, private clouds, public cloud services and SaaS applications; and defining the framework or regulation where it is most important to maintain security and compliance.
KV: Continuous Compliance is a joint effort of people, process, expertise and tools to achieve a state of continuous compliance with a regulation or framework that is monitored on a daily basis.
ControlCase Continuous Compliance is customized to the client's needs and is managed by experts to identify and provide management with a dashboard view of the current (today's) state of compliance vis-à-vis their regulatory standard or industry framework, as a single snapshot and a Compliance/Data Security Rating (CDSR). ControlCase Continuous Compliance uses best-in-class third-party tools, the ControlCase dashboard and plugins, and experts with comprehensive coverage and 24x7x365 incident reaction. The ControlCase Continuous Compliance service fully integrates with leading SIEM products, granular management of identities and access, and comprehensive monitoring of cloud platforms, OS, applications and services.
From an IT perspective, continuous compliance practices could involve the monitoring of system logs, software configurations, licensing compliance, applications, user access and identity management, cloud platforms and services review, alerts for changes or unusual activity in your environment, and much more. All of the above is done using APIs, extended plugins, processes and tools to provide greater handling of, and reporting against, compliance standards.
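Two of the non-compliance situations named earlier in the interview, in-scope assets that stop reporting logs and in-scope assets missed by vulnerability scans, are the kind of drift a daily continuous-compliance check catches. The following is an added example, not ControlCase's platform code: it reconciles an asset inventory against log and scan evidence, lists each gap, and computes a simple coverage percentage as a stand-in for a rating like the CDSR the answer mentions. The 24-hour and 90-day thresholds, the asset names and the timestamps are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone
from typing import NamedTuple

class Gap(NamedTuple):
    asset: str
    control: str   # which continuous-compliance check failed
    detail: str

LOG_SILENCE = timedelta(hours=24)  # assumed threshold: an in-scope asset must log daily
SCAN_AGE = timedelta(days=90)      # assumed threshold: scanned at least quarterly

def find_gaps(inventory: dict, last_log: dict, last_scan: dict, now: datetime) -> list:
    """Reconcile in-scope assets against the last log event and last vulnerability scan."""
    gaps = []
    for asset, in_scope in sorted(inventory.items()):
        if not in_scope:            # out-of-scope assets are not evidence-checked
            continue
        seen = last_log.get(asset)
        if seen is None:
            gaps.append(Gap(asset, "logging", "no log source registered"))
        elif now - seen > LOG_SILENCE:
            hours = (now - seen).total_seconds() / 3600
            gaps.append(Gap(asset, "logging", f"last log {hours:.0f}h ago"))
        scanned = last_scan.get(asset)
        if scanned is None:
            gaps.append(Gap(asset, "vuln-scan", "never scanned"))
        elif now - scanned > SCAN_AGE:
            gaps.append(Gap(asset, "vuln-scan", f"last scan {(now - scanned).days} days ago"))
    return gaps

def compliance_rating(inventory: dict, gaps: list) -> float:
    """Percentage of in-scope assets with no open gap (a simple CDSR-style stand-in)."""
    in_scope = [a for a, s in inventory.items() if s]
    failing = {g.asset for g in gaps}
    if not in_scope:
        return 100.0
    return round(100 * (len(in_scope) - len(failing)) / len(in_scope), 1)

# Constructed evidence: one healthy asset, one silent and overdue for scanning,
# one with no log source at all, and one asset that is out of scope.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)
INVENTORY = {"db-01": True, "web-01": True, "web-02": True, "kiosk-test": False}
LAST_LOG = {"db-01": NOW - timedelta(hours=2), "web-01": NOW - timedelta(days=3), "kiosk-test": NOW}
LAST_SCAN = {"db-01": NOW - timedelta(days=10), "web-01": NOW - timedelta(days=120),
             "web-02": NOW - timedelta(days=5)}

if __name__ == "__main__":
    found = find_gaps(INVENTORY, LAST_LOG, LAST_SCAN, NOW)
    for g in found:
        print(f"{g.asset:10} {g.control:10} {g.detail}")
    print(f"rating: {compliance_rating(INVENTORY, found)}%")
```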
Certain aspects of companies' cyber security obligations have traditionally tended to be reserved primarily for larger companies. Compliance is one of these aspects, and its techniques and tools have tended to evolve in line with the needs of larger organizations. Governance, risk, and compliance (GRC) tools, for example, have tended to be expensive and feature-rich in order to deal with the complexities of large business processes and workflows.
More recently, however, small and medium-sized businesses have begun to experience an increase in cyber security compliance requirements. This places a considerable burden on organizations that have never considered such issues in the context of compliance. We recently caught up with Kishor Vaswani of ControlCase to learn more about how they are now providing popular and effective cyber security compliance support via subscription solutions for small and medium-sized businesses.