Are you spending a lot of time on manual control testing? Do you find it increasingly challenging to stay on top of your testing work as the volume of controls within your organization increases year after year?
You’re not alone if you answered yes to the questions above. Many Hyperproof customers who work at fast-growing companies are trying to figure out how to scale up their compliance operations – including evidence collection, control testing, risk assessments, and more – to keep up with an ever-growing list of new regulatory requirements and new vendors working with their organizations.
As an organization matures, cybersecurity and product reliability become essential ingredients for business survival. Company executives and board members start to ask their compliance team for greater assurance that they are actively managing critical risk factors. Naturally, rigorous controls testing has risen in importance among compliance and internal audit professionals.
Yet, testing controls consistently and thoroughly is a tall order for most organizations. Without a well-defined process, the evidence collection work that precedes control testing takes way too long – leaving compliance professionals rushing to finish the bare-bones testing work they must do for the next audit. This ad-hoc approach to control testing leaves room for gaps, error, and neglect, which can lead to costly problems for an organization.
More than ever, compliance professionals need automated control testing capabilities that save them time and empower them to increase control testing coverage.
Here at Hyperproof, we’re excited to share that we’re releasing Continuous Controls Monitoring (CCM) functionality for our compliance operations platform. With this new capability, we expect to alleviate the burden of manual controls testing, help those in the second and third lines of defense drive accountability for controls management to the first line of defense while maintaining oversight, and provide senior management teams with greater assurance that they are actively managing critical risk factors.
How Continuous Controls Monitoring works in Hyperproof
For clarity’s sake, we define Continuous Controls Monitoring (CCM) as the application of technology to allow continuous or high-frequency monitoring of controls to validate the effectiveness of controls designed to mitigate a wide range of risks. Continuous monitoring of controls is only possible when control testing can be automated.
Being able to automate a control test means that after initial setup, all activities, including extracting relevant data and evidence for testing, initiating the test, generating the test result, and triggering follow-on communication based on the test result (e.g., assigning a task to a control owner to do something about a control), are automatically performed by software.
Hyperproof’s CCM capability is possible because we’ve already built certain foundational features, namely, (1) Automated Evidence Collection, (2) Tasks, and (3) Reporting.
Hyperproof has been working to automate evidence collection since day one, and we made major strides in this area last year by releasing Hypersyncs – data connectors our users can leverage to automatically pull normalized data on control activities from the systems in their tech stack into Hyperproof.
Hypersyncs eliminate the need for users to manually gather data on controls related to access control and review, change management, device management, application monitoring, and more. At this time, Hyperproof supports nearly 30 cloud-based applications across domains and all major infrastructure as a service (IaaS) platforms.
At the beginning of 2022, we also rolled out Smart Tasks, which let users set up manual tasks and automatically generated tasks triggered by specific events in their Hyperproof account. For instance, anytime a control status changes from “healthy” to “at risk”, Smart Tasks automatically creates a task to notify someone to review that control. Tasks can be automatically routed into a user’s preferred ticketing system (e.g., Jira) through our native integrations.
Lastly, Hyperproof’s built-in dashboards and configurable reports make continuous controls monitoring quite simple.
CCM builds upon these core features while introducing a brand new feature to the mix: a flexible Testing Engine that lets users define testing conditions and pass/fail criteria through an intuitive user interface. This Testing Engine will:
- Ingest normalized evidence and proof gathered by a Hypersync connection
- Apply the test script to the evidence and run tests based on a user-defined cadence or anytime new evidence is pulled in
- Generate detailed test results and aggregate the results on the control level.
Once a test script is written in the Testing Engine, a control owner or a compliance professional can configure a control so that the test result automatically updates the task’s health status. They can also set up a Task Template that automatically generates and routes a task to a specific user based on a failing test result. Users can also see aggregated and filtered views of controls by testing status, results status, and control health.
To sum it up, setting up continuous controls monitoring in Hyperproof can be done in four quick steps:
- Select the controls to automatically test and monitor.
Good candidates include controls that run at a high frequency (i.e., multiple times per day, daily, weekly, or monthly). There is no need to do any data clean-up for testing, since the Hypersyncs automatically normalize the data collected and transform it into a format our Testing Engine supports. See the next section for some examples of security controls you can set up CCM for.
- Set up a test per control or per group of controls (via a Label).
Hyperproof’s flexible test builder allows you to write many types of tests using simple business logic. It works similarly to popular Excel functions like VLOOKUP(), HLOOKUP(), IF(), and more.
- Dictate what should happen when a test fails.
With automated control testing set up, you only need to address controls that fail. In Hyperproof, you can set up an automatic task/notification and route it to the control operator whenever a control fails a test or needs review.
- Set up your report.
Hyperproof comes with useful reports that allow you to see control test statuses and remediation work items. You can link your controls to the risks in your Hyperproof Risk Register to monitor them in real-time and set up custom alerts on your reports so specific individuals are notified via email whenever certain metrics meet thresholds you’ve set.
Good candidates for CCM
Below are some common controls that should be continuously validated and monitored because they play an essential role in protecting an organization’s network and assets or in product security. Each of these systems and tests is already supported in Hyperproof, and we plan to support additional control types and Hypersyncs in the future based on customer feedback. If you’ve got a use case in mind, please let your CSM team know.
Control type | Common systems |
Password policy enforcement: Ensure that the password policy in key systems conforms to the larger company policy. | Single sign-on: Okta, Azure Active Directory, Jumpcloud, Auth0; Cloud infrastructure: AWS, Microsoft Azure, Google Cloud Platform; CRM: Salesforce |
Key monitoring tools availability: Ensure that key monitoring tools are running and collecting logs (e.g., check that the firewall is configured correctly). Get reliable access to log files to demonstrate that logging requirements were met. | Monitoring systems: DataDog; Web security: Cloudflare |
Change management: Validate that a designated approval process has occurred before new code is deployed into the production environment. | Dev tools: GitLab, GitHub, Azure DevOps |
Vulnerability management: Validate that critical vulnerabilities are fixed in a timely manner, according to the service level agreement (SLA) within our company. | Vulnerability detection systems: Qualys, Tenable.io |
Data encryption/security: Verify that all of a firm’s confidential data is restricted to authorized personnel. Make sure that data is transferred in a secure manner. | Infrastructure as a service (IaaS): AWS, Azure, Google Cloud |
Data integrity: Test that there aren’t any data backup failures, or that the number of data backup failures per 100 backups is below a certain threshold. | Infrastructure as a service (IaaS): AWS, Azure, Google Cloud |
An illustrative example
Compliance activity: Password policy control. Password policies are used to enforce a set of best practices around password security for every user.
Testing scenario: We can write a test to validate that the password policy in a key system like AWS conforms to the larger company password policy. The tests include ensuring that there is a minimum password length and checking whether or not the required special characters are enabled.
Example test cases:
- If [minimum password length] is less than {8}, the test fails.
- If [required symbols] is not {true} and [required uppercase characters] is not {true}, the test fails.
- If [password expiration] is more than {90}, the test fails.
Follow-up task: Create a triggered task based on a failed test that alerts the key system’s administrator to revise the (tested) system’s password policy to conform to the larger company password policy.
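The example test cases and follow-up task above, written out as an added Python example; this is not Hyperproof's Testing Engine or its test-script syntax. It assumes the evidence is a record using the field names AWS IAM returns for an account password policy (GetAccountPasswordPolicy); the sample policies, result keys, and task fields are constructed for illustration.

```python
from typing import Any, Optional

# Thresholds from the example test cases on this page.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90

def run_password_policy_tests(policy: dict[str, Any]) -> dict[str, Any]:
    """Apply the three test cases and aggregate them at the control level."""
    tests = {}

    # Test 1: fails if minimum password length is less than 8.
    # Assumption: a missing field counts as 0, so absent evidence cannot pass.
    tests["min_length"] = policy.get("MinimumPasswordLength", 0) >= MIN_LENGTH

    # Test 2: as written on the page, fails only when BOTH required symbols
    # and required uppercase characters are not true.
    symbols = policy.get("RequireSymbols") is True
    upper = policy.get("RequireUppercaseCharacters") is True
    tests["complexity"] = symbols or upper

    # Test 3: fails if password expiration is more than 90 days.
    # Assumption: a missing or zero MaxPasswordAge means passwords never
    # expire, which is treated as exceeding the limit.
    max_age = policy.get("MaxPasswordAge") or 0
    tests["expiration"] = 0 < max_age <= MAX_AGE_DAYS

    failed = sorted(name for name, ok in tests.items() if not ok)
    health = "at risk" if failed else "healthy"
    return {"tests": tests, "failed": failed, "control_health": health}

def follow_up_task(system: str, result: dict[str, Any]) -> Optional[dict[str, str]]:
    """Build the triggered task for a failing result (hypothetical task shape)."""
    if not result["failed"]:
        return None
    return {
        "assignee": f"{system} administrator",
        "summary": f"Revise {system} password policy to match company policy",
        "failed_tests": ", ".join(result["failed"]),
    }

# Constructed sample evidence, not real account data.
COMPLIANT = {"MinimumPasswordLength": 14, "RequireSymbols": True,
             "RequireUppercaseCharacters": True, "MaxPasswordAge": 90}
WEAK = {"MinimumPasswordLength": 6, "RequireSymbols": False,
        "RequireUppercaseCharacters": False, "ExpirePasswords": False}

if __name__ == "__main__":
    for name, policy in (("compliant", COMPLIANT), ("weak", WEAK)):
        outcome = run_password_policy_tests(policy)
        print(name, outcome, follow_up_task("AWS", outcome))
```

Because the second test case joins its two conditions with "and", a policy that requires uppercase characters but not symbols still passes it; use two separate test cases if both settings are mandatory.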
Want to explore further?
To learn more about how to set up automated controls testing in Hyperproof, contact your Customer Success Manager for early access or book a demo. Or, take a look at our Automated Controls Testing Starter Kit.
Reading: Check out common use cases for continuous controls monitoring.
Webinar: Sign up for our June 21 webinar, Making Continuous Controls Work for Everyone, to learn more about how CCM can benefit compliance programs and how to implement it in Hyperproof.