Continuous Controls Monitoring (CCM) is the use of technology to monitor controls continuously and test them automatically, which lets an organization manage its risks proactively and maintain a continuously compliant posture.
From a functional perspective, CCM can help organizations reduce their exposure to cybersecurity risks and make compliance processes much more efficient and cost-effective. CCM can remove the burden of having to manually test controls from compliance professionals’ shoulders and allow them to focus on higher-value projects. The technology also provides compliance professionals a mechanism for holding employees who operate systems and business processes accountable for managing the associated risks.
CCM also gives senior leaders much-needed visibility into their organization’s risk, security, and compliance posture and helps them prioritize the risks that need management. At the organizational level, CCM can improve an organization’s standing in the eyes of its customers, auditors, and regulators.
Although CCM is not a new concept and its theoretical benefits are well understood, few organizations have implemented it to date, largely because the tooling that makes it practical is still relatively new.
Are you interested in how CCM might make your job easier and deliver greater effectiveness to your organization’s risk management and compliance program? Below, we’ll show you some common continuous controls monitoring use cases that can be beneficial for virtually all organizations and industries.
Common Use Cases For Continuous Controls Monitoring
Malware Defenses
Every organization needs to control the installation, spread, and execution of malicious code at various points (e.g., end-user devices, email attachments, web pages, cloud services, user actions, and removable media). Modern malware can be designed to avoid defenses, or even to attack or disable them.
Anti-malware tooling is only one layer. The control processes organizations typically implement alongside it, and which lend themselves to automated testing, include:
- Validating that systems are configured to enforce the company password policy, and being alerted when a system is not.
- Validating that encryption is on and properly configured for cloud resources in AWS, Microsoft Azure, or Google Cloud Platform; that storage is not exposed to the public (the classic leaky S3 bucket is an access-control failure, not an encryption failure, so both need to be checked); and that access to the encryption keys is restricted to authorized personnel.
- Validating that data is transferred securely, including checking the minimum TLS version accepted for data transfers.
- Reviewing code changes and checking that each change was approved by a designated reviewer before it was pushed to production.
- Validating that monitoring tools (e.g., a web application firewall, system availability monitoring via Datadog) are running at all times so that abnormal or malicious activity is detected as early as possible.
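The encryption, public-exposure and TLS checks above can be expressed as pass/fail control tests over a configuration snapshot. The following is an added example written for this article, not Hyperproof’s code: the bucket snapshots are constructed to mimic the shape of the boto3 GetBucketEncryption, GetPublicAccessBlock and GetBucketPolicy responses, nothing is fetched from AWS, and the minimum TLS version, control IDs and bucket names are assumptions. It shows why an encrypted bucket can still fail the review: the second snapshot is encrypted yet has public access partly unblocked and a TLS floor below policy.

```python
"""Control tests for an S3-style bucket configuration (added example).

Each check returns (passed, detail) so it can run on a cadence and route
failures to an owner. Snapshots below are constructed; no AWS calls.
"""
import json

MIN_TLS_VERSION = 1.2  # assumed policy value


def check_default_encryption(bucket):
    """Pass if the bucket applies server-side encryption by default."""
    for rule in bucket.get("Encryption", {}).get("Rules", []):
        sse = rule.get("ApplyServerSideEncryptionByDefault", {})
        if sse.get("SSEAlgorithm"):
            key = sse.get("KMSMasterKeyID", "S3-managed key")
            return True, f"default encryption {sse['SSEAlgorithm']} ({key})"
    return False, "no default server-side encryption rule"


def check_public_access_block(bucket):
    """Pass only if all four public-access-block settings are on. This, not
    encryption, is what stops a bucket from being world-readable."""
    pab = bucket.get("PublicAccessBlock", {})
    required = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")
    missing = [k for k in required if not pab.get(k)]
    if missing:
        return False, "public access block incomplete: " + ", ".join(missing)
    return True, "all public access block settings enabled"


def _deny_statements(bucket):
    """Deny statements in the bucket policy that apply to every principal."""
    policy = json.loads(bucket.get("Policy") or '{"Statement": []}')
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Deny"
            and s.get("Principal") in ("*", {"AWS": "*"})]


def check_transport_security(bucket):
    """Pass if the policy denies plaintext HTTP and TLS below the minimum."""
    denies_http, tls_floor = False, None
    for s in _deny_statements(bucket):
        cond = s.get("Condition", {})
        if str(cond.get("Bool", {}).get("aws:SecureTransport", "")).lower() == "false":
            denies_http = True
        floor = cond.get("NumericLessThan", {}).get("s3:TlsVersion")
        if floor is not None:
            tls_floor = max(tls_floor or 0.0, float(floor))
    if not denies_http:
        return False, "policy does not deny aws:SecureTransport=false"
    if tls_floor is None or tls_floor < MIN_TLS_VERSION:
        return False, f"policy does not deny TLS below {MIN_TLS_VERSION} (floor: {tls_floor})"
    return True, f"HTTP denied; TLS floor {tls_floor}"


CONTROL_TESTS = {  # assumed control identifiers
    "ACC-1 no public access": check_public_access_block,
    "ENC-1 default encryption": check_default_encryption,
    "NET-1 TLS in transit": check_transport_security,
}


def run_control_tests(bucket):
    """Run every test against one bucket -> {control: (passed, detail)}."""
    return {name: fn(bucket) for name, fn in CONTROL_TESTS.items()}


def failing_controls(bucket):
    return sorted(n for n, (ok, _) in run_control_tests(bucket).items() if not ok)


def _policy(name, tls_floor):
    """Constructed bucket policy with the two transport Deny statements."""
    arns = [f"arn:aws:s3:::{name}", f"arn:aws:s3:::{name}/*"]
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
        {"Sid": "DenyOldTls", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": arns,
         "Condition": {"NumericLessThan": {"s3:TlsVersion": str(tls_floor)}}}]})


COMPLIANT_BUCKET = {  # constructed snapshot
    "Name": "finance-exports",
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/example-key-id"}}]},
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                          "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    "Policy": _policy("finance-exports", 1.2),
}

LEAKY_BUCKET = {  # constructed: encrypted, yet exposable and TLS 1.0 allowed
    "Name": "marketing-assets",
    "Encryption": {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]},
    "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                          "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    "Policy": _policy("marketing-assets", 1.0),
}

if __name__ == "__main__":
    for bucket in (COMPLIANT_BUCKET, LEAKY_BUCKET):
        for control, (ok, detail) in run_control_tests(bucket).items():
            print(f"{bucket['Name']:18} {control:26} {'PASS' if ok else 'FAIL'}  {detail}")
```

In a real deployment the three snapshot calls would come from the cloud connector, and the KMS key policy would be pulled as a fourth input so the “keys restricted to authorized personnel” part of the control can be tested rather than asserted.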
With a modern compliance operations platform such as Hyperproof, testing of these control processes can be automated: data about each control is pulled from the source systems into the platform, and the tests, once defined, run in the background on a cadence. When a test fails, an alert is routed automatically to the relevant personnel for investigation.
Identity and Access Management
Managing identity and controlling access to sensitive systems and data is a critical part of any security program.
Today, user access reviews are typically done manually, in this order:
On a monthly or quarterly basis, a compliance specialist pulls a report from the company’s HRIS with each person’s employment status and current role. This list is cross-referenced against a second report showing each user’s access level, role, or permissions in the target system under review (e.g., Salesforce). Someone then checks by hand for users whose access is higher than their job level, responsibilities, or employment status warrant.
With a continuous controls monitoring system in place, software can execute tests automatically that compare these user lists and flag users whose access level does not match their current role, job level, or employment status.
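The comparison described above, as an added example written for this article rather than Hyperproof’s own test logic. The HRIS export, the application user export, the role and profile names, and the entitlement matrix are all constructed for the example; a real test would read the same fields from the HRIS and application connectors. It flags the three cases a reviewer looks for: a terminated person whose account is still active, an account with no HRIS record behind it, and a profile higher than the job role permits.

```python
"""Automated user access review (added example): reconcile an HRIS export
against an application's user export and return the mismatches."""
from dataclasses import dataclass

# Assumed entitlement matrix: which application profiles each job role may hold.
ENTITLEMENTS = {
    "Sales Rep":     {"Standard User"},
    "Sales Manager": {"Standard User", "Sales Manager"},
    "Sales Ops":     {"Standard User", "System Administrator"},
    "Engineer":      set(),  # no access to the sales system at all
}

# Constructed HRIS export: one row per person.
HRIS = [
    {"email": "ana@example.com",  "status": "active",     "job_role": "Sales Rep"},
    {"email": "ben@example.com",  "status": "active",     "job_role": "Sales Manager"},
    {"email": "cleo@example.com", "status": "terminated", "job_role": "Sales Rep"},
    {"email": "dev@example.com",  "status": "active",     "job_role": "Engineer"},
    {"email": "eve@example.com",  "status": "active",     "job_role": "Sales Ops"},
]

# Constructed application export (e.g., a Salesforce user list).
APP_USERS = [
    {"email": "ana@example.com",  "profile": "System Administrator", "active": True},
    {"email": "ben@example.com",  "profile": "Sales Manager",        "active": True},
    {"email": "cleo@example.com", "profile": "Standard User",        "active": True},
    {"email": "dev@example.com",  "profile": "Standard User",        "active": False},
    {"email": "eve@example.com",  "profile": "System Administrator", "active": True},
    {"email": "svc-integration@example.com", "profile": "System Administrator", "active": True},
]


@dataclass(frozen=True)
class Finding:
    email: str
    issue: str   # terminated_user_active | orphan_account | excess_privilege
    detail: str


def review_access(hris, app_users, entitlements):
    """Return access-review findings, sorted by (email, issue) for stable reports."""
    people = {row["email"].lower(): row for row in hris}
    findings = []
    for user in app_users:
        if not user["active"]:
            continue  # a deactivated account is not a finding
        email = user["email"].lower()
        person = people.get(email)
        if person is None:
            findings.append(Finding(email, "orphan_account",
                                    f"profile {user['profile']} with no HRIS record"))
        elif person["status"] != "active":
            findings.append(Finding(email, "terminated_user_active",
                                    f"HRIS status {person['status']}, profile {user['profile']}"))
        else:
            allowed = entitlements.get(person["job_role"], set())
            if user["profile"] not in allowed:
                findings.append(Finding(email, "excess_privilege",
                                        f"{person['job_role']} holds {user['profile']}; "
                                        f"allowed: {sorted(allowed) or 'none'}"))
    return sorted(findings, key=lambda f: (f.email, f.issue))


def access_review_control(hris, app_users, entitlements):
    """Pass/fail for the control plus the findings to route for investigation."""
    findings = review_access(hris, app_users, entitlements)
    return len(findings) == 0, findings


if __name__ == "__main__":
    passed, findings = access_review_control(HRIS, APP_USERS, ENTITLEMENTS)
    print("PASS" if passed else "FAIL")
    for f in findings:
        print(f"  {f.issue:24} {f.email:28} {f.detail}")
```

The service account shows up as an orphan on purpose: integrations and break-glass accounts should be carried on an explicit, owned exception list that the test consults, not silently skipped, or the review stops covering exactly the accounts attackers like most.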
Endpoints Configuration Management and Protection
Each organization uses a variety of hardware devices – laptops, desktops, smartphones, servers, and IoT devices – to power its business. Each device’s configuration determines how it behaves and how well it is protected.
To reduce the risk of system outages, data breaches, and data leaks, IT managers and product developers must manage configuration carefully and keep track of configuration changes to ensure traceability. Endpoint devices need antivirus protection, compliance monitoring, security visibility, and security enforcement.
Many modern organizations have deployed device management (MDM and security) applications to make provisioning, deployment, patch management, and monitoring easier. But did an IT administrator remember to install the latest patch on company laptops – in every instance when a patch became available – within the last 12 months? Getting this level of detail still requires lots of digging through reports that come with the device management application.
Fortunately, once a compliance operations platform is integrated with a device management system (e.g., Jamf or Microsoft Intune), detailed configuration data about the managed devices can sync into the platform automatically. One can then write a test that verifies corporate devices are configured correctly and protected according to the designated policies.
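The “was every patch installed on every laptop within the SLA, for the whole year?” question above is a good example of such a test. The following is an added example written for this article, not Hyperproof’s, Jamf’s or Intune’s code: the patch release dates, the device inventory (serial, last check-in, per-patch install date), the 14-day SLA and the stale check-in threshold are all constructed or assumed. A device that has not checked in recently is reported as “unknown” rather than passed, because an inventory that is silent cannot prove anything.

```python
"""Patch-timeliness control test over an MDM inventory export (added example)."""
from datetime import date, timedelta

PATCH_SLA_DAYS = 14        # assumed policy: install within 14 days of release
STALE_CHECKIN_DAYS = 7     # assumed: a device silent this long cannot be trusted to report
WINDOW_END = date(2024, 6, 30)            # "as of" date for the review
WINDOW_START = WINDOW_END - timedelta(days=365)   # 12-month look-back

# Constructed OS patch releases for one platform.
PATCHES = {
    "14.4": date(2024, 3, 7),
    "14.5": date(2024, 5, 13),
    "14.6": date(2024, 7, 29),   # after the window; must be ignored
}

# Constructed MDM inventory: install date of each patch (absent = not installed).
DEVICES = [
    {"serial": "C02AAA", "last_checkin": date(2024, 6, 29),
     "installed": {"14.4": date(2024, 3, 12), "14.5": date(2024, 5, 20)}},
    {"serial": "C02BBB", "last_checkin": date(2024, 6, 30),
     "installed": {"14.4": date(2024, 4, 10), "14.5": date(2024, 5, 15)}},   # 14.4 late
    {"serial": "C02CCC", "last_checkin": date(2024, 6, 28),
     "installed": {"14.4": date(2024, 3, 10)}},                              # 14.5 missing
    {"serial": "C02DDD", "last_checkin": date(2024, 5, 1),
     "installed": {"14.4": date(2024, 3, 9), "14.5": date(2024, 5, 14)}},    # stale; unverifiable
]


def evaluate_device(device, patches, as_of=WINDOW_END):
    """Return [(patch, status, detail)] for every patch released in the window.
    status: on_time | late | overdue | pending | unknown"""
    results = []
    stale = (as_of - device["last_checkin"]).days > STALE_CHECKIN_DAYS
    for patch, released in sorted(patches.items(), key=lambda kv: kv[1]):
        if not WINDOW_START <= released <= as_of:
            continue
        deadline = released + timedelta(days=PATCH_SLA_DAYS)
        installed = device["installed"].get(patch)
        if stale:
            results.append((patch, "unknown", f"no check-in since {device['last_checkin']}"))
        elif installed is None:
            status = "overdue" if as_of > deadline else "pending"
            results.append((patch, status, f"not installed; deadline {deadline}"))
        elif installed > deadline:
            days_late = (installed - deadline).days
            results.append((patch, "late", f"installed {installed}, {days_late} days past SLA"))
        else:
            results.append((patch, "on_time", f"installed {installed}"))
    return results


def patch_control(devices, patches, as_of=WINDOW_END):
    """Fleet-level pass/fail plus the exception list an auditor will ask for."""
    exceptions = []
    for device in devices:
        for patch, status, detail in evaluate_device(device, patches, as_of):
            if status not in ("on_time", "pending"):
                exceptions.append((device["serial"], patch, status, detail))
    return len(exceptions) == 0, exceptions


if __name__ == "__main__":
    passed, exceptions = patch_control(DEVICES, PATCHES)
    print("PASS" if passed else "FAIL")
    for serial, patch, status, detail in exceptions:
        print(f"  {serial} {patch:5} {status:8} {detail}")
```

Because the test is re-run on a schedule and its results retained, the answer to “was this true in every instance over the last 12 months?” becomes a query over stored results rather than a dig through reports.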
Keeping Logs of Events/Incidents For a Designated Amount of Time
Monitoring isn’t just important for ensuring effective operations, reducing risks of outages and data breaches, and preventing malware threats. Being able to show that your systems are properly monitored over time is a must-have for passing IT audits. IT auditors want to see a paper trail that all monitors ran as they should and that incidents and events were identified and fixed according to established company policies and procedures.
With the move to the cloud, performance and security monitoring tools such as Datadog have (rightfully so) gained popularity.
Although a monitoring platform like Datadog is quite effective at its primary purpose – giving engineers and security teams visibility into infrastructure and network performance with broad coverage and minimal deployment effort – its logging, data retention, and auditability capabilities aren’t nearly as strong.
An auditor may want to see that a monitor was running as it should have six months ago. To produce this evidence (or to show the exact timestamp at which an incident was identified), a compliance professional would need to diligently capture screenshots from Datadog on a regular basis (or ask a colleague to do so) and keep them organized in a central location.
With a compliance operations platform that integrates with Datadog, a compliance professional can pull logs from Datadog and tie the evidence to the relevant controls around system availability, eliminating the need to take screenshots manually for audits.
Vulnerability Management and Incident Response
During many IT audits, an auditor will ask the compliance team for evidence of whether the organization searched for vulnerabilities, addressed critical vulnerabilities on a timely basis, and followed its own vulnerability management policy and incident response plan.
This type of evidence typically comes from a vulnerability management scanner tool and the tool used to track incidents, issues, and their resolution. With a compliance operations platform that integrates with an organization’s vulnerability scanner and ticketing tools, the organization can establish the chain of events and automatically execute logical tests to verify that control processes were conducted on time. The testing procedure and test results can then be packaged up to satisfy an auditor’s inquiry.
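The chain-of-events test described above, as an added example written for this article rather than Hyperproof’s own test logic. The scanner findings, the ticket export, the per-severity SLAs and the triage window are constructed or assumed; a real test would read them from the scanner and ticketing connectors. For each finding it reconstructs the timeline (seen, ticketed, no longer seen) and classifies it, so that what gets packaged for the auditor is both the verdict and the evidence behind it.

```python
"""Vulnerability remediation SLA control test (added example)."""
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # assumed remediation policy
TRIAGE_DAYS = 2                                        # assumed: ticket opened within 2 days
AS_OF = date(2024, 6, 30)

# Constructed scanner export: first sighting and, if any, the date the scanner stopped reporting it.
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "severity": "critical", "first_seen": date(2024, 6, 1),  "resolved": date(2024, 6, 5)},
    {"id": "F-2", "asset": "db-02",  "severity": "critical", "first_seen": date(2024, 6, 3),  "resolved": date(2024, 6, 20)},
    {"id": "F-3", "asset": "app-03", "severity": "high",     "first_seen": date(2024, 5, 1),  "resolved": None},
    {"id": "F-4", "asset": "app-04", "severity": "high",     "first_seen": date(2024, 6, 10), "resolved": None},
    {"id": "F-5", "asset": "web-05", "severity": "medium",   "first_seen": date(2024, 6, 12), "resolved": date(2024, 6, 15)},
]

# Constructed ticket export; each ticket references the scanner finding it tracks.
TICKETS = [
    {"key": "SEC-101", "finding_id": "F-1", "created": date(2024, 6, 1),  "closed": date(2024, 6, 5)},
    {"key": "SEC-102", "finding_id": "F-2", "created": date(2024, 6, 4),  "closed": date(2024, 6, 20)},
    {"key": "SEC-103", "finding_id": "F-4", "created": date(2024, 6, 11), "closed": None},
    {"key": "SEC-104", "finding_id": "F-5", "created": date(2024, 6, 12), "closed": date(2024, 6, 15)},
]

PASSING = ("remediated_on_time", "open_within_sla")


def assess_finding(finding, ticket, as_of=AS_OF):
    """Return (status, events): the verdict and the reconstructed timeline.
    status: remediated_on_time | remediated_late | open_within_sla | overdue | untracked"""
    sev = finding["severity"]
    deadline = finding["first_seen"] + timedelta(days=SLA_DAYS[sev])
    events = [f"{finding['first_seen']} scanner reports {finding['id']} ({sev}) on {finding['asset']}"]
    if ticket is None:
        return "untracked", events + ["no ticket references this finding"]
    events.append(f"{ticket['created']} ticket {ticket['key']} opened")
    if (ticket["created"] - finding["first_seen"]).days > TRIAGE_DAYS:
        events.append(f"triage window of {TRIAGE_DAYS} days missed")
    resolved = finding["resolved"]
    if resolved is None:
        events.append(f"still open as of {as_of}; remediation deadline {deadline}")
        return ("overdue" if as_of > deadline else "open_within_sla"), events
    events.append(f"{resolved} scanner no longer reports the finding")
    if ticket["closed"] is None:
        events.append(f"ticket {ticket['key']} still open although the finding is gone")
    return ("remediated_on_time" if resolved <= deadline else "remediated_late"), events


def vulnerability_control(findings, tickets, as_of=AS_OF):
    """Pass/fail plus the failing finding IDs and the full per-finding report."""
    by_finding = {t["finding_id"]: t for t in tickets}
    report = {f["id"]: assess_finding(f, by_finding.get(f["id"]), as_of) for f in findings}
    failures = sorted(fid for fid, (status, _) in report.items() if status not in PASSING)
    return len(failures) == 0, failures, report


if __name__ == "__main__":
    passed, failures, report = vulnerability_control(FINDINGS, TICKETS)
    print("PASS" if passed else "FAIL", failures)
    for fid, (status, events) in report.items():
        print(f"{fid} {status}")
        for line in events:
            print("   ", line)
```

Two design points matter here. The scanner, not the ticket, decides when a finding counts as fixed: closing a ticket on a vulnerability the scanner still sees is a process failure the test should surface, not hide. And a finding with no ticket at all (F-3 above) fails even though nothing is “late” yet, because the control being tested is that the policy was followed, not merely that the vulnerability eventually went away.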
What’s Needed to Implement CCM
Implementing CCM in some cases can be as simple as turning on certain settings in the source operating system and using its built-in reports for monitoring. But to have a comprehensive CCM system in place that monitors a wide range of controls across business domains, an organization needs to have a single repository that documents and manages its controls and gathers evidence of their effectiveness. This type of system, commonly known as a compliance operations platform, is built to test and monitor controls at scale. Hyperproof is a pioneer in this category.
A compliance operations platform such as Hyperproof has connectors to common business applications across IT, Development, Security, HR, Sales, and Finance, and can automatically pull relevant data about many types of controls into its platform for streamlined controls assessment and validation. From there, a compliance professional can define a test with pass/fail criteria and a frequency for the test and set up automated workflows to manage alarms, communicate, investigate, and correct the control weaknesses.