Compliance
The Compliance Module assists an Organization in maintaining Compliance with Control Frameworks. Audits of a single Control Framework are point-in-time evaluations of Security Controls. Continuous Compliance is used to maintain an Organization’s internal compliance through automatic evidence gathering, proving that Security Controls are up to date year round, which streamlines Audits.
Evidence — An Evidence Artifact represents an Item that shows that one or more Security Controls are in place. E.g. “Anti-Virus Monitoring Report”
- Evidence Uploads
- Create an Evidence Item — The user can create an Evidence Item. Evidence can be linked to one or more Controls for the Continuous Compliance cycle.
- Assign Evidence Owners — A User can assign a Point of Contact as the owner of an Evidence. During the Continuous Compliance cycle, assigned Points of Contact are responsible for uploading artifacts to verify Controls are in place.
- Evidence Activity — A User can view all actions that have taken place for a specific Evidence item, such as Evidence uploads or expiration dates. Any new resources linked to the Evidence item are accessible through the Evidence Activity feed as well. The option to record Evidence is available through the Evidence Activity display.
- Setting an Evidence Item's Frequency — A user can set and update the Frequency of Evidence. The Frequency determines when emails will be sent to an Evidence’s assigned Points of Contact. The frequency can be edited down to the time of day that the email will send, along with how many days, months, or quarters between emails.
- Automatic Evidence Gathering
- Validating an Evidence Artifact — Evidence validation is one of the last steps in the Continuous Compliance cycle. To keep an Evidence status at “In Place”, the Points of Contact assigned to the Evidence submit artifacts that confirm all associated Controls are active. An artifact is any data, such as documents or resources from the platform (Meetings, Reports, etc.), that represents the Evidence information. Once artifacts are submitted, the Evidence resource in the platform receives the status “Pending Validation”. All Evidence items marked “Pending Validation” are ready to be reviewed by a security expert. After the validation process is complete, the Evidence status returns to “In Place” or becomes “Expired”, depending on whether the Evidence satisfies the requirements.
- Enable/Disable Automatic Evidence Gathering — A User can toggle whether an Evidence has Automatic Evidence Gathering ongoing.
- Link Evidence and Controls — Controls and Evidence are associated in a Many-to-Many connection. For example, one Control can be supported by several Evidence items:
  - Control: “An information security program is in place”
    - Evidence 1: “Information security program policy”
    - Evidence 2: “Meeting minutes for information security meetings”
  And one Evidence item can support several Controls:
  - Evidence: “Information security program policy”
    - Control 1: “An information security program is in place”
    - Control 2: “Policies are kept up to date regarding information security”
  Control Statuses are automatically updated based on the status of the associated Evidence. If any single associated Evidence is ‘Expired’, then the Control is ‘Not in Place’. Likewise, if all associated Evidence is ‘In Place’, then the Control is ‘In Place’ as well.
- Attaching Risk Controls To An Evidence — Attach an Evidence to a Risk Control to automatically update Implementation Levels
- Attaching KPIs To An Evidence — Automatically adjust the status of an Evidence based on Metric performance thresholds.
- How Evidence triggers Risk Changes — Automatically dispatch Risk Changes based on current Evidence status
- Evidence Triggered Risk Changes — Trigger Risk Control changes using evidence.
- Linking A Phishing Test To An Evidence — Select a phishing test to support the validation of an evidence.
- Linking A Training Campaign To An Evidence — Select a training campaign to support the validation of an evidence.
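As an added illustration (not the platform's own code), the following Python model shows the Evidence lifecycle and the Control status derivation described above, using the example Control and Evidence names from this page. The results for a Control whose Evidence is still under review (“Pending Validation”) or that has no linked Evidence (“Unknown”) are assumptions, since the page only states the Expired and In Place rules.

```python
from dataclasses import dataclass, field

# Evidence statuses named on the page.
IN_PLACE, PENDING, EXPIRED = "In Place", "Pending Validation", "Expired"


@dataclass
class Evidence:
    name: str
    status: str = IN_PLACE
    artifacts: list = field(default_factory=list)

    def submit_artifact(self, artifact: str) -> str:
        """A Point of Contact uploads an artifact; the item now awaits review."""
        self.artifacts.append(artifact)
        self.status = PENDING
        return self.status

    def validate(self, satisfies_requirements: bool) -> str:
        """Reviewer decision: back to In Place, or Expired. Only valid while pending."""
        if self.status != PENDING:
            raise ValueError(f"{self.name!r} is not awaiting validation")
        self.status = IN_PLACE if satisfies_requirements else EXPIRED
        return self.status


@dataclass
class Control:
    name: str
    # Many-to-many: the same Evidence object may be linked from several Controls.
    evidence: list = field(default_factory=list)

    def status(self) -> str:
        """Derive the Control status from its linked Evidence."""
        if not self.evidence:
            return "Unknown"  # assumption: no linked Evidence gives no verdict
        statuses = {e.status for e in self.evidence}
        if EXPIRED in statuses:          # any Expired Evidence -> Not in Place
            return "Not in Place"
        if statuses == {IN_PLACE}:       # all In Place -> In Place
            return "In Place"
        return PENDING                   # assumption: some Evidence under review


def build_example():
    """Constructed sample using the page's example names; returns the shared objects."""
    policy = Evidence("Information security program policy")
    minutes = Evidence("Meeting minutes for information security meetings")
    c1 = Control("An information security program is in place", [policy, minutes])
    c2 = Control("Policies are kept up to date regarding information security", [policy])
    return policy, minutes, c1, c2
```

Because `policy` is linked from both Controls, one Expired validation flips both Controls to ‘Not in Place’, which is exactly the propagation the Many-to-Many link is meant to produce.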
Controls — A Control represents something that an Organization must do to be secure. E.g. “Anti-Virus is run daily”
- Create a Control — The user can create a new Control based on a Control Framework. A Control can have associated Evidence.
- Using Control Tags — A User can add Tags to Controls for organization purposes. The Control list can be sorted or filtered by a specific Tag.
- Importing Control / Evidence Linking
- Exporting Control Mapping
Control Frameworks — A grouping of controls for a certain standardization. E.g. “ACET”.
- Create a Control Framework — A User can create a new Control Framework in the Platform. A Control Framework allows the User to establish information security Controls.
- Editing Control Framework Custom Fields — A User can add Custom Fields to a Control Framework. These fields can be different types (String, boolean, etc.) and will apply to every newly added Control to the Framework.
- Export Control Framework — A User may export an entire Control Framework to a Spreadsheet file.
Audits — A point-in-time evaluation of an Organization’s security Controls
- Starting an Audit — A User can begin an Audit for a Control Framework to evaluate all Controls within it.
- Setting Audit Control Notes, Compliance, Observations — A User can add notes, edit the compliant status of Controls (within the Audit only), and create Observations/Recommendations based on the results of the Audit.
- Starting an Audit with Existing Control Data — A User can create an audit and upload a CSV file containing existing ‘Compliance’, and ‘Notes’ data for existing Controls.