Audit fatigue continues to be a hot topic in the world of regulatory compliance. As countless organizations struggle with the time-consuming, resource-intensive processes of achieving and maintaining compliance, many are on a mission to find relief. While there is no magic cure-all, there are ways to help relieve it, as Telos VP of Strategy and Cloud, Steve Horvath, outlined in our recent webinar, “Combatting Audit Fatigue in IT Risk Management.”
One such topic discussed in this webinar was automation, and in my opinion, genuinely useful automation comes down to using the right tools. Fortunately, Telos’ flagship product, Xacta, excels in this area. In fact, Xacta’s use of automation begins before you even get to the auditing stage of the compliance process.
From the Beginning of the Compliance Effort
Early on, when you are establishing your compliance effort, features such as automated control selection through the use of criteria questions and impact levels take a large bite out of the time required to tailor your initial baseline security controls.
Xacta also uses automated techniques to populate your asset, OS, and software libraries (as well as maintain them) to ensure an accurate and manageable test plan — for both on-premises and cloud assets. Scheduled imports, as well as scanning capabilities through third-party software or Xacta’s HostInfo utility, make all of this possible.
During the Audit Process
Once it’s audit time, this is where Xacta shines.
When you’re ready to validate your controls (whether it’s a self-validation or a third-party assessor), Xacta can automatically generate a concise test plan to validate every control you need to be compliant with.
From within this test plan, technical controls can be automatically executed through the use of scripting or by importing test results from other third-party validation software.
For those controls that are non-technical – which make up a majority of the assessment process — you can rely on a compartmentalized test plan that can be used for manual entry; or you can use Xacta Compliance Campaign Manager to streamline the process in the form of qualitative surveys and questionnaires.
For those organizations that require compliance with multiple regulations, Xacta can predictively map similar controls together while still allowing user control through the use of confidence factors. This allows for the much–sought-after, time-saving concept of “test once, comply with many.”
For organizations that employ control inheritance, Xacta’s inheritance questionnaire allows for the seamless and automatic inheritance of pre-validated controls from other systems – both on-prem and in the cloud. This feature also comes with an automated approval process to ensure that only valid systems are inheriting controls.
What about after the assessment? Xacta continues to automate the auditing process by automatically calculating the risk of the system through the generation of specially grouped risk elements (based on test failures) that simplify the risk mitigation process. Instead of addressing potentially hundreds of individual risk instances, users can analyze their risk by categories and save time through efficiency.
Once analyzed, Xacta can automatically generate the elements for your Action Plan or Plan of Action and Milestones (POA&M), as well as the report itself, for any residual risk. In fact, all reports and documentation in Xacta – no matter how unique – are automatically generated with the touch of a button through the use of extensible publishing templates. These reports can be entirely customized by modifying the template to fit your organization’s needs.
After the Auditors are Gone
Automation in Xacta continues once the initial audit process is complete. In order to ensure each subsequent audit goes smoothly, you must adhere to the concept of continuous monitoring. Xacta supports this crucial phase by allowing you to set automated, recurring evaluation intervals on your controls (also known as periodicity). Users can take this a step further by employing the same automated scanning features utilized in the testing phase.
These two attributes, combined with powerful dashboard capabilities and notification features, will ensure your organization is ready for your next audit.
Intelligent Workflow Throughout
While automating individual pieces of the auditing and assessment process is highly beneficial, it goes without saying that efficient workflow throughout the entire process is also invaluable. With large amounts of personnel involved, keeping things organized and moving can quickly become a challenging aspect of any audit.
Xacta has a robust workflow and approval process based on a strict hierarchy of projects, tasks, and process steps. Users can be assigned data entry and/or approval roles, and time limitations can be set to ensure an effective workflow from the onset of a compliance effort all the way through the auditing and continuous monitoring phases.
Furthermore, Xacta’s workflow is intelligent and data-driven. It can be controlled through expression-driven tasks based on high-level criteria (such as pre-requisites and control selection) or low-level details that are entered into a single field in the application. When fully utilized and deployed, Xacta’s intelligent workflow can automate an assessment project at a level unseen in the compliance industry.
The bottom line is, when it comes to audit fatigue, there are a variety of strategies that allow you to automate one or many parts of the compliance process. Having one platform that does it all is invaluable for relieving you of the time-consuming tasks and mechanics that compliance reporting requires.
If your organization is struggling with audit fatigue, I encourage you to watch the on-demand webinar, “Combatting Audit Fatigue in IT Risk Management;” and if you feel Xacta can assist you with your automation efforts, please reach out for a demo from one of our qualified sales representatives.
The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.