
Controls Inheritance – Easing the burden of compliance and reducing audit fatigue

By Rick Tracy •  May 5, 2020

Many organizations today struggle with the burden of achieving and maintaining compliance, because audits are time-consuming, resource-intensive processes. Audit fatigue is all too real and, unfortunately, there is no magic cure-all. There are, however, ways to relieve it. Telos VP of Strategy and Cloud Steve Horvath discussed three of them in our recent audit fatigue webinar: control mapping, controls inheritance, and automation.

As Steve pointed out in the webinar, setting up a controls inheritance model is an incredibly valuable exercise: labor-intensive at the outset, but a huge time saver in the long run.

Where control mapping allows you to test once and satisfy many different but similar controls across frameworks, controls inheritance reduces the time and effort spent implementing and documenting controls within an organization or environment as new systems are deployed and pre-validation audits take place. Sharing control implementation narratives, validation results, artifacts, and Action Plans is what makes controls inheritance such a big time saver: the receiving system reuses evidence that the overarching boundary has already produced and had validated.

In a well-implemented control inheritance model, the overarching organization (enterprise system or cloud provider) provides data for:

  • Fully inherited controls: implementation narratives, control validation results, artifacts, and Action Plans;
  • Inheritable portion of shared controls: implementation narratives, validation results, artifacts, Action Plans;
  • Recommended implementation for system-specific controls and the non-inheritable portion of shared controls: suggestions for how the receiving system should implement these controls, also known as recommended controls implementation (RCI). The receiving system remains responsible for documenting and validating this portion itself; the RCI tells it how, but does not do it for it.

As you can see, the inheritance model shares work that has already been done, saving others the time and effort of documenting and validating the same security controls for their own systems.

This lets any new system added to an established boundary inherit existing controls rather than reinvent the wheel. Providing recommended configuration information for shared controls, and building general support systems into boundaries so that they can be inherited, ultimately reduces the burden and the audit fatigue that comes with it.

When your compliance and cybersecurity activities are based on a well-informed and well-established boundary, you gain the ability to inherit, which reduces the burden by an order of magnitude. A good example is a multi-factor identity and access management system. If it is implemented and validated once at the boundary level, anyone standing up another capability within the organization can inherit those access controls, along with the recommended controls implementation, instead of building and auditing their own.

RCI guidance tells a receiving system how to configure itself so that it qualifies to inherit the boundary's controls. With this guidance, many organizations have been extremely successful in moving sensitive information to the cloud. And many cloud service providers have created security-focused standardized architectures that help managed service providers, cloud provisioning teams, developers, integrators, and information security professionals inherit pre-configured controls, again saving both time and effort.

Using automation and inherited data, you can base your organization’s risk management and compliance activities on a single baseline and build an inheritance model that makes sense. These practices will significantly reduce the impact on your security operations team.

Solutions like Xacta can help you inherit the pre-vetted security controls and RCI of the on-prem and cloud services you use, and can streamline the multiple steps involved in validating the compliance for your workloads.

If your organization is struggling with audit fatigue, I encourage you to watch the on-demand webinar, “Combatting Audit Fatigue in IT Risk Management,” where, among others, the concepts of controls inheritance and RCI are discussed further.

Rick Tracy

Rick Tracy is the senior vice president and chief security officer at Telos Corporation. Follow him on Twitter: @rick_tracy

The Empower and Protect Blog brings you cybersecurity and information technology insights from top industry experts at Telos.
