If we’d been given a penny for every time we heard this complaint, we’d be very rich. Audits tend to be very tedious and time-consuming, where tons of evidence has to be gathered from many different systems.
For an auditor this typically is seen as a proof of having an ad-hoc process organisation, resulting in a lower score than you would have liked to have.
But when you think about it realistically: if you really have to dig through so many systems, just to be able to answer an auditor question, how can you steer your company in a controlled and governed manner? Are you really demonstrably in control of your business? We’ve not seen many companies that are, regardless of their size or how much money they throw at it.
The fact of the matter is that different information resides on different systems and the correlation between the data is something someone has to do, but never does.
It may sound a bit strange coming from us, advocating security being about people and not technology, but in this instance its about security automation and repetition. If you can automate, automate! Gathering information needed for compliance controls is a typically repetitive job that can and should be automated.
It is not uncommon that company policies prohibit the usage of certain websites, technologies etc. History shows though that enforcing these policies is a whole different ballgame. Torrent technologies are notoriously hard to block, people find ways around filesharing blocks and preventing email clients like Hotmail or Gmail to be used seem impossible due to various privacy laws.
The information needed to demonstrate technical compliance is the type of information that bluedog will gather for you from all of the technical modules we have deployed throughout our solution. As we have a variety of data we gather, we help your company validatethe factual compliance state of your company’s network.
Once you have all of the information needed to answer the auditor’s questions, where do you store this data and how to you guarantee its integrity?
Data received from various systems must be stored and exchanged with the compliance department or auditors. But, this data is usually in the form of excel documents, csv files or another format that allows alteration of data.
When a compliance audit for SOC2 type 2 is done, a broad variety of data requests are performed. Auditors expect a predictable way of getting information. The more differences that are seen in supplied information, the less likely it is that a good score is given.
This is where bluedog can help. The compliance monitoring modules in the dashboard allow you to pull extracts of the required data in a uniform format, which cannot be altered. This givesthe third-party assurance on data integrity that your auditor and compliance officer will love!
Combining technical proof with compliance questionnaires for the theoretical parts of the compliance standards, completes the governance control bluedog offers. Requesting proof to be uploaded while answering questions in recurring interval demonstrates that you are in control. The bigger the time gaps between supplying evidence the less likely it is that a company is truly in control.
Typically an audit occurs annually or once every 2 years. For most companies, this is the only true time that they are being compliant with the assessed guidelines.
It’s a few weeks of hard work, gathering everything that proves that processes have been written down and that procedures actually exist. What is often missing though is the proof that these processes and procedures are being controlled on a continuous basis.
At bluedog we have a way that helps you to show how well your company is doing on the parts that we have our eyes on. By combining technical data with given answers for the policy related sections, bluedog is able to give you clear insight on where you stand compliancy wise. No more surprises and no more playing catch-up.
Audits and ‘being compliant’ to a certain standard seems like a lot of work and is often considered a burden. The intention of these compliancy standards is to help you guide your company to a controllable and predictable state. Once you know what to expect, you can correct if you go off track.
However, this should not be a once a year exercise for any company. Compliance should be a natural and continuous state for the business, having information available at all times, so that adjustments can be made before things really go wrong.
Bluedog use available technical data to demonstrate control, combining this with matching processes, procedures and policies. Having this available inside
one system allows a trusted third party to maintain the compliance state and present the results for an auditor without breaking the data integrity chain.
This is exactly what bluedog can do for your company so you can focus on what you do best: running your business.