Compliance

Improving Compliance Management with Mappings and Automation

Adam Shnider

EVP, Assessment Services, Coalfire

November 21, 2023

Key takeaways:

  • Use automation to monitor controls required for compliance
  • Align evidence across multi-framework audit requirements
  • When these are done right, companies can see a 50% reduction in compliance costs

Based on the research in Coalfire’s 2023 Securealities Compliance Report, the third blog in this series examines one of the top concerns of CISOs and compliance program managers: realizing the value of a platform to simplify compliance.

In the first two blogs in this series, we reviewed the state of cybersecurity compliance: costs and complexity are the problem, and human intelligence-driven automation is the solution. To crack the code of compliance management, decision-makers need to embrace the mission-critical compliance essentials of preparation, assessment, maintenance, and expansion. 

In addition, one of the top concerns derived from our research is that companies aren’t seeing the savings they expected from their compliance automation platforms. The problem? Most of these systems don’t take the full compliance lifecycle into consideration. They are not built with the outcome of successful compliance assessments as the foundation of their architecture and don’t have a comprehensive solution. 

Preparing for a compliance assessment 

In school, getting the answers before the test is considered cheating; with compliance assessments, it’s called preparation. The dilemma we hear from customers is that in order to truly prepare for an assessment, the governance, risk, and compliance (GRC) programs and/or compliance automation platforms companies use require teaming with compliance experts who know each framework and have been through multiple assessments.

These platforms fail to provide an adequate level of detail and leverage generic approaches to define the information used to prepare for the assessment. Knowing the appropriate level of detail and evidence that the assessor will request is fundamental to addressing the crippling cost and complexities of managing multiple frameworks.

Due to generic control language or frameworks, mappings are wildly “off” from what is actually needed to manage and prepare for the assessments that demonstrate a company’s security and alignment within each unique compliance framework’s requirements.

When evaluating a solution to support your compliance program, keep these key criteria in mind to enable your organization’s ability to use the platform with minimal customization at the framework level: 

  • Artifact-level mappings: Make sure the solution is mapping across frameworks at the artifact level. This means the specific evidence, or “things” that will be requested during the assessment, are being tracked and mapped for each framework. The granular nature and nuance of different frameworks and their specific assessment requirements are critical to the usefulness and value of any platform. If there is any chance the platform will meet your needs and help reduce the costs of compliance, understanding the specific level of detail that is used to collect information to manage your program is a great place to start.  
  • Fully managed frameworks: Many products on the market claim to have custom mappings. However, it’s good practice to ensure that the information is requested at the artifact-level, and also, that the mappings are fully managed and updated by experts. Are the mappings based on interpretation? Are they based on feedback from assessment teams and guidance from regulators? If the base is a generic starting point, it’s common for experts to tweak and augment the mappings. Make sure you understand what is under the hood when it comes to the mappings. Simply “tweaking” mappings from a commercial common control framework won’t drive efficiency.

Coalfire's 500+ compliance experts work within our proprietary platform day in and day out, feeding new information continuously, so that the latest mappings and guidance are consistently updated.

  • Custom capabilities: Expect that your chosen platform should have a robust set of frameworks that are fully managed and updated, but no platform will have everything preloaded. Each business has unique internal or customer requirements that must be made to order. Look into the platform’s ability to add custom frameworks. Map those into the existing framework architecture to take advantage of all the pre-existing mappings. This keeps everything integrated for a single source of truth for your compliance program. You should ensure that your platform has this capability and that you have the support you need to get the frameworks loaded. Your compliance team or vendor should do most of the heavy lifting for you to get all the frameworks added to the platform's catalog. 


In the first blog post, we discussed common compliance challenges. The second blog outlined the compliance lifecycle and why many solutions fall short of holistically addressing the above criteria. Coalfire meets every criterion by envisioning a solution that brings “Actual Intelligence” (AI) to compliance programs, combining human experience and automation into one. Coalfire’s Compliance Essentials (CE) solution is the result. CE is the industry’s largest comprehensive assessment services and platform built to maintain and expand compliance programs.

The Coalfire platform is based on direct experience regarding the information and artifacts needed to meet the compliance requirements of each standard. As a result, Compliance Essentials delivers granular mappings across more than 60 frameworks that are informed and updated daily by over 500 compliance professionals.

Multiply the benefit with compliance automation 

In our recent research, over 55% of companies list “mapping controls” and “automation” as the primary means of managing compliance with multiple frameworks. To multiply the benefit of the platform, automation is a critical component.

To support automation, we recently announced a major partnership with anecdotes, one of the world’s leading security technology engineering firms. In conjunction with Coalfire’s Compliance Essentials compliance management solution, the partnership optimizes the automatic collection of evidence and audit execution.

As part of the integration, the automation collects and normalizes the data directly into the platform and maps it to the evidence requests, making it easier to monitor the related controls. Use cases show internal compliance cost reductions of up to 50% when compliance management is combined with automation, compared to manual evidence collection methods.

Coalfire sees the problems companies are facing every day on the front lines of cyberwarfare and has the team and expertise to bring clients the answers.  

This three-part blog series focused on solutions to common challenges identified in the recent Securealities report. In the face of market realities, Coalfire continues to innovate and expand the capabilities that support our customers and simplify assessments.

We are continuing to expand automation capabilities and Generative AI (the “other” AI - Artificial Intelligence) to help our customers untangle compliance complexity and accelerate time to compliance.