Continuous Compliance™
I want to bring up the idea I have been hinting at, which is Continuous Compliance.
Traditional compliance models fix a compliance state at the time the data in the client’s evidence pool is captured and proofed. Pooling the data means that synchronization between systems must be provable, because Sequence of Event (SOE) errors in computer-generated reports can misrepresent data in its temporal attestation. Because of that, security and strong-practice controls are necessary, and these are very expensive: they require continuous human review, since a new model statement must be produced for each process state or control area. Once the testing and audit are complete, traditional risk models state that the effective trust decays until it reaches its lowest point, which is the time of the next review and attestation.
AI meets Information Assurance
Computing and artificial intelligence offer a new possibility that is already changing how secure and provable systems are built, so that a legally provable attestation (not merely an assertion) can be made. Probabilistic modeling is used to create real data integrity constraints for each component in the workflow. This new model is based on a deterministic approach to the evidence produced at each stage, such that it provides inline attestations for each data object or element represented as ‘proof of something’ or ‘evidence’. The system is tightly monitored in its deployment, and its controls provide direct testimony as to the events which flow through it.
The idea is that the machine itself can deliver a set of application-specific automated controls, so that the computer is in fact testifying as to the events within it. Machine-based testimony is finally real. The opportunity is to add extra integrity control data which travels along with the content data to validate the information in the content stream, together with a set of tracking-agent data which completes the evidence model for the system event. MITRE CEE, OASYS XML, Syslog and other representational models provide transports for interoperability with other log and event control interfaces.
ContinuousCompliance™
The ContinuousCompliance system then forms a telemetry-based information assurance process which makes the status of any event stage within the chain of custody of the content stream fully solvable (through a mathematical formula for each workflow), for both the attestation and its supporting evidence.
Continuous Compliance fully automates the controls within a hierarchy to provide a business practice audit which can be proven through periodic review of the system logs and proof models. By proving the formula for each workflow continuously, the system is monitored through telemetry-based dashboards which provide continuous assurance as to the actual operating state of the system and its transactions, in real time, for almost all uses.
Continuous Auditing Benefits
The benefits of deploying systems which include the ContinuousCompliance system are substantial for audit and risk processing. The output of each stage can be tracked to provide a continuous logging stage for each event stream in the workflow.
The telemetry controls provide a dashboard reporting model with hierarchical alarm capabilities for systems and application contexts which maintain their own time service (as in Cloud virtual instances). What this means is that the business practice itself can be audited in a mostly automated manner. Auditors can review the system continuously, which reduces the time to complete ongoing audits and allows more of the review work to be done remotely. System anomalies and security incidents are tracked and can be undone much more easily, and with less cost-to-make-right, than with the traditional human-operated search and testimony process.
Immediate ROI
The immediate and ongoing ROI of such a process comes from reducing risk by automating large parts of the entity’s audit and compliance verification. Automated controls are self-auditing, so the code itself is what is reviewed, together with its results. This means that if none of the reports raise alarms, the entity’s compliance is in place.
Telemetry-based content assurance
Telemetry-based content assurance systems and knowledge representation controls are the perfect addition to Cloud and SaaS technologies. Because controls of this type can be fully telemeterized, they form a workflow-tracking process which can provide control information (sensors) at each and every stage. Once the expected evidence from each stage can be ‘defined’, verifying that data is easily performed through this formula process, with the result being provable through the reports themselves. This will reduce the cost of ongoing SOX 302 compliance to almost nothing and provides continuously available information on the integrity of the transaction system itself. The core of this process is the digital timestamps, which can be read and carry cryptographically asserted consequence in the legal sense.
Continuous Compliance is then the next step in high risk digital accounting. Systems watching systems…
Applying Continuous Compliance architecture concepts to existing systems generally increases the data store needed to represent the event streams by about 300%. The proofing and integrity telemetry provides the envelope of trust that makes the content contained in this practice model reliable. With ContinuousCompliance, workflows are predefined such that they always produce known results, and the precursor stage passes context state data along with the content itself, so that its functional integrity has a forensic proof for each event stored. The evidence model is predictable and solvable for each event captured this way.
For more information about ContinuousCompliance, contact our sales department at sales@certichron.com or call us at 800-511-2301 in California.
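The two ideas above, integrity control data that travels with the content and a precursor stage handing its context state to the next stage so that every event has a forensic proof, can be illustrated with a small hash-chained evidence log. The following is an added example written for this page; it is not Certichron's product code and does not describe how ContinuousCompliance is implemented. It assumes a workflow of named stages, a per-stage content object, and a keyed HMAC standing in for the cryptographically asserted timestamp (a real deployment would use a signature or a trusted timestamp authority). The stage names, contents, timestamps and the audit key are all constructed sample data.

```python
import hashlib
import hmac
import json
from datetime import datetime

# Hypothetical audit key (constructed for this example). A production system would
# use a signature or a trusted timestamp authority; an HMAC stands in so this runs offline.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = hashlib.sha256(b"genesis").hexdigest()


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(record: dict) -> bytes:
    # Deterministic encoding of everything except the tag itself.
    body = {k: v for k, v in record.items() if k != "tag"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(record: dict) -> str:
    return hmac.new(AUDIT_KEY, _canonical(record), hashlib.sha256).hexdigest()


def append_stage(chain: list, stage: str, content: bytes, context: dict, timestamp: str) -> dict:
    """Append one workflow stage: content digest, inherited context state, a link to the
    precursor record, and a keyed tag over all of it (the integrity control datum)."""
    prev = _digest(_canonical(chain[-1])) if chain else GENESIS
    record = {"stage": stage, "timestamp": timestamp, "content_sha256": _digest(content),
              "context": context, "prev": prev}
    record["tag"] = _tag(record)
    chain.append(record)
    return record


def verify_chain(chain: list, contents: list) -> list:
    """Re-derive every control value from the stored evidence. Returns (stage, status)
    pairs and stops at the first stage whose evidence does not hold."""
    if len(chain) != len(contents):
        return [("*", "count mismatch: records and content objects differ")]
    results, prev, last_ts = [], GENESIS, None
    for record, content in zip(chain, contents):
        stage = record["stage"]
        if not hmac.compare_digest(_tag(record), record["tag"]):
            results.append((stage, "tag mismatch: record altered after capture"))
            break
        if record["prev"] != prev:
            results.append((stage, "chain break: precursor record does not match"))
            break
        if record["content_sha256"] != _digest(content):
            results.append((stage, "content mismatch: stored content differs from evidence"))
            break
        ts = datetime.fromisoformat(record["timestamp"])
        if last_ts is not None and ts < last_ts:
            results.append((stage, "sequence-of-event error: timestamp precedes prior stage"))
            break
        results.append((stage, "ok"))
        prev, last_ts = _digest(_canonical(record)), ts
    return results


def build_demo_chain():
    """Three-stage workflow over constructed sample content and fixed timestamps."""
    stages = ["intake", "approval", "posting"]
    contents = [b"invoice 1001 received", b"invoice 1001 approved", b"invoice 1001 posted"]
    stamps = ["2024-03-01T09:00:00+00:00", "2024-03-01T09:05:00+00:00", "2024-03-01T09:07:00+00:00"]
    chain, context = [], {"batch": "demo-batch", "prior_stage": None}
    for stage, content, ts in zip(stages, contents, stamps):
        append_stage(chain, stage, content, context, ts)
        # The successor stage inherits the precursor's context state.
        context = {"batch": "demo-batch", "prior_stage": stage}
    return chain, contents


def demo_content_swap():
    """Content substituted after capture: detected at the affected stage."""
    chain, contents = build_demo_chain()
    contents[1] = b"invoice 1001 approved for a different amount"
    return verify_chain(chain, contents)


def demo_record_edit():
    """A stored record edited after capture: the keyed tag no longer verifies."""
    chain, contents = build_demo_chain()
    chain[2]["context"]["prior_stage"] = "forged"
    return verify_chain(chain, contents)


def demo_dropped_stage():
    """A middle stage removed from the log: the chain-of-custody link breaks."""
    chain, contents = build_demo_chain()
    del chain[1]
    del contents[1]
    return verify_chain(chain, contents)


if __name__ == "__main__":
    print(verify_chain(*build_demo_chain()))
    print(demo_content_swap())
    print(demo_record_edit())
    print(demo_dropped_stage())
```

Each verification re-derives the digest, the link to the precursor record and the keyed tag rather than trusting any stored value, which is the property the text calls "solvable": an auditor needs only the log, the content objects and the key to reproduce the result. The length check matters because a truncated log with all remaining records intact would otherwise verify cleanly; dropping a stage from the middle is caught by the broken link, and dropping the last stage is only visible if the expected number of stages is known.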
