CTO’s Blog: Achieving Continuous Compliance

Continuous Compliance™

I want to bring up the idea I have been hinting at, and that is Continuous Compliance.

Traditional compliance models fix a compliance state at the time the data in the client’s evidence pool is captured and proofed. Pooling the data requires that synchronization between systems be provable, because Sequence of Event (SOE) errors in computer-generated reports can misrepresent when data was attested. Security and strong practice controls are therefore necessary, and they are very expensive: they require continuous human review, with a new model statement produced for each process state or control area. Once testing and audit are complete, traditional risk models hold that the effective trust decays until it reaches its lowest point, which is the time of the next review and attestation.

AI meets Information Assurance

Computing and artificial intelligence offer a new possibility that is already changing how secure and provable systems are built, so that a legally provable attestation (not merely an assertion) can be made. Probabilistic modeling is used to create real data integrity constraints for each component in the workflow. The new model takes a deterministic approach to the evidence produced at each stage, so that it functionally provides inline attestations for each data object or element being presented as ‘proof of something’ or ‘evidence’. The system is tightly monitored in its deployment, and its controls provide direct testimony as to the events which flow through it.

The idea is that the machine itself can deliver a set of application-specific automated controls, so that the computer is in fact testifying to the events within it. Machine-based testimony is finally real. The opportunity is to add extra integrity control data that travels along with the content data to validate the information in the content stream, plus a set of tracking-agent data that completes the evidence model for the system event. MITRE CEE, OASIS XML, Syslog and other representational models provide transports for interoperability with other log and event control interfaces.

ContinuousCompliance™

The ContinuousCompliance system then forms a telemetry-based information assurance process which provides, through mathematical formulas for each workflow, a fully solvable status for any of the event stages within the chain-of-custody of the content stream, for the attestation and its supporting evidence.

Continuous Compliance fully automates the controls within a hierarchy to provide a business practice audit which can be proven through periodic review of the system logs and proof models. By proving the formula for each workflow continuously, the system is monitored through telemetry-based dashboards which provide continuous assurance as to the actual operating state of the system and its transactions in real time for almost all uses.

Continuous Auditing Benefits

The benefits of deploying systems which incorporate the ContinuousCompliance system are substantial for audit and risk processing. The output of each stage can be tracked to provide a continuous logging stage for each event stream in the workflow. The telemetry controls provide a dashboard reporting model with hierarchical alarm capabilities for systems and application contexts which maintain their own time service (as in cloud virtual instances). What this means is that the business practice can itself be audited in a mostly automated manner. Auditors can review the system continuously, which reduces the time to complete ongoing audits and allows more of the review work to be done remotely. System anomalies and security incidents are tracked and can be undone more easily and at a lower cost-to-make-right than with a traditional human-operated search and testimony process.

Immediate ROI

The immediate and ongoing ROI of such a process comes from reducing risk by automating large parts of the entity’s audit and compliance verification. Automated controls are self-auditing, so the code is what is reviewed, together with its results. This means that if none of the reports raise alarms, the entity’s compliance is in place.

Telemetry-based content assurance

Telemetry-based content assurance systems and knowledge representation controls are the perfect addition to cloud and SaaS technologies. Because controls of this type can be fully telemeterized, they form a workflow tracking process which can provide control information (sensors) at each and every stage. This means that once the expected evidence from each stage is ‘defined’, verifying that data is easily performed through this formula process, with the result being provable through the reports themselves. This will reduce the cost of ongoing SOX Section 302 compliance to almost nothing and provides continuously available information on the integrity of the transaction system itself. The core of this process is the digital timestamps, which can be read and which carry cryptographically asserted consequence in the legal sense.

Continuous Compliance is then the next step in high-risk digital accounting. Systems watching systems…

Applying Continuous Compliance architecture concepts to existing systems generally increases the data store needed to represent the event streams by about 300%. The proofing and integrity telemetry provide the envelope of trust that makes the content contained in this practice model reliable. With ContinuousCompliance, workflows are predefined such that they always produce known results, and the precursor stage passes context state data along with the content itself, such that its functional integrity has a forensic proof for each event stored. The evidence model is predictable and solvable for each event captured this way.
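To make the idea of integrity control data travelling with the content, chained stage-to-stage and verifiable from the records alone, concrete, here is an added example. It is not Certichron’s code and is not the ContinuousCompliance product; it is a minimal illustration written for this page. Each workflow event carries a sequence number, a timestamp, a digest of the previous event (the chain-of-custody link) and an HMAC attestation from the stage that produced it. A verifier re-derives every control value, so altered content, removed or reordered events, forged attestations and Sequence of Event errors all surface as findings. The stage names, the sample events and the attestation key are constructed for the example; a real deployment would hold the key in an HSM or KMS and would use a trusted timestamp source rather than an integer.

```python
import hashlib
import hmac
import json

# Hypothetical stage-attestation key, constructed for this example only.
STAGE_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # prev-link value for the first event in a stream


def canonical(record: dict) -> bytes:
    """Canonical JSON so the digest does not depend on key order or whitespace."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(chain: list, stage: str, ts: int, content: str) -> dict:
    """Append one workflow event that carries its own integrity control data.

    The control data travelling with the content is: the sequence number,
    the timestamp, the digest of the previous event (chain-of-custody link),
    a digest of the whole record and an HMAC over that digest (the stage's
    attestation).
    """
    prev = chain[-1]["digest"] if chain else GENESIS
    body = {"seq": len(chain), "ts": ts, "stage": stage, "content": content, "prev": prev}
    digest = hashlib.sha256(canonical(body)).hexdigest()
    tag = hmac.new(STAGE_KEY, digest.encode(), hashlib.sha256).hexdigest()
    event = dict(body, digest=digest, tag=tag)
    chain.append(event)
    return event


def verify_chain(chain: list) -> list:
    """Re-derive every control value; return findings (empty list means the chain is sound).

    Detects edited content or metadata (digest mismatch), forged attestations
    (bad HMAC), removed or reordered events (broken prev link) and
    Sequence of Event errors (non-monotonic seq or timestamp).
    """
    findings = []
    prev_digest = GENESIS
    prev_ts = None
    for i, ev in enumerate(chain):
        body = {k: ev[k] for k in ("seq", "ts", "stage", "content", "prev")}
        if ev["digest"] != hashlib.sha256(canonical(body)).hexdigest():
            findings.append(f"event {i}: digest mismatch (content or metadata altered)")
        expected_tag = hmac.new(STAGE_KEY, ev["digest"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(ev["tag"], expected_tag):
            findings.append(f"event {i}: attestation tag invalid")
        if ev["prev"] != prev_digest:
            findings.append(f"event {i}: chain-of-custody link broken")
        if ev["seq"] != i:
            findings.append(f"event {i}: sequence number {ev['seq']} out of order")
        if prev_ts is not None and ev["ts"] < prev_ts:
            findings.append(f"event {i}: timestamp {ev['ts']} precedes previous event")
        prev_digest, prev_ts = ev["digest"], ev["ts"]
    return findings


def build_sample_chain() -> list:
    """Constructed three-stage workflow: capture -> review -> archive."""
    chain = []
    append_event(chain, "capture", 1700000000, "invoice-42 received")
    append_event(chain, "review", 1700000060, "invoice-42 approved by controller")
    append_event(chain, "archive", 1700000120, "invoice-42 written to WORM store")
    return chain


def tampered_chain() -> list:
    """Same chain with the review record silently edited after the fact."""
    chain = build_sample_chain()
    chain[1]["content"] = "invoice-42 approved by intern"
    return chain


def reordered_chain() -> list:
    """Same chain with the review and archive events swapped (an SOE error)."""
    chain = build_sample_chain()
    chain[1], chain[2] = chain[2], chain[1]
    return chain


if __name__ == "__main__":
    print("clean chain:", verify_chain(build_sample_chain()))
    print("tampered chain:", verify_chain(tampered_chain()))
    print("reordered chain:", verify_chain(reordered_chain()))
```

The verifier needs nothing but the records and the stage key, which is the property the post is after: the report itself is the proof, and an auditor can re-run the check remotely without reconstructing events from human testimony. Note that the HMAC attests to the digest as stored, so an edit that leaves the stored digest alone shows up as a digest mismatch rather than a bad tag; an edit that also recomputes the digest breaks the next event’s prev link instead. Either way the alteration is detected.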

For more information about ContinuousCompliance, contact our sales department at sales@certichron.com or call us at 800-511-2301 in California.
