
[Blog] Addressing Compliance Issues with an Automation Solution

Compliance is no longer optional; it is a must. Every industry, from public services to aircraft or missile manufacture, is governed, guided and regulated from top to bottom. The question is how businesses can become and stay compliant in the most efficient way.

Implementation, management, and control take a lot of effort and resources. Every business has more than one standard to comply with. For instance, ISO 27001 and ISO 27002 for Information Security Management Systems are usually accompanied by industry-specific standards such as ASPICE or HIPAA. The task thus becomes hefty, and handling all compliance-related processes manually becomes unrealistic. Hence, automation is the key.

What can we gain?

Even for many technologically advanced companies, with paperless technologies and every possible automation of business administration in place, compliance management is still an issue, not to mention less technologically equipped, non-tech companies. Some still rely on printed standards, spreadsheets and text records kept and distributed manually. As a company grows in size and adopts more standards to comply with, compliance management grows into a nightmare.

Today, technology offers a variety of automation solutions (e.g., Infopulse SCM). Compliance management applications include features ranging from simple workflow management tools to sophisticated systems employing artificial intelligence (AI).

The core idea standing behind compliance automation is to consolidate all related processes under one control center. Running automatically, the apps provide a toolset for continuous status monitoring and audits, security self-assessments, risk analysis, etc. with no need for making occasional spot checks manually.

Compliance monitoring tools take control once the organization feeds the appropriate requirements, in accordance with its security policies, into the system. Those can include any industry regulations, standards, system configurations, IT asset inventories, procedures, etc. The software stores the requirements and their related conditions in a live knowledge base that is continuously updated. When the monitoring feature is enabled, the system provides real-time indicators displaying the compliance and security status of individual divisions or of the organization as a whole.
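To make the monitoring idea concrete, here is an added example (not Infopulse SCM code, and not a description of how that product stores its knowledge base) of the smallest useful continuous-compliance loop: requirements are kept as machine-checkable conditions, evaluated against an asset inventory, and rolled up into a status indicator per division and for the organization as a whole. All requirement IDs, asset records and division names are constructed sample data.

```python
"""Added example: a minimal continuous compliance monitor.
Requirements are stored as conditions over inventory records, every asset is
checked against every requirement, and the results are rolled up per division
and for the whole organization.  All identifiers and records are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Requirement:
    req_id: str                       # constructed identifier, e.g. "REQ-ENC-01"
    description: str
    check: Callable[[dict], bool]     # True when the asset satisfies the requirement


@dataclass
class Finding:
    asset: str
    division: str
    req_id: str
    compliant: bool


# Constructed knowledge base: requirement -> condition on the inventory record.
REQUIREMENTS: List[Requirement] = [
    Requirement("REQ-ENC-01", "Data at rest is encrypted",
                lambda a: a.get("disk_encrypted") is True),
    Requirement("REQ-PATCH-01", "Patches applied within 30 days",
                lambda a: a.get("days_since_patch", 10**6) <= 30),
    Requirement("REQ-LOG-01", "Audit logging enabled",
                lambda a: a.get("audit_log") is True),
]

# Constructed asset inventory, the kind of data an organization feeds in.
INVENTORY: List[dict] = [
    {"name": "db-01", "division": "Finance", "disk_encrypted": True,
     "days_since_patch": 12, "audit_log": True},
    {"name": "web-01", "division": "Finance", "disk_encrypted": True,
     "days_since_patch": 45, "audit_log": True},
    {"name": "hr-fs", "division": "HR", "disk_encrypted": False,
     "days_since_patch": 3},          # audit_log missing -> treated as non-compliant
]


def evaluate(inventory: List[dict], requirements: List[Requirement]) -> List[Finding]:
    """Check every asset against every requirement; unknown/malformed data never passes."""
    findings = []
    for asset in inventory:
        for req in requirements:
            try:
                ok = bool(req.check(asset))
            except Exception:
                ok = False
            findings.append(Finding(asset["name"], asset["division"], req.req_id, ok))
    return findings


def status_by_division(findings: List[Finding]) -> Dict[str, float]:
    """Percentage of passed checks per division: the per-division indicator."""
    totals: Dict[str, List[int]] = {}
    for f in findings:
        t = totals.setdefault(f.division, [0, 0])
        t[0] += int(f.compliant)
        t[1] += 1
    return {d: round(100.0 * p / n, 1) for d, (p, n) in totals.items()}


def overall_status(findings: List[Finding]) -> float:
    """Percentage of passed checks across the whole organization."""
    return round(100.0 * sum(f.compliant for f in findings) / len(findings), 1)


def open_gaps(findings: List[Finding]) -> List[str]:
    """Failed checks in the form a dashboard alert or audit report would list them."""
    return [f"{f.division}/{f.asset}: {f.req_id}" for f in findings if not f.compliant]


if __name__ == "__main__":
    fs = evaluate(INVENTORY, REQUIREMENTS)
    print(status_by_division(fs), overall_status(fs))
    print("\n".join(open_gaps(fs)))
```

The design point worth noticing is in `evaluate`: a missing attribute or a check that raises counts as a failure, never as a pass, so an incomplete inventory shows up as a gap on the dashboard instead of silently inflating the compliance figure.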

Automated solutions not only replace manual work, saving resources, but also leave no room for human error. This is especially important for organizations processing sensitive information. Modern legislation puts a strong emphasis on the protection of personal data, and penalties for privacy breaches are severe. New regulations like GDPR seriously affect every industry far beyond the EU. Given that regulatory requirements change continuously, automation of compliance processes is especially beneficial for financial, public, and healthcare service providers.

Benefits of Compliance Automation:

  • Saving time and cost for compliance implementation, which allows staff to focus on more strategic initiatives;
  • Monitoring compliance status through configurable dashboards;
  • Making decisions based on real-time risk assessments;
  • Establishing uniform compliance requirements and policies across the entire organization, regardless of the platforms or infrastructure types in use;
  • Providing all-encompassing control of the organization and third-party risks including alerts about potential vulnerabilities;
  • Eliminating error-prone manual operations;
  • Minimizing compliance violations and data breaches;
  • Clearing away data inconsistencies and double entries;
  • Generating comprehensive compliance audit reports.

Anticipated Pitfalls

It is hard to imagine any downsides of automation at first glance. It is a great way to delegate repetitive processes to machines, save cost and streamline compliance data management while reducing the likelihood of human error. However, there are some unexpected implications. In areas like compliance, automated solutions cannot run 100% independently of human control.

A lot of effort is required at both the implementation and management stages to continuously verify that all tools and the related processes are running as expected. Because even the best software solutions can still produce errors when given wrong input, personnel attention is required. The fact that every organization can have its own unique set of regulatory requirements is proof that we should not exclude the possibility of an error.

Keep these points in mind while building your automated compliance system:

  • Regularly making sure that automated controls work properly;
  • Verifying that automated processes go exactly the way they were designed;
  • Having to collect and store much more data than an organization usually did;
  • Selecting proven vendors due to dependence on their service and timely updates, when the legislation changes.

Clearing the Path to Automated Compliance

No automated solution is completely infallible, but the benefits are obvious. By eliminating human interaction from compliance workflows, it saves costs, enhances efficiency, and mitigates risks.

Some solutions include sets of pre-integrated standards, primarily those related to information security and privacy, for instance the ISO 27K series and GDPR. The standards best suited for automation are regulations that precisely outline data management processes with regard to how the data are to be collected, maintained, and utilized.

Modern applications can drastically improve and simplify compliance maintenance, streamline related processes and reduce operational cost, from implementation to certification.

Get advice from Infopulse experts on how to efficiently address compliance issues, relieve the pain points and bring up the entire system on a new level.


[News] Successful team vs. business objectives

Every day we move forward trying to answer the most common HOWs:

  • How to succeed?
  • How to stand out from competitors?
  • How to expand competencies and become better?

But what are the main indications of productive teamwork and delivery of extraordinary results? The first things that come to mind are:

  • Setting and focusing on common business goals, and
  • “Do what you do best!” incorporating the wishes and strengths of each team member while distributing work.

The role of feedback culture is crucial during all stages of development, as well as in the post-production process. The goals serve as a starting point for building a united team and help the business reach its objectives. Only PEOPLE who are satisfied with their job, thanks to constant communication with their colleagues, will be able to solve a task of any complexity.

Recent studies show that high-performing agile software development teams are critical. However, no development process (even modern agile methods) covers all pain points, and in practice software development teams can easily be distracted from the main business objectives. That is why, to achieve significant business goals, any team needs coordination. It improves the process overall, preventing the team from doing the wrong things, or the right things at the wrong time.

Big Room Planning

The Infopulse SCM team is always ready to try out new practices in the development process. We decided to experiment with Big Room Planning to plan the next release deliveries.

What distinguishes a Big Room Event from a standard meeting?

The main purpose of conducting this open meeting for Infopulse SCM was to bring all engaged specialists together. Business owners and stakeholders, subject-matter specialists and the development team had a chance to align the business strategy with the development process.

The meeting started with a presentation of the business vision and objectives for the next release. This was followed by an explanation of the Feature Backlog priorities and feature requirements.

Outcomes

The majority of the time was set aside for the scrum teams, who worked together to create product development plans clearly defining the sprint work for the next Product Release.

The Agile Manifesto says: “Individuals and interactions over processes and tools.” This phrase captures what makes this planning unique: all participants communicate with each other face-to-face, sitting in one Big Room.


[Blog] BSI IT-Grundschutz: Meet 2019 Edition

Infopulse SCM 5.0 supports BSI IT-Grundschutz 2019

The 2019 edition contains 94 modules, 14 of which are completely new, and 25 modules have been substantially revised. The major additions cover mobile applications, cloud solutions, embedded systems, and extended platform support (MacOS, PBX, SAP, IBM Z, etc.).

What are the BSI standards?

The BSI standards provide recommendations on methods, processes, and procedures, as well as approaches and actions on different aspects of information security. Organizations can use BSI standards to make their operations, processes, and data safer.

  • The BSI standard 200-1 defines general requirements for an Information Security Management System (ISMS).
  • The BSI Standard 200-2 provides a foundation for building an ISMS based on the IT-Grundschutz methodology.
  • The BSI Standard 200-3 covers risk-related issues. The standard provides a clear path for gearing the IT-Grundschutz analysis to the risk assessment process.

New Modules of BSI IT-Grundschutz

The IT-Grundschutz Compendium 2019 contains 94 modules, i.e. blocks of recommendations covering specific information security areas. Following a holistic approach, the modules take into account technical, infrastructural, organizational and personnel aspects.

The new IT-Grundschutz modules appeared in the following sections:

  • Applications: APP.1.4 Mobile Applications; APP.2.3 OpenLDAP; APP.4.2 SAP ERP System; APP.4.6 SAP ABAP Programming.
  • Networks and communication: NET.4.1 PBXs; NET.4.2 VoIP; NET.4.3 Faxes and Fax Servers.
  • IT systems: SYS.1.7 IBM Z System; SYS.2.4 Clients under MacOS; SYS.3.3 Mobile Phone; SYS.4.3 Embedded Systems.
  • Industrial IT: IND.2.7 Safety Instrumented Systems.
  • Infrastructure: INF.6 Volume Archive.
  • Business: OPS.2.2 Cloud Usage.

Integration with automated solutions

Whatever the standards, implementing them is a highly time- and resource-consuming task. By breaking down silos and streamlining all compliance-related processes, automated solutions like Infopulse Standards Compliance Manager significantly reduce cost.

The recent Infopulse SCM 5.0 version integrates the updated IT-Grundschutz documentation. Besides a set of improved and added features, you will appreciate the option to migrate to the modernized IT-Grundschutz 2019.

Implementing IT-Grundschutz 2019 with Infopulse SCM

  • Build new concepts based on IT-Grundschutz 2019
  • Migrate the existing security concept to the modernized IT-Grundschutz 2019
  • Get automatic updates of requirements and modules
  • Empower the security evaluation process with new modules
  • Use new roles to add flexibility to your ISMS

Check out the new features with Infopulse SCM.


[News] Welcome SCM 5.0 with the complete lifecycle of Task Management!

Infopulse SCM 5.0

The SCM development team worked hard on the implementation of this important update as well as multiple other improvements.

The new and improved features of the SCM 5.0 release include:

Task Management

A new module enables users to create tasks (or action items) for compliance management activities. This allows compliance and security personnel to manage tasks within their compliance program effectively and to demonstrate a documented history of completed compliance activities.

The Task Management module is fully integrated with the SCM workflow engine and provides transparent linking of tasks to related data sets such as programs, assets, requirements, and safeguards. Therefore, it is easy to navigate task lists and define priorities, due dates and responsible people.

Notifications help users automate routine follow-up: acting on task lists and following up with the people responsible for each task.

SCM supports the complete lifecycle of Task Management: Planning → Assignment → Tracking → Reporting.

Other Task Management features include:

  • Attach documents to tasks;
  • Assign priorities, start/end dates to tasks;
  • Assign responsible people, including LDAP users;
  • Set email notifications;
  • Filter tasks based on their attributes, e.g. by status, due dates, responsible people, etc.;
  • View and edit task details;
  • Add comments to a task.

Migration from Grundschutz 2018 to 2019

Infopulse SCM now supports a new edition of IT-Grundschutz 2019 published by BSI (German version).

The main changes in the new edition include:

  • 94 IT-Grundschutz modules: 14 entirely new modules as well as the 80 revised modules from the 2018 edition. Main additions: Mobile Applications, Cloud Solutions, Embedded Systems, extended platform support (MacOS, PBX, SAP, IBM Z, etc.).
  • 25 substantially revised modules, including clarified requirements for Active Directory, web applications, Outsourcing, and MDM.
  • Requirements for Windows 10. (The adaptation standardizes the specifications with SYS.2.2.3 Clients under Windows 10.)
  • The threat model has not changed.
  • Operation Managers, Manufacturers, and Fax Managers are the roles newly created and added in the 2019 edition.

With the IT-Grundschutz 2019 implemented, Infopulse SCM enables users to:

  • Create a new concept based on IT-Grundschutz 2019;
  • Migrate an existing security concept to the modernized IT-Grundschutz 2019;
  • Automatically update the requirements and modules;
  • Evaluate the newly added modules;
  • Use the new roles for modules and requirements evaluation.

Support of MS Edge browser

Support of Microsoft Edge web browser has been added.

Audit trail

The audit trail (also called the audit log) enables security personnel, network administrators and IT specialists to trace the history of changes and keep it for internal and external auditors. It also allows Infopulse SCM users to identify and resolve problems before an auditor needs to be brought in.

Audit trail records contain details including the date, time, and user information associated with changes to Requirements and Safeguards. The changes are stored in log files in the server application directory.
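As an added example (not Infopulse SCM code, and not a description of its log file format), here is an append-only audit trail whose records carry the date/time, user and change details described above, written as one JSON line per record. Because auditors rely on this history, the example also chains each record to the previous one with a SHA-256 hash so that an edited or deleted record is detectable later; the hash chain, the record layout and every sample entry are constructed assumptions of this example.

```python
"""Added example: a hash-chained, append-only audit trail for Requirement and
Safeguard changes.  Each record holds timestamp, user, object, field, old and
new value, plus the hash of the previous record, so later alteration of any
stored record breaks the chain.  The layout and all entries are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64   # hash value "before" the first record


def _digest(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records hash equally.
    payload = prev_hash + json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append_record(log: List[str], user: str, object_type: str, object_id: str,
                  field: str, old: str, new: str, when: Optional[datetime] = None) -> str:
    """Append one audit record as a JSON line; return the record's hash."""
    when = when or datetime.now(timezone.utc)
    prev = json.loads(log[-1])["hash"] if log else GENESIS
    body = {"timestamp": when.isoformat(), "user": user, "object_type": object_type,
            "object_id": object_id, "field": field, "old": old, "new": new}
    rec = dict(body, prev_hash=prev, hash=_digest(prev, body))
    log.append(json.dumps(rec, sort_keys=True))
    return rec["hash"]


def verify_chain(log: List[str]) -> Optional[int]:
    """Return the index of the first record that breaks the chain, or None if intact."""
    prev = GENESIS
    for i, line in enumerate(log):
        rec = json.loads(line)
        body = {k: v for k, v in rec.items() if k not in ("prev_hash", "hash")}
        if rec["prev_hash"] != prev or rec["hash"] != _digest(prev, body):
            return i
        prev = rec["hash"]
    return None


def history(log: List[str], object_id: str) -> List[dict]:
    """All changes to one requirement or safeguard, in the order they happened."""
    return [rec for rec in map(json.loads, log) if rec["object_id"] == object_id]


def build_sample_log() -> List[str]:
    """Constructed sample: two changes to a requirement and one to a safeguard."""
    log: List[str] = []
    t0 = datetime(2019, 5, 6, 9, 0, tzinfo=timezone.utc)
    append_record(log, "alice", "requirement", "REQ-42", "status", "open", "implemented", t0)
    append_record(log, "bob", "safeguard", "SG-7", "owner", "", "alice", t0)
    append_record(log, "alice", "requirement", "REQ-42", "status", "implemented", "verified", t0)
    return log


def altered_copy(log: List[str], index: int) -> List[str]:
    """Test fixture: a copy of the log in which one stored record was edited in place."""
    rec = json.loads(log[index])
    rec["user"] = "someone-else"
    return log[:index] + [json.dumps(rec, sort_keys=True)] + log[index + 1:]


if __name__ == "__main__":
    sample = build_sample_log()
    print("intact:", verify_chain(sample) is None)
    print("first bad record after edit:", verify_chain(altered_copy(sample, 1)))
    for rec in history(sample, "REQ-42"):
        print(rec["timestamp"], rec["user"], rec["field"], rec["old"], "->", rec["new"])
```

One caveat a practitioner should keep in mind: the chain detects edits and deletions inside the log, but not removal of the most recent records, since a truncated log is still internally consistent. For that, the latest hash has to be recorded somewhere the log writer cannot reach (a separate system, a signed checkpoint, or the auditor's own notes).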

Dashboards improvements

Various usability improvements to dashboards have been made:

  • Option to copy widgets;
  • Saving and restoring the dashboard changes (e.g. widgets changes and ordering).

Glossary and unified terminology in Infopulse SCM

A glossary of industry and SCM application-specific terms has been added to the SCM tutorial. It gives SCM users more consistency around key terms and their definitions, ensuring that the correct terms are used consistently throughout the application.

More features, enhanced flexibility, better user experience.
