GRC Destroyer #5: What is GRC automation? How do we do GRC automation??
GRC can mean a lot of things. Automation can mean a lot of things. In this post I'm going to explain how I think about GRC automation.
This blog is just my opinion, not my employer's. I do not get paid by any company to make this content.
What are GRC Automation Deliverables?
Audit Evidence - Depending on the company this might fall into GRC or internal audit. Audit evidence is how you prove the design and effectiveness of your controls.
Sometimes it’s policies/documentation
Rawer forms are literally screenshots of system configs and settings
Report outputs like a user access listing or managed device listing
Work done in tickets from a ticketing system (testing changes, approving access, etc.)
Most control effectiveness is tied to a population of occurrences (can you see a list of all new tools that have been added to your environment in the last year? Do you have a way to show every time privileged access was granted to AWS? etc.)
Compliance Monitoring Metrics - All that evidence above ^^^ is going to prove out your controls. Now you need data showing which controls you’re monitoring and how this gives y’all coverage over your broader compliance posture.
This is where compliance management tools come in handy (Think Drata, Vanta, Anecdotes, Secureframe)
Do you have a way to define all the requirements of the security/GRC program? Can you search for a control and easily get corresponding info and evidence?
What frameworks does your company follow? CSA CCM, SOC 2, HIPAA, PCI DSS, NIST 800-53, GDPR. Do you have a way to show how many controls currently have evidence tied to them for each?
Dashboards are pretty huge because no one except for you (GRC guy/gal) is going to give a shit what’s under the hood until your auditor rolls around. The executive team would like to see a nice chart with a really good percentage so they only have to think about this for 5 seconds.
NICE CHART ALERT! - pre-baked into the Anecdotes compliance management platform (no, they do not pay me to do this)
There’s probably 100 more GRC deliverables but let’s move on.
You can automate evidence collection at many places. Automating a whole control process from beginning to end is harder to figure out - but it’s possible.
Beginner Automation
Anecdotes makes it easy to automate controls. The example shows how to glue your systems together via API to evidence a password policy control.
System → API Call → Relevant Data → Requirement (building block)
Requirement Blocks → Make Up Controls
Link requirements to the control ONCE. Monitor forever.
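To make the System → API Call → Relevant Data → Requirement → Control chain concrete, here is an added example (my own illustration, not code from Anecdotes or from the original post). The identity provider, its API response, the requirement thresholds and the control name are all constructed here; a real integration would replace the fetch step with the HTTP call to your IdP.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for an identity provider's password-policy API
# response; a real integration would make the HTTP call here instead.
SAMPLE_IDP_RESPONSE = {"min_length": 14, "require_mfa": True,
                       "max_age_days": 365, "lockout_threshold": 0}

def fetch_password_policy():
    """API-call step, returning the constructed payload so this runs offline."""
    return dict(SAMPLE_IDP_RESPONSE)

# Requirement blocks: each checks one fact in the raw data and can be
# reused by any control that needs that fact.
REQUIREMENTS = {
    "min_length_ge_12": lambda d: d["min_length"] >= 12,
    "mfa_enforced": lambda d: d["require_mfa"] is True,
    "lockout_enabled": lambda d: d["lockout_threshold"] > 0,
}

# A control is a named set of requirement blocks, linked once.
CONTROLS = {"PW-1 Password policy": ["min_length_ge_12", "mfa_enforced",
                                     "lockout_enabled"]}

def evaluate_control(control_name, data):
    """Run the control's requirement blocks and package the outcome as an
    evidence record: the raw payload, a hash of it so later tampering is
    detectable, a UTC collection timestamp and the list of failed blocks."""
    results = {r: bool(REQUIREMENTS[r](data)) for r in CONTROLS[control_name]}
    raw = json.dumps(data, sort_keys=True)
    return {
        "control": control_name,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "requirements": results,
        "passing": all(results.values()),
        "failed": sorted(r for r, ok in results.items() if not ok),
        "evidence": raw,
        "evidence_sha256": hashlib.sha256(raw.encode()).hexdigest(),
    }

if __name__ == "__main__":
    record = evaluate_control("PW-1 Password policy", fetch_password_policy())
    print(json.dumps(record, indent=2))
```

Running it on the constructed payload flags the control as failing on `lockout_enabled` only, and the record (raw data plus hash plus timestamp) is what you would attach to the control as evidence on each scheduled run.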
Automation Legend Status
Eventually, if you give a shit, you’ll want to really dial it in. At Swimlane, we want to build control automation outside of a preconceived box. This is more complex but could ultimately yield better results for the whole business. When you abstract the requirements in compliance controls, each component can offer hidden value to the business. We do this in Swimlane Turbine. We don’t yet have a compliance mapping component in the tool, which is why I use Anecdotes to organize evidence after the fact. We do, however, have a powerful automation platform that allows us to build whatever we want to see and monitor using just about any tool we have (with an API).
When you figure out what data you want from your tool stack, you can glue the data into a case record - heck, you can even glue several systems’ data together into one record. In the simplest form, we take our third-party asset management tool and ingest each vendor record into Swimlane every few days via its API. We built out a dashboard that shows our CISO and Security team the metrics they care about. The dashboard shows visuals based on filtered data records. Using this method, you can start to prove out an array of compliance controls very easily. If you need audit evidence, you can simply click on the chart graphic and it will take you to the underlying records (the population for the control). Each record looks like a case that has a ton of additional information (which could be used to evidence the design or an “example of 1”). See the dashboard below, which shows how several controls are now monitored by just a few simple automation moves.