Software for Compliance

What's the best way to leverage software for your compliance?

This is the hot topic shaping the compliance industry.

We'll break down what types of software are used and where they work best. Let's start with defining the two categories of software that drive decision making and planning for compliance:

  1. General business software; and
  2. GRC Software.

 

General business software

 

General business software refers to the applications you use to manage your business operations and tech stack. That includes cloud-hosting products like AWS GuardDuty, Firewall Manager, and Key Management Service. It also includes version control software (GitHub), CI/CD (CircleCI), authentication (Okta), HR systems (BambooHR), and many other products you may use. The key point is that these aren't designed to manage your compliance, but they implicitly DO address various aspects of your compliance program. Regardless of whatever other software you might use, this general business software always forms part of your compliance program.

 

GRC Software 

 

GRC Software is designed to centrally manage your governance, risk and compliance activities. There are three "jobs to be done" with differing approaches:

  • Readiness: Helping you prepare for compliance and audits (manual or automated);
  • Audits: Supporting the audit process to verify compliance (flexible or generic); and
  • Maintenance: Ongoing oversight and review activities (centralised or de-centralised).

A fourth aspect to consider is the level of coverage. There are three diverging types of GRC software based on their design goals:

  • Traditional GRC Platforms: flexible, customisable, fit for any compliance standard, and any audit firm partner.
  • Security and Compliance Platforms: combine a generic approach with integrations for cookie-cutter compliance.
  • Integrated Audit Platforms: harmonise readiness, audits and maintenance with an integrated approach.

 

Type                     Coverage   Readiness   Audits     Maintenance
Traditional GRC          Broad      Manual      Flexible   Centralised
Security and Compliance  Narrow     Automated   Generic    Centralised
Integrated Audit         Broad      Automated   Flexible   Centralised

 

How do you know which software is best for you?

 

When deciding on software, we recommend first completing a readiness assessment within your team, with a consultant, or in a free assessment solution like ours. That way, you can see what else is required to achieve compliance and where other software may provide return on investment.

 

Traditional GRC software is time intensive to set up. Security and compliance software is expensive and limits your auditor choices. And integrated audit software ties you to that auditor. So it's best to check it fits your goals upfront.

 

Part of that is looking at your existing software and how it supports compliance on its own. You'll find that in many areas this software enables your compliance by default or with minor adjustments, or at least has the tools and functionality you need without procuring additional software.

 

Here's an example with a common set of software, each of which has many alternatives playing a similar role.

 

AWS (cloud hosting): By default applies firewalls, encryption, access control, system logging, audit trails, and server hardening and patching for serverless setups. You can add on AWS products like GuardDuty, Key Management Service, AWS Shield, and Security Hub to enhance network monitoring, encryption key controls, denial-of-service protection, and security and compliance monitoring, all directly within your environment. This alone can cover up to 40% of your compliance, close to the level of automation the security and compliance platforms offer in a separate platform.

 

GitHub (version control): By default manages software version control, rollback capability, and tracking code changes. You can also apply enforced peer reviews, static code vulnerability scanning, code quality checks, and track testing and approvals.

 

Azure Active Directory (SSO): Centralises and simplifies access control with unique user IDs, role-based access control (RBAC), segregation of duties, and access provisioning and de-provisioning processes.

 

BambooHR (HRIS): Provides various templates and workflows for employees including contracts, onboarding steps, storing the policies and acknowledgements, employee performance reviews, management meetings, and more.

 

Google Workspace (Mobile Device Manager): You can use Google's MDM to approve and track devices, enforce security policies, remotely locate and wipe devices, monitor and block email, and more.

Between these five types of software, 60-80% of your compliance can be systematically covered. The residual areas are defined policies, processes, and reviews that can be integrated with these systems but ultimately need some manual work to define as they relate to your business. Get in touch to see our practice guides, which give you a good starting point with tips, references and content to help you find what fits your business.

 

About AssuranceLab

 

AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2, and more!). Our award-winning, free software has helped over 500 companies prepare for their compliance goals. We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.
