Asset compliance and on-boarding can be a complex process within any business. Simplifying and automating the process is the end goal the customer is looking to achieve. Currently, these processes are often managed in time- and resource-consuming spreadsheets, configuration management databases (CMDBs) and other manual processes.
Our experience working with businesses in the communications industry shows that the NIS Directive places a greater obligation on them to demonstrate awareness of risk: that is, awareness of the risks their technology assets expose their businesses to, before committing those assets into production.
Asset Compliance Challenges:
The challenge in asset compliance is finding a solution that will not only store the asset information, but also support all the asset on-boarding activities. This could include asset detail gathering, compliance checks, risk analysis and on-going BAU management of the assets.
Far too many businesses are managing assets via CMDBs, which brings limitations. For example, the asset cannot be viewed through the security lens of how the business has decided to secure it. However, it is fair to say that this may be a stretch too far for most businesses out there.
Current GRC and asset management solutions aren't capable of providing a holistic picture without being too time- and effort-consuming for the end customer, especially when it comes to making the links between the assets, controls and risks. Often, having a security lens to look through for each asset is an afterthought, and is therefore retrofitted to the process at great cost to the customer.
Asset Compliance Solutions:
There is a steer in industry for businesses to define policies, standards, controls and procedures for securing their assets. We recognise that it is critical for businesses to demonstrate a secure-by-design approach in their architecture, and that the ability to track changes should be a part of BAU.
With this in mind, we have developed and enhanced our GRC offering (SYNERGi) to include an asset on-boarding module which complements and integrates with the already established Governance, Risk & Compliance module.
Here’s a bit more information about how the process in SYNERGi works.
Creation of Asset Groups and Assets by leveraging SYNERGi’s Business Modelling Engine:
- Create an asset container by providing an asset name and owner.
- Issue a details capture form to the asset owner in the form of a questionnaire; this automates the links between assets and creates the relevant scope objects (people & processes, buildings & networks, and technologies) that directly impact the asset.
Threat Identification and Control Application to Scope Objects:
- Issue compliance questionnaires aligned to regulatory standards and internal controls, in order to obtain the compliance posture and the applicability of those controls to a given asset.
- Threats are automatically applied to the objects by virtue of selecting the controls that mitigate specific threats to the asset.
- Continuous assessments and audits of the controls bring to life the effectiveness and maturity of the controls associated with a given asset.
Asset Risk Management and Remediation:
- Because each asset has been risk assessed by defining the impact (Confidentiality, Integrity & Availability) and the likelihood of a threat being realised via the compliance activity, an automatic risk analysis has already been performed against the asset.
- A dynamic risk value is presented for an asset based on continuous assessment and audit of the controls linked to an asset.
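The asset, control and threat linkage described above, with a risk value that moves as control assessments are recorded, as an added illustration that is not SYNERGi's own code or scoring scheme. The multiplicative reduction of likelihood by control effectiveness and the 1-5 impact scale are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    mitigates: set[str]          # threat ids this control mitigates
    effectiveness: float = 0.0   # 0..1, set by the latest assessment/audit


@dataclass
class Asset:
    name: str
    owner: str
    impact: dict[str, int]                 # C, I, A each rated 1..5 (assumed scale)
    inherent_likelihood: dict[str, float]  # threat id -> likelihood 0..1 from compliance activity
    controls: list[Control] = field(default_factory=list)

    def applicable_threats(self) -> set[str]:
        # Threats attach to the asset by virtue of the controls selected for it.
        return {t for c in self.controls for t in c.mitigates}

    def residual_likelihood(self, threat: str) -> float:
        # Assumed model: every effective control mitigating the threat scales
        # its likelihood down by (1 - effectiveness).
        lk = self.inherent_likelihood.get(threat, 0.0)
        for c in self.controls:
            if threat in c.mitigates:
                lk *= 1.0 - c.effectiveness
        return lk

    def dynamic_risk(self) -> float:
        # Worst-case CIA impact times the highest residual threat likelihood.
        impact = max(self.impact.values())
        return max((impact * self.residual_likelihood(t)
                    for t in self.applicable_threats()), default=0.0)


def record_assessment(control: Control, score: float) -> None:
    # An audit result re-rates the control; the asset's risk value follows automatically.
    control.effectiveness = max(0.0, min(1.0, score))


def build_example_asset() -> Asset:
    # Constructed sample data, not taken from any real on-boarding record.
    backups = Control("offline backups", {"ransomware"})
    mfa = Control("multi-factor authentication", {"credential misuse"})
    return Asset("billing platform", "ops-team",
                 impact={"C": 5, "I": 3, "A": 4},
                 inherent_likelihood={"ransomware": 0.6, "credential misuse": 0.3},
                 controls=[backups, mfa])
```

Re-rating a control (for instance after an audit) lowers the residual likelihood of the threats it mitigates, so the asset's risk value falls without re-running the whole assessment.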