Making Continuous Controls Monitoring Work for Everyone

Author: Jingcong Zhao, Senior Director, Product Marketing at Hyperproof
Date Published: 13 June 2022

Editor’s note: The following is a sponsored blog post from Hyperproof.

As a security assurance professional, you know the importance of controls testing. After all, only organizations that thoroughly test and prove their controls’ effectiveness can be confident that they’ve sufficiently mitigated their security and data privacy risks.

Unfortunately, controls testing tends to become exponentially more time-consuming as a firm scales up and its managers implement more controls to keep up with new regulations and third parties. Security assurance and IT audit professionals often face tight constraints that keep rigorous control testing out of reach despite their best intentions. Many compliance and internal audit teams end up testing only the controls examined in the next external audit.

But this ad-hoc approach to control testing has hurt organizations. For instance, Hyperproof’s 2022 IT Benchmark Compliance Survey found that many organizations have gaps in their controls around managing third-party risk: 90 percent of all respondents reported that they’d been negatively affected by a third-party incident in 2021.

Fortunately, continuous controls monitoring (CCM) can go a long way in helping security assurance professionals become far more productive in their control performance evaluation efforts and increase control testing coverage.

CCM is the application of technology to allow continuous (or at least high-frequency), automated monitoring of controls to validate the effectiveness of controls designed to mitigate risk, including combating cyberattack attempts and ensuring business continuity and regulatory compliance.

Deploying CCM can benefit multiple stakeholder groups across an organization, as well as the IT auditors at CPA firms who examine it. CCM can:

  • Increase the productivity of security assurance/internal audit teams. By testing a larger number of controls in a given timeframe, issues are more likely to be identified earlier, preventing them from becoming more expensive problems. CCM also frees up time for compliance and internal audit professionals to focus on higher-value tasks, such as evaluating controls that require manual testing or developing new controls over high-risk processes.
  • Keep business unit stakeholders accountable for managing the risks associated with operating systems and control processes. We’ve all heard the saying that security is everyone’s job. Yet too often, compliance professionals have no consistent way of knowing whether their colleagues in the business units – IT staff, engineers, and sales operations managers – are doing their part to protect an organization’s assets. By automating control testing and setting up an alerting system based on test results, assurance professionals can push compliance and risk management responsibilities to the first line of defense while retaining a mechanism to validate the performance of control activities.
  • Streamline audits (preparation and execution) and reduce the cost of an audit. When evidence of key control activities is collected automatically according to designated policies, compliance professionals no longer have to scramble to gather evidence and evaluate controls right before an audit. After implementing CCM, an auditor can quickly review complete records of control processes – including test results with times and dates linked to the records – all in a central location. Properly configured CCM helps cut down the volume of questions that typically come up during an audit, expediting the process and cutting costs.
  • Improve a company’s standing in the eyes of regulators, customers, and auditors because the organization has readily available evidence of risk mitigation, protection of valuable assets, and an ability to meet its legal obligations.

How to Implement CCM
Implementing CCM in some cases can be as simple as turning on specific settings in the source operating system and using its built-in reports for monitoring. But to have a comprehensive CCM system in place that monitors a wide range of controls across business domains, an organization needs to have a single repository that documents and manages its controls and gathers evidence of their effectiveness. This type of system, commonly known as a compliance operations platform, is built to test and monitor controls at scale.

A compliance operations platform has connectors to common business applications across IT, development, security, HR, sales, and finance – and can automatically pull relevant data about many control processes into the platform for streamlined controls assessment/validation. Next, a compliance professional can define a test with pass/fail criteria and a frequency for the test, and set up automated workflows to manage alarms, communicate, investigate, and correct the control weaknesses.

While building your control testing system from scratch is an option, it’s relatively easy to take advantage of third-party compliance software that comes with CCM out of the box.   

Regardless of the option you choose, here are the critical steps to setting up CCM:

  1. Select controls for testing: Good candidates are control processes that occur at high frequency (continuous, daily, weekly, monthly, etc.) and those that generate well-structured data for testing. Here are some common security controls that benefit from CCM:
      1. Change management: ensuring that a designated approver consistently reviews new code before deployment into the production environment
      2. Application security: ensuring that the important branches in your GitHub account are protected
      3. Access control: ensuring that any terminated employee has access revoked within X hours of termination
      4. Vulnerability management and incident response: validating that critical vulnerabilities were patched in accordance with an internal service level agreement
      5. Database security: verifying that all of your cloud databases are encrypted according to the company’s encryption policy
  2. Determine the evidence and the test case for each control. To set up automated tests, you’ll need to connect your testing system – which can be built internally or leveraged directly within a compliance operations platform – to a live data feed of your control process. Creating this connection typically involves connecting your control testing system to the source application associated with a control (such as a version control source code management system). Read-only data can then be extracted and fed into the testing engine. For instance, if you want to validate that your change management controls were operating effectively, you’ll need to connect your testing system to GitHub to pull commit histories and approval logs to test.
  3. Determine what should happen if a test fails. Once you’ve written a test, determine what type of response is appropriate when a test fails or the result is unexpected. For instance, you may choose to set up an automatic notification and send it to the control operator when the control fails.
  4. Set up a report for easy monitoring of automated controls.
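As an added example that is not Hyperproof’s code or any compliance platform’s own, the following small Python engine ties the four steps above together (and the test definition with pass/fail criteria, frequency and alarm workflow described earlier for compliance operations platforms): one pass/fail check per sample control from step 1, a scheduler that honours each test’s frequency, alerts to the control operator on failure, and a timestamped report. The evidence records, the 24-hour value standing in for the page’s “X hours”, the 7-day critical patch SLA, and all control and user names are constructed assumptions; a real deployment would pull the records read-only from the source systems instead.

```python
"""Toy continuous-controls-monitoring (CCM) engine. Added example, not Hyperproof code.
All evidence feeds below are constructed inline; a real system would pull them
read-only from the source applications (version control, HR, scanner, cloud)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable

NOW = datetime(2022, 6, 3, 12, 0)          # constructed "current time" for the run
REVOCATION_SLA = timedelta(hours=24)       # the page's "X hours"; 24 is an assumption
PATCH_SLA = timedelta(days=7)              # assumed internal SLA for critical findings

# --- constructed evidence feeds, one per sample control ---------------------
MERGES = [  # change management: production merges and who approved them
    {"pr": 101, "author": "alice", "approver": "bob"},
    {"pr": 102, "author": "carol", "approver": None},   # never reviewed
    {"pr": 103, "author": "dave", "approver": "dave"},  # self-approved
]
BRANCHES = {"main": {"protected": True}, "release": {"protected": True}}
TERMINATIONS = [  # access control: termination time vs. revocation time (None = still active)
    {"user": "erin", "terminated": datetime(2022, 6, 1, 9), "revoked": datetime(2022, 6, 1, 15)},
    {"user": "frank", "terminated": datetime(2022, 6, 1, 9), "revoked": None},  # past SLA
    {"user": "gina", "terminated": datetime(2022, 6, 3, 10), "revoked": None},  # still within SLA
]
VULNS = [  # vulnerability management: findings with discovery and patch dates
    {"id": "VULN-1", "severity": "critical", "found": datetime(2022, 5, 1), "patched": datetime(2022, 5, 3)},
    {"id": "VULN-2", "severity": "critical", "found": datetime(2022, 5, 10), "patched": None},
    {"id": "VULN-3", "severity": "low", "found": datetime(2022, 5, 10), "patched": None},
]
DATABASES = {"orders-db": {"encrypted": True}, "analytics-db": {"encrypted": False}}


@dataclass
class ControlTest:
    control: str
    frequency: timedelta                 # how often the test is due to run
    check: Callable[[datetime], list]    # returns a list of failure descriptions


@dataclass
class TestResult:
    control: str
    passed: bool
    failures: list
    checked_at: datetime


# --- pass/fail criteria, one check per control listed on the page -----------
def check_change_management(now):
    # An approver must exist and must not be the author of the change.
    return [f"PR {m['pr']} lacks an independent approver"
            for m in MERGES if m["approver"] in (None, m["author"])]


def check_branch_protection(now):
    return [f"branch '{b}' is unprotected" for b, v in BRANCHES.items() if not v["protected"]]


def _past_deadline(deadline, done, now):
    """SLA is missed if the action finished after the deadline, or is still
    outstanding and the deadline has already passed (outstanding but not yet
    due is not a failure)."""
    return done > deadline if done is not None else now > deadline


def check_access_revocation(now):
    return [f"{t['user']}: access not revoked within SLA" for t in TERMINATIONS
            if _past_deadline(t["terminated"] + REVOCATION_SLA, t["revoked"], now)]


def check_patch_sla(now):
    return [f"{v['id']}: critical not patched within SLA" for v in VULNS
            if v["severity"] == "critical"
            and _past_deadline(v["found"] + PATCH_SLA, v["patched"], now)]


def check_db_encryption(now):
    return [f"database '{d}' is not encrypted" for d, v in DATABASES.items() if not v["encrypted"]]


TESTS = [
    ControlTest("change-management", timedelta(days=1), check_change_management),
    ControlTest("branch-protection", timedelta(hours=1), check_branch_protection),
    ControlTest("access-revocation", timedelta(hours=1), check_access_revocation),
    ControlTest("patch-sla", timedelta(days=1), check_patch_sla),
    ControlTest("db-encryption", timedelta(days=1), check_db_encryption),
]


# --- engine: schedule by frequency, alert on failure, report ----------------
def run_due_tests(tests, now, last_run=None):
    """Run each test whose frequency has elapsed since its last run (or never ran)."""
    last_run = last_run or {}
    results = []
    for t in tests:
        prev = last_run.get(t.control)
        if prev is not None and now - prev < t.frequency:
            continue                      # not due yet
        failures = t.check(now)
        results.append(TestResult(t.control, not failures, failures, now))
    return results


def alerts(results):
    """One notification per failed test, to be routed to the control operator."""
    return [f"ALERT {r.control}: {'; '.join(r.failures)}" for r in results if not r.passed]


def report(results):
    """Report rows (control, status, failing records, timestamp) for the monitoring view."""
    return [(r.control, "PASS" if r.passed else "FAIL", len(r.failures), r.checked_at.isoformat())
            for r in results]


if __name__ == "__main__":
    res = run_due_tests(TESTS, NOW)
    for row in report(res):
        print(row)
    for a in alerts(res):
        print(a)
```

The `_past_deadline` helper carries the edge case that matters for SLA-style controls: an employee terminated two hours ago whose access is still active is not yet a finding, while one terminated two days ago is, and a finding patched late stays a failure even though it is now closed. The scheduler keeps a per-control last-run time so that a daily test is not re-run on every hourly sweep; the report rows carry the check timestamp so an auditor can tie each result to the time it was produced.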

CCM is a crucial aspect of Governance, Risk, and Compliance. With the intuitive GRC software and platforms available today, even small organizations can utilize CCM in their compliance operations.