The future of compliance is continuous. Since the beginning of technology auditing, auditors have had to rely upon spot-checking to validate whether the entity being audited was in compliance with their policies and procedures, or some standard framework, due to the scope and complexity of the technology they audit. However, as technology evolves, so will how auditors can verify compliance with standards, policies, and procedures.
Random spot checks are effective at confirming that something is being done most of the time, but they are prone to error in both targeting and timing. The entity under audit can sometimes exert undue influence over which targets are selected, and the moment chosen for the check may or may not be representative of normal operations. Essentially, it is a best-effort gamble: sometimes the audited entity wins (especially if it is compliant), and sometimes it has a bad day that happens to be the one spot-checked.
Why is continuous compliance important? This boils down to the underlying concept upon which compliance is built - if you're doing what you claim you're doing then you're compliant. Add to that an actual security standard such as SOC2 or CIS or any other, and you have a prescriptive set of controls that tell an organization how to be secure. In other words, if you are compliant with an industry security standard, then you can prove beyond a reasonable doubt that your organization is actually secure. This benefits the organization as well as their customers, partners, and suppliers.
Moving Beyond Standard Compliance Spot Checks
There is a better way to perform technology audits now. Continuous compliance is the idea that the trend in a company's adherence to a standard is more important than a single point in time. Just because you onboard a few new employees who don't sign off on the Acceptable Use policy on the first day doesn't mean you aren't compliant, as long as the evidence shows that trend moving in the right direction. In a continuous compliance scenario, the auditor could ask for all records from a certain day, some records from a number of different days, or all records from the scoped period. In the past, this would have been an unachievable standard and an unreasonable burden on technology companies to maintain such exacting and vast records for so many moving pieces.
The people, companies, and governments that want validation of compliance with a standard will only be satisfied with spot checks until something better comes along. The evolving capabilities of technology mean that continuous compliance is now achievable without spending more money than the compliance audit is worth, or more time than the company has to prove its compliance. This means that soon, those entities that want to know whether your company is compliant with a certain standard will want a continuous view of that compliance assessment.
This is good for the companies, the auditors, and the entities that need assurance that those companies are complying with the requested standards. Auditors will have the ability to state with 100% confidence that a company is compliant, rather than stating "they seem to be compliant based on the spot-checks that were performed." The former statement is much more compelling than the latter for those entities that require proof of compliance.
For the companies being audited, this is an opportunity to find the gaps in their compliance before an auditor does and fix them long before their next assessment, with less stress, more time, and low risk. And continuous compliance makes life easier and less stressful for the auditors, since they can actually verify everything they need to and can provide such a high level of assurance (and therefore maintain their reputation) to those entities that want to verify compliance.
The Future: Centralized, Continuous, and Automated Compliance
Example view of the Compliance App in the JupiterOne Platform
Example Compliance Overview and Status in the JupiterOne Platform
With tools like JupiterOne, companies can now enable continuous compliance within a single platform, without breaking the bank or investing countless hours in building their own systems. JupiterOne links standards to controls, policies, and procedures for a clear view of how they all relate to each other, and provides queries that answer the evidentiary requirements and are continuously evaluated.
Getting an alert whenever a portion of your infrastructure goes out of compliance so that you can immediately fix it, or getting automated policy review notifications makes compliance a process that's easy to maintain and audits easy to pass. Hundreds of work hours and immeasurable stress can be eliminated through the use of continuous compliance tools like JupiterOne.
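To make the contrast between a spot check and a continuous view concrete, here is an added illustration (not JupiterOne's code or query language) that evaluates the Acceptable Use Policy sign-off control from the earlier example over a scoped period, using a constructed, hypothetical set of onboarding records. The grace period, the employee names and the dates are all assumptions made up for this example.

```python
from datetime import date, timedelta

# Constructed sample evidence (hypothetical): employee -> (onboarding date,
# date the Acceptable Use Policy was signed, or None if not yet signed).
EVIDENCE = {
    "alice": (date(2023, 1, 2), date(2023, 1, 2)),
    "bob":   (date(2023, 1, 3), date(2023, 1, 5)),
    "carol": (date(2023, 1, 3), None),
    "dave":  (date(2023, 1, 6), date(2023, 1, 6)),
}
GRACE_DAYS = 3  # assumed policy: sign-off expected within 3 days of onboarding


def control_status(day_iso, evidence=EVIDENCE):
    """Evaluate the AUP sign-off control as it stood on one day (a spot check).
    Returns (compliant_count, employees_in_scope, list_of_failing_employees)."""
    day = date.fromisoformat(day_iso)
    total, failing = 0, []
    for name, (onboarded, signed) in evidence.items():
        if onboarded > day:
            continue  # not yet an employee on this day, so out of scope
        total += 1
        signed_by_day = signed is not None and signed <= day
        if not signed_by_day and (day - onboarded).days > GRACE_DAYS:
            failing.append(name)
    return total - len(failing), total, failing


def compliance_trend(start_iso, end_iso, evidence=EVIDENCE):
    """Daily compliance ratio across the whole scoped period (continuous view).
    Returns a list of (ISO date, ratio) pairs; an empty scope counts as 1.0."""
    day, end, trend = date.fromisoformat(start_iso), date.fromisoformat(end_iso), []
    while day <= end:
        ok, total, _ = control_status(day.isoformat(), evidence)
        trend.append((day.isoformat(), ok / total if total else 1.0))
        day += timedelta(days=1)
    return trend


def regressions(trend):
    """Days on which the ratio dropped versus the previous day: these are the
    points where an alert would fire so the gap can be fixed before an audit."""
    return [trend[i][0] for i in range(1, len(trend)) if trend[i][1] < trend[i - 1][1]]


if __name__ == "__main__":
    trend = compliance_trend("2023-01-02", "2023-01-10")
    for day, ratio in trend:
        print(day, f"{ratio:.0%}")
    print("alert days:", regressions(trend))
```

A spot check on 2023-01-06 reports every employee compliant, while the trend shows the control slipping on 2023-01-07 when carol's grace period lapses; that is the gap continuous evaluation surfaces and a single-day check can miss.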
The future is here, and now - continuous compliance in JupiterOne. Coming soon to an auditor near you.