In part 4 of this series, we look at how the Assess step of the Risk Management Framework is implemented using a data-driven approach. The main objective of the Assess step is to “determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.” To achieve this, you apply a combination of examine, interview and test methods throughout the system lifecycle. Per NIST SP 800-53A: “The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The interview method is the process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior.”
With traditional approaches, control assessors rely heavily on reviewing implementation statements and interviewing developers and other technical staff to determine whether the controls are implemented and operating properly. While some manual interviews and examinations may still be required to provide a "white-box" understanding of the control implementations, a data-driven approach reduces the reliance on such techniques, which are labor intensive and do not provide timely results. Instead, a data-driven approach automatically collects machine data and applies analytics to observe the behavior and outcomes of each control, and uses those same analytics to assess whether the controls are providing the required level of protection. Q-Compliance supports this data-driven approach to control assessments with a high-performance Control Analytics Data Model: it collects the machine data and displays it in hundreds of out-of-the-box control analytics (described in Part 2: Select and Part 3: Implement of this series) to help you monitor and assess that controls are implemented and operating properly.
To support control assessments, Q-Compliance provides a Control Compliance Hub dashboard, shown in Figure 1, which is a “one-stop-shop” to collect and review all of the evidence required to assess controls. Traditionally, you would have to log into different hosts, access different tools, and/or send out multiple data calls and perform your assessments using potentially outdated data that you get back. We also recognize that not all controls are technical in nature and may require manually collected evidence and assessment actions, thus the Control Compliance Hub supports multiple evidence types, ranging from control records capturing human activities performed on the control, to machine data for technical evidence, to files and documents for policies, procedures, screenshots, etc.
Of course, where Q-Compliance really shines with its data-driven approach is with the technical evidence indicators on the Control Compliance Hub, which allow you to examine and/or test assessment objects (i.e., specifications, mechanisms, events, or activities) using near real-time machine data that is centrally and automatically collected by the underlying Splunk instance on which Q-Compliance is deployed. The technical evidence indicators are built on top of the high-performance data model, computed using the control analytics, and presented with rich and intuitive visualizations that let you determine whether your controls are operating as intended. Behind the scenes you can configure time- and event-driven alerts that detect events or conditions that should automatically pass or fail the control's assessment. One caveat a practitioner should apply when configuring such alerts: an automatic pass should be keyed on positive evidence that the control functioned (the expected events were observed within the period), not merely on the absence of failure events, since a silent data source looks identical to a control with no failures. The diverse and comprehensive set of indicators and analytics included with Q-Compliance ranges from monitoring of account management, authentication, access control and privileged access; to asset management, configuration management, vulnerability scanning and patching; to endpoint protection, perimeter defense and incident response, covering the technical security domains represented by the NIST SP 800-53 control families. For more unique requirements, you can customize the analytics and visualizations using your own custom-built ones or any of the thousands of third-party apps available on Splunkbase, Splunk's marketplace for community-developed applications and technical add-ons.
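To make concrete what one of these technical evidence indicators computes, the following is an added example written for this article in plain Python; it is not Q-Compliance code, and in the product the equivalent logic would be an SPL analytic over the Splunk data model rather than a script. It tests NIST SP 800-53 control enhancement AC-2(3), disabling accounts after an organization-defined period of inactivity, against a constructed account inventory and constructed authentication events. The field names, the 35-day threshold, and the sample records are all assumptions made for the example; the output is shaped like an evidence record an assessor could attach to the control (method, objects examined, pass/fail status, and the specific failing objects), which is what an automatic pass/fail alert needs in order to be defensible.

```python
"""Data-driven control test for AC-2(3): enabled accounts must not exceed the
organization-defined idle period. Added example; not Q-Compliance code."""
from datetime import datetime, timedelta
import json

# Fixed assessment time so the example is deterministic (assumption).
ASSESSMENT_TIME = datetime(2024, 6, 30)
# Organization-defined inactivity period for AC-2(3); 35 days is an assumption.
INACTIVITY_DAYS = 35

# Constructed account inventory, as exported from a directory (field names assumed).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "created": "2023-01-10"},
    {"user": "bob", "enabled": True, "created": "2023-01-10"},
    {"user": "carol", "enabled": False, "created": "2023-01-10"},  # disabled: satisfies control
    {"user": "dave", "enabled": True, "created": "2024-06-20"},  # new, never logged in
    {"user": "erin", "enabled": True, "created": "2022-05-01"},  # old, never logged in
    {"user": "svc-backup", "enabled": True, "created": "2022-05-01"},
]

# Constructed authentication events (action values assumed).
AUTH_EVENTS = [
    {"time": "2024-06-28T09:12:00", "user": "alice", "action": "success"},
    {"time": "2024-04-02T07:45:00", "user": "bob", "action": "success"},
    {"time": "2024-06-25T22:10:00", "user": "bob", "action": "failure"},  # failures are not activity
    {"time": "2024-06-01T03:00:00", "user": "carol", "action": "success"},
    {"time": "2024-06-29T01:00:00", "user": "svc-backup", "action": "success"},
]


def parse_ts(ts):
    return datetime.fromisoformat(ts)


def last_activity(accounts, events):
    """Latest successful logon per account; an account with no successful logon
    falls back to its creation date, so a brand-new account is not flagged but a
    long-unused one is."""
    last = {}
    for e in events:
        if e["action"] != "success":
            continue
        t = parse_ts(e["time"])
        if e["user"] not in last or t > last[e["user"]]:
            last[e["user"]] = t
    return {a["user"]: last.get(a["user"], parse_ts(a["created"])) for a in accounts}


def assess_ac2_3(accounts, events, now=ASSESSMENT_TIME, max_idle_days=INACTIVITY_DAYS):
    """Return an evidence record: one finding per enabled account idle longer
    than max_idle_days, plus the failed-logon count since its last activity,
    which is the reason dormant-but-enabled accounts matter."""
    cutoff = now - timedelta(days=max_idle_days)
    activity = last_activity(accounts, events)
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        last = activity[a["user"]]
        if last >= cutoff:
            continue
        failed_since = sum(
            1 for e in events
            if e["user"] == a["user"] and e["action"] == "failure" and parse_ts(e["time"]) > last
        )
        findings.append({
            "user": a["user"],
            "last_activity": last.isoformat(),
            "idle_days": (now - last).days,
            "failed_logons_since": failed_since,
        })
    return {
        "control": "AC-2(3)",
        "method": "test",
        "assessed_at": now.isoformat(),
        "threshold_days": max_idle_days,
        "objects_examined": len(accounts),
        "status": "fail" if findings else "pass",
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(assess_ac2_3(ACCOUNTS, AUTH_EVENTS), indent=2))
```

With the constructed data the control fails on two objects: bob (last success in April, with a failed logon attempt against the dormant account since) and erin (enabled but never used since creation). carol is skipped because the account is already disabled, and dave is not flagged because the account is younger than the threshold. The record carries the threshold and the assessment time so the same evidence can be re-evaluated when the organization-defined value changes.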
The benefits of using Q-Compliance’s data-driven approach for Step Four – Assess include:
- Reduced reliance on manual methods and outdated data
- One-stop shop dashboard to collect and assess all evidence types for each control
- Hundreds of out-of-the-box analytics and visualizations to help you assess controls with near real-time machine data
- Robust alerting mechanism to automatically detect compliance issues in near real-time
- Easily customizable dashboards that allow you to configure custom or third-party control analytics and visualizations to support any unique requirements