Data-Driven RMF Series – Part 4: Assess

In part 4 of this series, we explore the Risk Management Framework Assess step, using a data-driven approach.  The main objective of the Assess step is to “determine if the controls selected for implementation are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security and privacy requirements for the system and the organization.[RMF] To achieve this, you apply a combination of examine, interview and test methods throughout the system lifecycle.

The 3 steps to Assessing

Per NIST SP 800-53A: “The examine method is the process of reviewing, inspecting, observing, studying, or analyzing one or more assessment objects (i.e., specifications, mechanisms, or activities). The interview method is the process of holding discussions with individuals or groups of individuals within an organization to once again, facilitate assessor understanding, achieve clarification, or obtain evidence. The test method is the process of exercising one or more assessment objects (i.e., activities or mechanisms) under specified conditions to compare actual with expected behavior”. As you can imagine, each of these steps takes time, teamwork, and a variety of tools and resources.

With traditional approaches, control assessors rely heavily on reviewing implementation statements and interviewing developers and other technical staff to determine if the controls are implemented and operating properly. Some manual interviews and examinations may still be required to provide a “white-box” approach to understanding and evaluating the control implementations.

The Data-driven approach using Q-Compliance

However, a data-driven approach reduces the reliance on such techniques which are labor intensive and don’t provide timely results.  Instead, a data-driven approach automatically collects machine data and applies analytics to observe the behavior and outcomes of each control. Furthermore, the data-driven approach uses these analytics to assess if the controls are providing the required levels of protection. Q-Compliance supports this data-driven approach to control assessments with a high performance Control Analytics Data Model. Q-Compliance achieves this by collecting the machine data and displays it in hundreds of out-of-the-box control analytics (described in Part 2: Select and Part 3: Implement of this series) to help you monitor and assess that controls are implemented and operating properly.

To support control assessments, Q-Compliance provides a Control Compliance Hub dashboard, shown in Figure 1, below. The Control Compliance Hub is a “one-stop-shop” to collect and review all of the evidence required to assess controls.  Traditionally, you would log into different hosts, access different tools, and/or send out multiple data calls and perform your assessments using potentially months-old data.  We recognize that this is neither efficient nor does it add security value. Also, not all controls are technical in nature and thus may require manually collected evidence and assessment actions. However, the Control Compliance Hub supports multiple evidence types! These range from control records capturing human activities performed on the control, to machine data for technical evidence, to files and documents for policies, procedures, screenshots, etc.

Assess using Q-Compliance’s Control Compliance Hub

Figure 1: Q-Compliance’s Control Compliance Hub

Technically, how does Q-Compliance Assess accurately?

Of course, where Q-Compliance really shines, is its technical evidence indicators on the Control Compliance Hub. The Hub allows you to examine and/or test assessment objects (i.e., specifications, mechanisms, events, or activities). All of this is achieved using near real-time machine data that is centrally and automatically collected by the underlying Splunk instance on which Q-Compliance is deployed.  The technical evidence indicators are built on top of the high-performance data model. The model computes using the control analytics and presents the data using rich and intuitive visualizations which are easily understood.

Behind the scenes, time and event driven alerts fire, detecting events/conditions, automatically passing or failing the control’s assessment.  The comprehensive set of indicators and analytics within Q-Compliance range from monitoring account management, authentication, access control, privileged access; to asset management, configuration management, vulnerability scanning and patching; to endpoint protection, perimeter defense, incident response; etc. – covering all the technical security domains represented by the NIST 800-53 control families.  For more unique requirements, you can easily customize the analytics and visualizations using your own custom-built ones or from any of the thousands of third-party apps available on Splunkbase, Splunk’s marketplace for community-developed applications and technical add-ons.

The benefits of using Q-Compliance’s data-driven approach for Step Four – Assess:

  • Reduced reliance on manual methods and outdated data
  • One-stop shop dashboard to collect and assess all evidence types for each control
  • Hundreds of out-of-the box analytics and visualizations to help you assess controls with real-time machine data
  • Robust alerting mechanism to automatically detect compliance issues in near real-time
  • Easily customizable dashboards that allow you to configure custom or third-party control analytics and visualizations to support any unique requirements

Explore the other RMF steps.