Rethinking the Role of Compliance

General Availability of Q-Compliance V4.2.0 and Q-Audit V3.4.0

Qmulos is pleased to announce the general availability of Q-Compliance V4.2.0 and Q-Audit V3.4.0. These versions add capabilities to streamline the configuration of organizations and systems with complex shared responsibility (i.e., control inheritance) models, manage tasks on the Control Compliance Hub, support external reporting of audit activities, and enable more granular investigation of events on the ISSO Audit Review dashboard.

Shared Responsibility Models (i.e., Control Inheritance) in Q-Compliance

Large organizations often have shared enterprise services that provide common capabilities to other systems across the organization. Often those services, i.e., "common control providers", also provide security capabilities for common controls that dependent systems can inherit from a compliance standpoint. In many cases, multiple systems will inherit the same set of controls from these control providers, as shown in Figure 1.

Figure 1: Control inheritance relationships in large enterprises

With the recently added capabilities to define and import/export overlays with multiple control inheritance relationships, organizations can define reusable templates to apply these inheritance relationships across multiple systems in Q-Compliance. For new deployments, Qmulos' compliance experts from our customer success team can help analyze your shared responsibility relationships and create overlays to quickly get you up and running in Q-Compliance. System owners can inherit controls, or parts of controls, from multiple providers to accurately describe their shared responsibility models to auditors. Then, with the click of a button on the Control Compliance Hub, auditors can navigate directly to each control provider's hub to monitor the compliance posture of that provider's control using real-time technical evidence.

Managing Tasks on the Control Compliance Hub in Q-Compliance

The Control Compliance Hub, shown in Figure 2, is the heart of Q-Compliance. It is where system owners and ISSOs collect and manage the different types of evidence (e.g., human activity evidence, automatically collected technical evidence, and policy and procedure evidence) needed for each security control. It is where other artifacts such as implementation statements, test procedures, and Plans of Action and Milestones (POAMs) are produced and reviewed. It is where assessors and auditors use all of this information to determine whether the system's controls are implemented correctly and operating effectively.

Figure 2: Managing Work Activity on the Control Compliance Hub

To streamline the management of all the work and activity that occurs on the Control Compliance Hub, we've added the ability to create and manage tickets directly on the Control Compliance Hub. Users can now create tickets to assign tasks to themselves or other users to perform work on each control of a given system. This also works in conjunction with Q-Compliance's control automations, where tickets can be created automatically to work on issues detected by technical evidence analytics. With the ability to search for tickets and filter by status, creator, and assignee, users can quickly get to the tickets they care about and ensure that critical control tasks are completed in a timely manner.

Exportable Audit Reports in Q-Audit

The ICS 500-27 auditing standards (as well as most other standards) not only require that organizations log critical events on their assets and network, but also that staff actively review those logged events to determine whether malicious activity is occurring. When organizations are audited, auditors will usually ask for evidence demonstrating that the logged events are being reviewed. Q-Audit automatically generates audit records when events are reviewed on each of the event family dashboards. These audit records are presented on the Audit Record Summary dashboard, shown in Figure 3, allowing system owners to demonstrate to auditors that review activity is occurring. In some cases, auditors are external to the organization and may not have access to Q-Audit. To enable system owners to provide audit review evidence to external auditors, we've added the ability to export the audit records from the Audit Record Summary dashboard.

Figure 3: Exporting audit review records on the Audit Record Summary dashboard

Granular Drilldown of Events on the ISSO Audit Review Dashboard

The ISSO Audit Review dashboard was added in V3.2.0 of Q-Audit to enable information system security officers (ISSOs) to easily review the events they are most interested in across the ICS 500-27 event families. These include events such as failed login attempts, deletion of privileged accounts, external media connections to devices, tampering with audit policy configurations, positive malware detections, and user account changes. To better support the analysis and investigation of these events, we've added an additional level of drilldown in the visualizations to show a more granular distribution of activity across time, as shown in Figure 4.

Figure 4: Additional level of drilldown into events on ISSO Audit Review dashboard

As the example in Figure 4 shows, this additional level of drilldown provides more clarity into when certain activity is occurring throughout the day, enabling ISSOs to thoroughly investigate whether the activity is malicious.
