Qmulos is pleased to announce the general availability of Q-Compliance V4.2.0 and Q-Audit V3.4.0. These versions add capabilities to streamline the configuration of organizations and systems with complex shared responsibility (i.e., control inheritance) models, manage tasks on the Control Compliance Hub, support external reporting of audit activities, and enable more granular investigation of events on the ISSO Audit Review dashboard.
Shared Responsibility Models (i.e., Control Inheritance) in Q-Compliance
Large organizations often have shared enterprise services that provide common capabilities to other systems across the organization. Oftentimes those services, i.e., “common control providers,” also provide security capabilities for common controls that can be inherited by the dependent systems from a compliance standpoint. In many cases, multiple systems will inherit the same set of controls from these control providers, as shown in Figure 1.
Figure 1: Control inheritance relationships in large enterprises
With the recently added capabilities to define and import/export overlays with multiple control inheritance relationships, organizations can define reusable templates to easily apply these inheritance relationships across multiple systems in Q-Compliance. For new deployments, Qmulos’ compliance experts from our customer success team can help analyze your shared responsibility relationships and create overlays to quickly get you up and running in Q-Compliance. System owners can quickly inherit controls or parts of controls from multiple providers to accurately describe their shared responsibility models to auditors. Then, with the click of a button on the Control Compliance Hub, auditors can navigate directly to each control provider’s hub to monitor the compliance posture of that provider’s control using real-time technical evidence.
Managing Tasks on the Control Compliance Hub in Q-Compliance
The Control Compliance Hub, shown in Figure 2, is the heart of Q-Compliance. It is where system owners and ISSOs collect and manage the different types of evidence (e.g., human activity evidence, automatically collected technical evidence, and policy and procedure evidence) that are needed for each security control. It is where other artifacts such as implementation statements, test procedures, and Plan of Actions and Milestones (POAMs) are produced and reviewed. It is where assessors and auditors utilize all of this information to determine if the system’s controls are implemented correctly and operating effectively.
Figure 2: Managing Work Activity on the Control Compliance Hub
To streamline the management of all the work and activity that occurs on the Control Compliance Hub, we’ve added the ability to create and manage tickets directly on the Control Compliance Hub. Now users can create tickets to assign tasks to themselves or other users to perform work on each control of a given system. This also works in conjunction with Q-Compliance’s control automations, where tickets can be automatically created to work on issues that are detected by technical evidence analytics. With the ability to search for tickets and filter by status, creator, and assignee, users can quickly get to the tickets they care about to ensure that critical control tasks are completed in a timely manner.
Exportable Audit Reports in Q-Audit
The ICS 500-27 auditing standards (as well as most other standards) not only require that organizations log critical events on their assets and network, but they also require that those logged events are actively reviewed by staff to determine if there is malicious activity going on. When organizations get audited, auditors will usually ask for evidence that demonstrates that the logged events are being reviewed. Q-Audit automatically generates audit records when the events are reviewed on each of the event family dashboards. These audit records are presented on the Audit Record Summary dashboard, shown in Figure 3, allowing system owners to demonstrate to auditors that review activity is occurring. In some cases, auditors are external to the organization and may not have access to Q-Audit. To enable system owners to provide audit review evidence to external auditors, we’ve added the ability to export the audit records from the Audit Record Summary dashboard.
Figure 3: Exporting audit review records on the Audit Record Summary dashboard
Granular Drilldown of Events on the ISSO Audit Review Dashboard
The ISSO Audit Review dashboard was recently added in V3.2.0 of Q-Audit to enable information system security officers to easily review the events that they are most interested in across the ICS 500-27 event families. These include events such as failed login attempts, deletion of privileged accounts, external media connections to devices, tampering with audit policy configurations, positive malware detections, and user account changes. To better support the analysis and investigation of these events, we’ve added an additional level of drilldown in the visualizations to show a more granular distribution of activity across time, as shown in Figure 4.
Figure 4: Additional level of drilldown into events on ISSO Audit Review dashboard
As the example in Figure 4 shows, this additional level of drilldown provides more clarity into when certain activity is occurring throughout the day, enabling ISSOs to thoroughly investigate whether the activity is malicious.