Beyond box-ticking: towards automated continuous audits


Why are audits necessary and beneficial?

There are multiple ways to look at compliance auditing. The first thing that comes to many people's minds at the word "audit" is bureaucracy: interviews, compliance sheets, checkboxes, evidence, analytic procedures, everything that can be described as burden and cost. What we often tend to overlook is the underlying objective for having audits in the first place: security and, subsequently, trustworthiness.

Security, and especially cybersecurity, is a key requirement for business operations. Multi-factor authentication schemes, access controls, policies for data handling, etc. exist to protect your and your customers' data, your networks and your systems. Auditing should provide independent assurance that such controls are working and that proper processes are followed.

Trustworthiness is a key business enabler. Your customers need to trust that you handle their data properly. Regulators need to trust that you are compliant; after all, this is the basis on which they grant you a license to operate. Such trustworthiness is usually achieved through certification schemes: a trusted third party verifies (audits) that you do meet the set expectations.

What is wrong with only ticks in the right boxes?

Achieving these objectives with traditional auditing methods is often complicated and, in many cases, actually impossible. Tick-box auditing practices are useful to an extent (at least they help you not to miss important things) but only take you halfway. Even worse, they can create a false sense of security.

Here is an example: an IT auditor inspects your access control list and finds it to be consistent with the set policy. What does that tell you? Unfortunately, it only attests that at this given moment the right roles have the right privileges. Then this green tick sits in a drawer until the next audit (often only an annual process) and does not really tell you what has happened to the control list between the audits. Nor does it protect you from human error or malicious manipulation.

Obviously, the growing number of systems to audit/monitor, increasing volumes, and blurred security perimeters in the cloud-era are adding to the challenge.

Are there better ways for compliance auditing?

With Truetrail, we are tackling such challenges by introducing the concept of continuous auditing. Truetrail monitors the state of all digital assets and immutably records any changes to them, thus creating a chain of provenance of every node in the network, security control, database entry, etc. When you add pre-defined baselines of expected asset states, it gives you the capability to detect any discrepancies (near) real-time.

As a result, it allows you to independently verify that you are compliant with the defined policies at any point in time and to prove that there have been no discrepancies. So instead of an annual tick-box bureaucracy, you have automated compliance proof on a continuous basis.

Truetrail applies the following principles to assure true awareness and compliance:

  1. Continuous controls monitoring. Truetrail monitors all parameters of your systems and continuously compares the values against defined baselines. The built-in rules engine allows you to prescribe what to do in case of deviations: alert, rollback, remediate, etc.
  2. Continuous data integrity assurance. While controls monitoring is the key, it is equally important to protect yourself against data manipulation by insiders and adversaries.
  3. Continuous reporting. The provenance of controls and asset states is verifiable (and presentable to third parties) in near real-time, as well as in the form of scheduled reporting.
  4. Black-box logging. Who controls the controller? Truetrail has an independently verifiable, immutable audit log of its own operations to protect against insider, auditor or management manipulation.
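To make principles 1, 2 and 4 concrete, here is an added illustrative example in Python. It is not Truetrail's code and makes no claim about how Truetrail is built; the baseline, the asset names and the observed values are constructed for the demonstration. It shows the two mechanisms the principles rest on: every observed asset state is appended to a hash-chained log (each entry commits to its predecessor, so a later edit of any entry breaks the chain), and each observation is compared against a pre-defined baseline so that drift is flagged at the moment it is recorded rather than at the next annual audit.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed baseline of expected asset states (hypothetical asset identifiers).
BASELINE: Dict[str, Any] = {
    "fw-01/ssh.permit_root_login": "no",
    "db-01/tls.min_version": "1.2",
    "acl/finance-share": ["finance-ro", "finance-rw"],
}

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass
class Entry:
    seq: int          # position in the log
    asset: str        # which control / asset was observed
    value: Any        # observed state
    prev_hash: str    # hash of the previous entry (chain link)
    hash: str         # hash over (seq, asset, value, prev_hash)


class AuditLog:
    """Append-only, hash-chained log of observed asset states."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    @staticmethod
    def _digest(seq: int, asset: str, value: Any, prev_hash: str) -> str:
        # Canonical JSON so the same state always hashes the same way.
        payload = json.dumps(
            {"seq": seq, "asset": asset, "value": value, "prev": prev_hash},
            sort_keys=True,
        )
        return hashlib.sha256(payload.encode()).hexdigest()

    def record(self, asset: str, value: Any) -> str:
        prev = self.entries[-1].hash if self.entries else GENESIS
        seq = len(self.entries)
        entry = Entry(seq, asset, value, prev, self._digest(seq, asset, value, prev))
        self.entries.append(entry)
        return entry.hash

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any entry was altered."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if e.hash != self._digest(e.seq, e.asset, e.value, e.prev_hash):
                return False
            prev = e.hash
        return True


def check_observation(log: AuditLog, baseline: Dict[str, Any], asset: str, observed: Any) -> str:
    """Record the observation first (evidence), then compare it with the baseline."""
    log.record(asset, observed)
    if asset not in baseline:
        return "unbaselined"      # nothing to compare against: worth a review
    return "ok" if observed == baseline[asset] else "deviation"


def run_demo():
    log = AuditLog()
    # Constructed observations; the third one has an unexpected role added to the ACL.
    observations = [
        ("fw-01/ssh.permit_root_login", "no"),
        ("db-01/tls.min_version", "1.2"),
        ("acl/finance-share", ["finance-ro", "finance-rw", "contractor"]),
    ]
    results = {asset: check_observation(log, BASELINE, asset, val) for asset, val in observations}
    intact_before = log.verify_chain()

    # Simulated after-the-fact edit: someone rewrites the recorded ACL to match the
    # baseline, hoping to hide the deviation. The chain no longer verifies.
    log.entries[2].value = BASELINE["acl/finance-share"]
    tamper_detected = not log.verify_chain()
    return results, intact_before, tamper_detected


if __name__ == "__main__":
    print(run_demo())
```

The comparison runs after the observation is logged, so the evidence that a deviation existed is committed before any rule (alert, rollback, remediate) acts on it. In a real deployment the chain head would be anchored somewhere the monitored system's administrators cannot rewrite, which is what turns a hash chain into the independently verifiable log that principle 4 asks for.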

Interested in piloting?

By Q4/2020, the TrueTrail solution has reached technical readiness and has been successfully deployed in first projects in the critical IT infrastructure and operations domain. Besides ramping up the deployments in this domain, we are now looking for piloting partners from the finance and healthcare sectors to calibrate TrueTrail's value proposition, improve the implementation model, and design industry-specific compliance baselines. Get in touch with us to learn more about sales and piloting roadmaps.