Simplify cross-framework compliance management

Create a single source of compliance truth

August 25, 2020 12:00 PM

Disconnected point solutions make compliance management painful. Using spreadsheets, documents, Jira tickets, and sharing tools, or traditional GRC software, your controls and policies are strewn across many files and locations. When you're working towards multiple compliance frameworks (SOC 2, HIPAA, ISO 27001, etc.), mapping a control to a policy to a framework becomes an exercise in frustration.

Join this episode of Compliance Corner to learn:

  • Current challenges faced by organizations managing multiple compliance frameworks
  • A demo of Comply GRC, software that gives you a single source of compliance truth
  • 10 minutes of Q&A where we drill down into specific audience questions

If you're a security, compliance, or risk professional who likes to dive deep and see technology in action, this is the event for you.

Presented by

Chris Gomes
Product Management


Rebecca (00:00):

Thank you, everyone, so much for coming today. My name is Rebecca, and I run demand generation at Aptible. I'm just going to do a really brief intro here at the beginning, and then I'm going to hand it off to Chris to take you through the presentation. We'll try to keep it pretty brief today around 30 to 45 minutes, and we will definitely want it to be interactive so feel free to ask questions through the Q&A, if you have any, and we'll leave time for that at the end, or if it makes sense to answer questions as we go, we'll be sure to do that.

Rebecca (00:35):

As I said, Chris is going to take us through our presentation today. We'll be talking about cross-framework compliance management. For a lot of the companies that are online today, and a lot of the customers that we talk to, regardless of size or industry, they're managing multiple compliance frameworks. So, SOC 2, ISO 27001, PCI, etc., and there's a lot of challenges that go along with that. Chris is going to dive into some of those today and we'll be taking some polls as well, just to make sure we're keeping it to what resonates with the folks on the phone. Then we're going to go into a live demo of Aptible Comply, which is our GRC platform, which helps with managing cross-framework compliance.

Rebecca (01:15):

I'll just give a brief little plug here. For those of you who may have heard of SaaStr, SaaStr is the biggest SaaS conference in the industry, and it's obviously, this year, going virtual. It's going to be next week, September 2nd and 3rd, and our CEO and co-founder, Chas, is going to be presenting on the 2nd at noon Pacific Time. Our session is called Three Secrets to Supercharge Your Sales Cycle. So, we'll be talking about how compliance can actually help speed up the sales process, especially towards those later stages of sales security questions. If you would like to attend and you don't have a ticket, feel free to email us at growth@aptible.com, and I'd be happy to set you up with a free pass to SaaStr. With that, I'm going to hand over to Chris to take us through the presentation.

Chris (02:05):

All right. Thank you, Rebecca. My name is Chris. I see some companies and some names on here that we've worked with before, and it's great to see some familiar faces or names rather on the list and some new ones. For those of you who don't know me, I am a product manager here at Aptible. I've been with Aptible for about a year and eight months. I work on the Comply product, which as Rebecca mentioned, is our compliance management tool for B2B SaaS teams to ensure you are always in compliance and ready for your next audit. I'm excited to talk about the challenges around managing a compliance program that maps to multiple frameworks and how we can help with that.

Chris (02:51):

A little bit of background. When we say multiple frameworks, what exactly do we mean by compliance frameworks? I've listed two here on this slide, ISO 27001 and SOC 2, your kind of bread and butter information security audits that you might be compliant with in order to build trust with customers. But then there are those privacy regulations that you are likely needing to comply with. For example, if you do business in Europe, or if you have any customers from Europe, you're complying with the GDPR, or the CCPA in the United States. If you handle personal health information, then of course, you're thinking about HIPAA.

Chris (03:34):

Then, if you're thinking about HIPAA and you're doing ISO, at some point, you're going to face the question of, well, should we just do HITRUST? Because a lot of our customers are looking for that next level of reassurance about how trustworthy we are. Then at this point, you might as well just start talking about FedRAMP so that you can close those important government customers. If you handle any credit card information, then we need to be talking about PCI. All the while you're still thinking about, I just want to run a safe program and ensure that we are secure. I want to benchmark ourselves to the CIS 20. What implementation groups do we map to? Or NIST 800-171, 800-53, the CSF, the Privacy Framework, all of these across this wheel of fortune here.

Chris (04:26):

These are all the frameworks that you may be thinking about as you run your compliance program and as you go about your day-to-day. We use the term frameworks to refer to these, and that includes audit protocols, that includes government regulations, but these are all just basically different lenses through which you need to design your program, design your people, processes and technologies in order to be compliant. With that definition out of the way, of what we mean by frameworks, we wanted to ask a question of the group, which is, how many frameworks do you currently manage? When we say currently manage, we're really referring to you're either currently compliant with them, or it's a regulation that you are bound by today, or maybe it's an audit that you're preparing for in the very near future.

Chris (05:22):

But don't even include, in this poll, the stuff that you're thinking about a year away or two years out. Just in your day-to-day today, we want to know how many frameworks do you currently manage? We should be opening up a poll on that in just a minute, so go ahead and give your answer there and we will circle back and report out what we found. What is the pain of running a compliance program across these different frameworks? Well, I could not have put it better than a particular customer of ours here. There's that poll, so make sure you vote on that. We'll keep that open for a minute or two. I could not have said it any better than a customer of ours, who I will not attribute, but I will borrow their language here.

Chris (06:09):

When you're doing just one framework, it's not that hard. SOC 2, okay, a hundred controls. But when you're pulling out the cloud security matrix to see where ISO goes to NIST, and then it goes to the next one, you're like, okay, I'm ready to jump out a window now. Couldn't have said it any better myself. Once you're dealing with two or three of these frameworks, there is a lot of pain of just understanding, how does the design of my program map to these different frameworks? This diagram here, Rebecca gave me this great analogy just before kicking off this webinar. It's like, all of these different frameworks are recipes.

Chris (06:50):

Some of them call for a little more sugar, some of them call for a little less salt, but there's a lot of overlap in the ingredients, and just understanding, how does the design of my security program satisfy requirements of these different frameworks, that's one of the important pains of managing a compliance framework across multiple of these protocols. Yeah, that first problem, documentation, the policies, the procedures are all over the place and they sometimes are duplicative in terms of how they ultimately are describing the same thing, but they're just, hey, here's our SOC 2 policy or here's our CCPA policy. They're all maybe saying the same thing just to satisfy requirements that are really overlapping in multiple frameworks.

Chris (07:37):

The second problem that we see, and we hear from our customers who are running a compliance program that cuts across multiple frameworks, looks and feels kind of like this. This is what an audit feels like. You are pulling data from ticketing systems, from spreadsheets, from your cloud service provider, from your version control and change management system. You're issuing tickets in JIRA to collect evidence, you're looking into your mobile device management software, you're looking into your antivirus software to satisfy audit requests, and you're likely feeling deja vu. When you're doing this multiple times a year for different audit frameworks, you're going to have that feeling at some point of, didn't we just pull this for our PCI audit? Didn't we just pull this for a SOC 2 audit? I feel like I'm going back to my engineering team for the same requests.

Chris (08:32):

If you're not hearing that voice in your head, you are hearing it from your engineers. They are getting very similar requests, multiple times a year. If they haven't already, they're working on scripts to automate the requests that you are making of them, because there is so much overlap in what these different frameworks are looking for, and there is so much pain every time you go and try to drink from the well and pull evidence to satisfy an auditor. The problem here is that deja vu experience of, "didn't we just pull that evidence for our blank audit, for this audit, and now we're going through a different audit?" The overlapping audit experience of these frameworks is what makes managing multiple of them difficult. They're all very similar, but slightly different in terms of the evidence that you need to provide in an audit.

Chris (09:23):

So, you're trying to avoid having to go back to your team for a lot of the same stuff again and again. The last problem, I don't have a pretty image for, but it basically comes down to not having a crisp answer to, what if we did want to target another framework? Hey, we're doing ISO, we're HIPAA compliant, what if we did want to get HITRUST certification? What would that look like? How much extra work? How much of what we're doing today gets us toward that outcome? This question, which you may be fielding from management, you may be fielding from execs, or even the board, it can be difficult to answer this question crisply if you don't have a consolidated view of everything you're doing and what a net new framework would look like to your existing compliance program.

Chris (10:10):

We're going to start another poll. We're going to close out the last one, and we're going to kick off one additional poll here, which is, which of these problems resonates most with you? Yeah, we're going to close out that last poll, and then for this new poll, we'd like you to vote on which of these is most painful for you. I think you'll be able to select multiple, but yep, there we go. Yeah, pick whichever of these is most resonant. Is it, I've got documentation all over the place of how my program fits into all these different audit frameworks? Is it that deja vu feeling when pulling evidence or the engineer's telling you, hey, we just pulled this? Or is it that inability to kind of see, hey, what would a net new framework look like for us? What would it look like if we did want to add HITRUST, or something else?

Chris (11:04):

If it's something else, select other and just type it into the Q&A form, and so that we can see that, and in a little bit, we're going to report out the answers to all these polls of what people submitted. We could have listed plenty more. These are just the three that we hear most commonly, but we wanted to end this meeting sometime today, so we didn't want to just list everything on all the slides. Feel free to use the other option there. We will keep that poll open for a minute or two, and we will give folks a chance to answer. But in the meantime, I'll proceed right along here. Aptible Comply, I've called it the compliance monitoring platform for B2B SaaS teams that ensures you're always in compliance and ready for your next audit.

Chris (11:51):

If I had a nickel for every time I said that, I've got the spiel down, but what does that actually mean? It is your single source of compliance truth to organize your compliance program, regardless of what frameworks you are satisfying, that you are currently compliant with. Aptible Comply helps you organize all of your people processes, technologies and evidence, and look at it through the lens of all these different frameworks when you need to answer to them. That could be when you're going through an audit, that could be when you're just doing regular assessments of how our ISO controls are performing, say you're doing an objectives and metrics review.

Chris (12:31):

It just basically gives you a different prism through which to examine everything that you're already doing. It is your single source of compliance truth for companies that are managing multiple audit standards, multiple regulations and multiple frameworks. What are the frameworks that we support today? I've glossed over this wheel of fortune image. I want to come back to it. Short answer is all of them. That may come as a surprise for some folks who are on this call, who are existing customers of ours, who haven't heard us really promote or talk about some of these, but every framework you see listed here is something that we support.

Chris (13:08):

FedRAMP is something that we are actively working with customers on. It's one of our newest, and so if you are interested in FedRAMP, that process isn't quite as out of the box as some of these other ones, but we're looking to get that experience to be just out of the box, just like all of the other frameworks, very soon. But all of these other ones, and we have NIST here. NIST 800-171, 800-53, the NIST CSF, and the Privacy Framework. Let us know if you're interested in those.

Chris (13:37):

We support them. Then these other ones are also really our bread and butter and have been for a while. I'll also call out HITRUST here. If you are interested in HITRUST, let us know. We have a webinar later this week on Thursday, co-hosted with the HITRUST Alliance and with NCC Group, who's an assessor that we've partnered with in order to develop our HITRUST support, to make sure that it is the best experience possible when you're going through one of those HITRUST audits, which is a high bar. That's why you'll want to join that webinar on Thursday to see how we did it. All these frameworks are in scope, and we are constantly adding to the frameworks that we support, thanks to our expert team of compliance leads called the data protection advisors, the DPAs.

Chris (14:27):

Folks like Joe Veroneau, folks like Michael Lyons, if you've been an Aptible customer for a while. They're the ones who make sure that we are watching these frameworks like hawks and always providing continuous support and growing the list of frameworks that we support. Without further ado, I'm going to jump into a product demo, and I'm going to show you how it all works. Give me just a minute here to pull up my screen, get my demo ready. This demo is going to encompass basically these three aspects. The first is One ISMS, one information security management system mapped to multiple frameworks. That way, that feeling of, hey, my policies and procedures, the design of my ISMS is all over the place, I don't have a central repository for storing it, and I certainly can't see how the same policy or the same control maps to a requirement of SOC 2 and ISO.

Chris (15:32):

The second is I'll show you how you can collect evidence for one audit and use it in another. The third is, how can you assess gaps to net new frameworks? That's what I'll focus on in the demo here. We do want to encourage folks, use the Q&A as I go through the demo, keep me accountable to keeping it interesting and relevant. As I'm going through this, if you want me to double click on anything, just drop it in the Q&A, I'm a horrible multitasker, so I might go through the demo in completion first, and then circle back to anything that got dropped in the Q&A. I'm going to aim for about a 15 minute demo here. After that, if there's no demo-specific Q&As, we'll just open it up to any questions from the audience. Okay, so jump in here.

Chris (16:32):

Okay. I'll look for Rebecca to wave her hands above her head if I'm screen sharing, like my Amazon shopping cart or something. Okay, cool. It looks good. This is Aptible Comply. This is what we refer to as our control dashboard. I'll explain why I'm starting here in a minute, but first, I just wanted to give you all a glimpse of the end state of what you're ultimately working toward by managing multiple frameworks in Comply. This is basically live evidence streaming into Comply that is attesting to the state of your various internal controls. These internal controls in turn map to requirements of ISO 27001, and they map to requirements of SOC 2.

Chris (17:20):

Here's every single requirement of ISO, and you can see that these are also evidenced, based on the inheritance through our internal controls, and similarly for SOC 2, every single requirement of SOC 2 and how you're performing, and where are the gaps? Where are the SOC 2 requirements where we don't have evidence or where we don't even have a control mapped? This is ultimately where you're going. This is the end state of how, with a single compliance program, you can just rotate the viewfinder to see your compliance program through the lens of the relevant framework that you care about when you're going through that audit or when you're reviewing your program through that lens.

Chris (18:04):

This demo account is just set up with ISO and SOC 2, but it would work exactly the same way if you added any of those frameworks that we referred to before. Do you want to benchmark yourself to a CIS 20 implementation group? We could do that here, and we would just enumerate the different requirements of those implementation groups, and you can look at your compliance program through that. If you were compliant with HIPAA, it would be the same thing, the statute and all the elements broken out. Similar with HITRUST, that would just be a very long list, but we can do it. That's the end goal of where you're going. I'll say a little bit more about how it all works, and what is the relationship of your internal controls and the evidence to the requirements of the frameworks that you care about.

Chris (18:53):

To do so, I'm going to jump to another area of the app called the ISMS. For folks who are familiar with our product, they are intimately familiar with this screen. This is basically the control matrix that enumerates your internal controls and illustrates how each of them maps to requirements of the frameworks that you subscribe to, like ISO 27001 and SOC 2. Here's where you can quickly see, what are all of my controls that are relevant for, say ISO, or I can just filter it to SOC 2. Again, this would be the overlap if you filter to both of them, and how you can just kind of quickly see, say for a given domain like encryption and key management, what are my procedures? What are my processes? What are my controls, and how do they satisfy requirements of different frameworks I care about?

Chris (19:46):

This view right here is essentially your store of controls and policies. If I jump into say, let's jump into our logging policy as an example. This is the logging policy, not the best example, but if we had something that was a little bit meatier, you'd be able to see, say for a storage encryption policy, how that policy maps to these different framework requirements. Every change to this control is stored in this activity panel. As we map evidence, as we go from draft to approved, all of your procedural and policy document management is stored in Comply and giving you credit for multiple frameworks at once, for ISO 27001 and SOC 2.

Chris (20:30):

For this given internal control, you can see all of the evidence that relates to it, and that is going to be the same kind of evidence that you provide when an auditor asks you about either of these controls. I'll go a little bit more into the evidence management in just a moment. But first, I did want to just illustrate how the design of your program, your policies, your controls, just that 30,000 foot view, how you can see your progress against multiple frameworks in this ISMS control panel. All of this feeds into a single policy manual that defines how you operate and can still be illustrated through the lens of a given framework. For example, if I look at my human resources information security policies and controls, I can reveal the mappings to show how this single policy maps to requirements of ISO and SOC 2.

Chris (21:28):

This is the policy manual that you can then export and share with internal stakeholders. You can share a sanitized version of this with customers or a detailed version with customers, and it'll certainly be something your auditor will be interested in. All of those controls across all those frameworks feed into a single ISMS, a single set of governance, policies, and procedures, and acceptable use policies. The frameworks themselves, as I mentioned, they live under this frameworks tab. I'm going to zoom in a little bit because I know my screen is kind of small. They live under this frameworks tab. This is where you can see a little bit more information about each of these frameworks like ISO 27001.

Chris (22:13):

You can create a statement of applicability here. You can just filter to the unaddressed requirements using this shortcut. This is essentially where you can plan, okay, which of these Annex A controls are applicable or not applicable? What's my justification? You can even keep track of the implementation status of your controls relating to each of these requirements of ISO. Again, this last column here is where you're ultimately creating that mapping of, hey, here's the ISO requirement or here's the ISO control. How does this map to my internal controls? You just do that with a single click of a button here and update those mappings. This is how you're relating any one of these framework requirements to your set of internal controls.

Chris (22:58):

It would be the same thing for SOC 2, every single requirement of SOC 2 mapped to your internal controls. Before I move off this point about the design of your program and how you can consolidate your policies and procedures, I do want to say one other thing, which is, for many of our customers, they come to us, they've already got policies. They've already got ... they're complying with multiple frameworks. They may have documented their security management program in multiple places, and that's okay. That team of data protection advisors will work with you to load in your policies, your procedures, your control matrix, if you've got one, into the system so that you can just immediately visualize how it maps to the different requirements of ISO and SOC 2.

Chris (23:49):

As we do this, if we do notice that, hey, there's ... If I jumped back to that dashboard for ISO, let's say, we can immediately filter down and say, hey, let's just look at the different requirements of ISO, and here are 12 or 17 ISO requirements for which we didn't find any ... It doesn't seem like you have a control in place. Again, it might be just statement of applicability dictates that this is not relevant, or it might be that, hey, you actually do have a gap. Our team of data protection advisors will meet you where you are and work with you to ingest your existing policy and control documentation.

Chris (24:29):

If you do have a gap, or if you are starting from scratch, let's say, with a new framework, Aptible can provide you with template policies and with template controls. That's actually a lot of what you're looking at here, is just the existing control library that Aptible provides customers when you are looking for either a boilerplate policy or example controls, or maybe you've already got a control in place, but you're looking for a best practice. I see that there's a Q&A, and I'm going to jump in here. Thank you, Claudia.

Chris (25:09):

The mapping, yes, so if we have our controls mapped to ISO, but we need to know whether controls are mapped to SOC, FedRAMP, etc. That's a great question. Thanks for asking it. I'm going to click this answer live button. Everyone hopefully should be able to see that in the Q&A. Essentially, the mapping can be done, if you're using our baseline controls and policies, we already have the mapping and you just get those out of the box. It's instantaneous, let's say. But if you come to Aptible and you've got your own set of controls or your existing policy documents, then our data protection advisory team, our team of compliance experts can do those mappings for you if you don't already have them mapped.

Chris (26:00):

We've done that for many customers where, as part of their implementation, it's just baked into the implementation charge that customers pay when onboarding. We just say, okay, yeah, you've got ISO controls, but you want to see how it maps to SOC and FedRAMP, we'll do that for you. We will show you how your existing controls and policies satisfy the requirements of those frameworks. That's usually just baked into the initial onboarding. If that were to come up throughout your time as an Aptible customer, then we can always just do that for you, and we have great service packages, great support packages so that you can get some of that time from our compliance experts in using a package that's affordable and fits with your business needs.

Chris (26:56):

That's the overall design of the program. I want to talk a little bit more now about this. I just scrolled over to the presentation to see if that would map over, but the second one is collecting evidence for one audit and then using it for another. Once we've got our program designed, what is the actual audit experience like, and how does evidence that we gather from one audit help us in another audit? For this, we can jump over to the evidence tab of Comply. Essentially, request lists are how we manage audits in Comply today.

Chris (27:35):

When you're working with an auditor, it could be a readiness assessment, could be an initial audit, it could be a re-certification audit or surveillance audit, you'll get a request list. We work with certain audit partners directly. If it's one of those preferred partners, it's an even tighter experience, similar to what I alluded to earlier about NCC Group and HITRUST. But whatever auditor you're working with, you're going to get a request list and you can load it into the system just by adding a CSV. So, it's very simple to get these request lists into the system.

Chris (28:11):

This one, as an example, is an ISO internal audit. Maybe this is a follow-up request list, so it only has six items. Here is where, essentially, all you need to do to map evidence to any one of these requests is to just, either log evidence here. So, this is where you can upload manual evidence. It's already mapped to the given request item. This would be where you can log screenshots, things like that. But where Aptible really shines is the fact that we ... if you're using our turnkey integrations, we're just streaming in evidence automatically for you that's already mapped to your internal controls. If you know that a request list is testing one of these internal controls, then you can find it very easily and map the evidence to that request list item.

Chris (29:02):

Let's say, for example, let's use this AWS backup success. This is an example of an event that might be hitting our API endpoint. I know I'm kind of glossing over the integrations. We have other webinars dedicated specifically to the integrations that we support and how to use our public API to get evidence into the system. If you're interested, let us know, and we can get you on one of those webinars. But let's say you've got the integration set up, so you have evidence streaming into the system already. The evidence is already mapped to your data backups control. It's already mapped to the relevant asset, just through the integration itself. You can then associate this piece of evidence to that request list.

Chris (29:49):

The backups, the business continuity policy, your data backups, your disaster recovery request that your auditor issued to you, this is how you can map this piece of evidence to that request. But jump back into the request list here. It's showing me now I have two pieces of evidence that are mapped to that initial request, and I'm building up my response to this request list. So, I can mark this one as complete. Now I have three of the six requests complete, and if I look at my progress, I'm 50% of the way towards satisfying this request list. Eventually, I'll get all the way there, and I'll mark this complete. With a click of a button, I'll be able to export this evidence and hand it over to my auditor, and the evidence is all organized.

Chris (30:39):

In this case, it would be six folders labeled with the request ID that was originally on the request list. So, you just ship it over to your auditor and say, everything's there, go nuts. In creating those mappings, however, the way that you can reuse this evidence really easily is through the mapping to your internal controls. If I jump into this data backups policy control, as an example, now I'm back looking at that control, and if I click on the evidence tab here, I can see all evidence that has ever been logged relating to this control. Whenever an auditor asks me, in the future, for evidence of this particular control, my data backups policy, maybe they're testing A.12.3.1, the Annex A control, or maybe they're testing the SOC 2 availability criteria, 1.2, whatever they're testing, I map it to this control.

Chris (31:34):

Right here, I can see all evidence that I've ever provided relating to this control. Again, because I have my turnkey Aptible integrations set up, or I'm using the public API, this evidence was already in the system for me and already mapped to that internal control, allowing me to find it and reuse it easily for any audit. That's how we ultimately populate these ISO 27001 and SOC 2 dashboards, how you can see, hey, here are those requirements and what's the evidence, I'm going to zoom out again, what's the evidence that we already have in the system? Sure enough, you can set up logic so that for any evidence that's streaming in automatically, you can define what does good look like and what does bad look like? You can jump to evidence that, say, needs attention and examine it.

Chris (32:29):

Oh, here, it looks like a pull request that was approved by the author. We know that's a violation of our SDLC change management policies. Pull requests need to be approved by somebody other than the author. That's how you'd be able to set up this continuous monitoring. Again, if you're interested in how our integrations give you that continuous monitoring of your controls, we have webinars set up about that, and we can get you some of that content or shoot you over one pagers. Just let us know whatever you'd like to dig into in more depth and we'd be happy to show you a bit more about how the integrations and automations work.

Chris (33:10):

The last pain that we often hear about complying with new frameworks and managing multiple frameworks at once is, I need to have a crisp answer of, what does it look like to comply with a net new framework? What would it look like to target FedRAMP low or FedRAMP moderate or HITRUST next year? We help you do that by providing you frameworks, even if you're not yet ready to actually implement all the necessary controls to comply with them and visualize the gap. For example, on this ISMS view, if I click on this dropdown, I can always look at your controls through the lens of a given framework. This is essentially a gap assessment, where I'm looking at all the requirements of ISO, and right here, I've got a big red zero because I don't have any controls mapped to this essentially information security, risk assessment control or requirement of ISO.

Chris (34:10):

Aptible can always provide you template policies, template controls to fill in the gaps, but it's often helpful to see, hey, just how's the design of my current program satisfying these frameworks that I might be interested in going after? Another way that you can visualize that is just, on the dashboard, just let us know, hey, I want to add HITRUST and just visualize the framework in my program. What would that look like, and where would the gaps be? So, you can then click on that framework and it'll immediately visualize the mappings. Again, thanks to Claudia's question we already talked about, well, how did those mappings get in there? That's something that our compliance team can do for you. But through those mappings, we'd be able to tell you how many internal controls you have that cover the requirements of that net new framework already, and how many of them would be unaddressed.

Chris (35:03):

So, this is how we would filter to those that say, this is what the delta is. This is what the gap would be if you did want to add a HITRUST framework or FedRAMP or PCI, or any of those real heavy-hitting frameworks. This is how we'd help you visualize the gap in controls. Then once you have those mapped, you would then be able to say, well, which of them do I already have evidence for, and which of them are lacking evidence? This is just not something that we're routinely collecting evidence for. That control may require more work to attest to in the midst of an audit.

Chris (35:40):

This brings the initial demo to a close. That's how Aptible Comply can help you consolidate your ISMS and cross-map to all of the frameworks that you care about, keeping your documentation neat and tidy in a single place, keeping track of every change that you've ever made to your policies and your controls over time, and showing how they map to the different frameworks. That's how Aptible Comply can help you generate evidence for a given audit and easily reuse it in multiple audits. Here, again, is that evidence that we've got in the system mapped to multiple frameworks and multiple requirements in different frameworks.

Chris (36:19):

That's how ultimately Comply can help you visualize the delta to new frameworks. If this was, say, a new framework that you were looking to comply with, you could easily see how the framework requirements map to your existing control activities, and what gaps there are, and what the delta is for compliance with that new framework. I'm going to stop sharing my screen there, and we're going to review the Q&A. I did see that a couple of things came up in that Q&A. The first one I'll jump in right here. I'm going to answer live. Thank you, Margo. Great to see you, by the way. Not see you. I can't see anybody, but I can see the names. Margo's question was, in evidence, does owner mean that they have something assigned to them?

Chris (37:05):

Let me just show my screen again so we can show what Margo's talking about here. Here we go. There's my desktop. Awesome. The owner column on evidence is essentially how you can specify when somebody does upload evidence, who's the person who is responsible for that piece of evidence? Or after it's been uploaded, who's the person who knows that evidence inside and out. This is most helpful in an audit when you're managing requests to your subject matter experts or your control owners, and you need to keep track of basically who's provided what, and who do I need to go back to if the auditor does have questions about a given piece of evidence.

Chris (37:58):

It can then be really handy, because over time, you will build up a big library of evidence. You can then use this shortcut of evidence I own so that, if you're looking at this, or if you've invited any of your teams as collaborators, you can invite them into the tool and just filter down to the evidence that you own or that that person owns. That's what makes it easier to collaborate and easier to retain accountability for who is the subject matter expert for what pieces of evidence. A given request list, you always see, okay, hey, I want to review these business continuity plans that we're going to provide. Click into that piece of evidence and you can see who the owner of that piece of evidence is, and keep your paper trail of who provided it and who to circle up with.

Chris (38:54):

Awesome. Yes. Rebecca, were there any other Q&A questions that came in that I have not seen? I saw a couple pop up, and I'm not sure if I got them all.

Rebecca (39:07):

I don't think so. I think we've gotten all the questions, but feel free, we've got a few minutes here left. So, pop your questions into the Q&A box, or you can ask them in the chat. Just for those of you who missed some of the housekeeping at the beginning: it seems that there was some sort of issue with the reminder link going out, which I think is why some people had to join a little bit late. I was sending some emails frantically, but this webinar has been recorded, and so you will all receive a link to the on-demand version of this. Feel free to come back and watch at your leisure and share with other people within your organization as well.

Rebecca (39:47):

We'll also be sending out a link to next month's Compliance Corner, which is going to be on evidence collection. That should follow on very nicely from this cross-framework compliance management event. Then, I think we did just have one new one come in.

Chris (40:03):

Yes, I can answer this live.

Chris (40:06):

Thank you, Claudia. Great question. So, is the control owner assumed to be the one attesting to the effectiveness of the control? That is what we recommend. I'll share my screen again. Essentially, we give you the ability to enumerate who the owner is for pretty much everything in the product. That's because it can be so helpful to keep track of who's on first. If I share my screen here, this owner column, it's pulling from your list of people in your program, and this list of people, you can think of as kind of like your team management page. This can also, we can sync with Okta or G Suite, or your identity provider, JumpCloud, even to populate this list for you.

Chris (40:55):

Then all those individuals are eligible to own controls. The control owner is ultimately the person who, if they're not invited, you'll issue an invite by assigning them as a control owner. But your control owners are ultimately the people who are responsible for attesting to the effectiveness of it, and who are responsible for the maintenance of the control and related policy over time. They may not have the ultimate approval authority. You may define, say, a management team that is responsible for ultimately approving a given control, but they're the individual on the hook for maintaining that control over time. Follow-up question, which is a ... I love this question. Great question, Claudia.

Chris (41:41):

What if one control is owned by multiple people? I'm going to use this as a plug for our ... let's see, roadmap.aptible.com. Check out roadmap.aptible.com, because that is a very common ask, and we are actually already working on ... where is it? Here it is. Oh, no, that's asset groups. Well, roadmap.aptible.com is where you can see what we're working on, what's under consideration, including new integrations, and what's planned. Here we go, team-based assignments. We are adding in support for a given control or assets to be owned by more than just a single person, but rather a team.

Chris (42:27):

This would allow you to maintain that level of ownership at the team level. Your service reliability team's responsible for your data backups policy. Then you can define, behind the scenes, how does that team translate to an individual. Whenever there is work to be done, whenever a policy does need to be reviewed, how does that translate into a specific individual? We are working on that, and we know that that would be valuable. The other aspect of that is by having that team ownership, you can then see, how are my different teams performing, rather than saying, how are the 157 people in my company performing, but how's my HR team doing for the controls that they own for the evidence that they're responsible for?

Chris (43:13):

How's my IT team doing? How's my service reliability team doing? Kind of an "it's coming" sort of question, but I got excited when I saw that question because that is an opportunity to plug roadmap.aptible.com, if you want to see what we're working on or what's under consideration.

Rebecca (43:38):

Awesome. Great. Thank you everyone for the questions.
