Abstract

Monitoring compliance status has historically been difficult for organizations because of the growing number of requirements imposed by various standards, frameworks, and regulations. Even with the assistance of security tools and appliances, existing organizational practices are mostly manual, since a human expert is still needed to interpret the reports generated by various solutions and map them to the actual requirements stated in the compliance documents. As the number of requirements increases, this process becomes either too costly or impractical for the organization to manage. Beyond their sheer number, many of these documents overlap in terms of domains and actual requirements. However, since current tools neither map and highlight these overlaps nor generate detailed gap reports, an organization ends up performing compliance activities redundantly across multiple requirements, which further increases cost. In this paper, we present an approach that attempts to provide an end-to-end solution from compliance document requirements to the actual verification and validation of their implementation for audit purposes, with the intention of automating compliance status monitoring, enabling continuous compliance monitoring, and reducing the redundant effort an organization expends on multiple compliance requirements. By enhancing existing security ontologies to model compliance documents and applying information extraction practices, this research allows overlapping requirements to be identified and gaps to be clearly explained to the organization.
Through the use of a secure systems development lifecycle and heuristics, the research also provides a mechanism to automate the technical validation of compliance status, thereby allowing continuous monitoring as well as mapping to the enhanced ontology, which permits reuse via conceptual mapping across multiple standards and requirements. Practices such as unit testing and continuous integration from the secure systems development life cycle are incorporated to allow flexibility in the automation process while at the same time using it to support the mapping between compliance requirements.

Highlights

  • The need to conduct compliance activities within an organization has never been more apparent than it is in recent times

  • "Deploy anti-virus software on all systems commonly affected by malicious software." Existing works such as [11] map compliance document concepts at a section level, which leads to loss of detail as well as the inability to develop a system that can automate compliance status reporting with respect to actual compliance requirement statements

  • In order to complete the link between compliance requirements and implementation verification as well as provide the ability to support continuous compliance monitoring and process audit [17], there is a need to link the populated ontology and its related compliance document to actual technical verification tools such as audit scripts in order to provide real-time compliance status feedback


Summary

INTRODUCTION

The need to conduct compliance activities within an organization has never been more apparent than it is in recent times. The number of regulations, standards, frameworks, architectures, and practices that an organization is required to comply with, or would benefit from complying with, is overwhelming and continues to increase in number and complexity as technology and the environment change over time. The research takes a different path by using testing frameworks and scripting based on software quality assurance and secure software development lifecycle methodologies and practices, as opposed to using existing notations such as Business Process Management Notation (BPMN) to model processes and map them to compliance documents [5], since a great majority of organizations still do not use BPMN internally
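The following is an added Python sketch, not code from the paper, illustrating the idea from the highlights and the introduction above: requirement statements from different standards are mapped to shared ontology concepts, each concept is bound to one scripted verification check, and the same run yields both the overlap list and a per-requirement gap report. The standard labels STD-A and STD-B, the clause ids, the concept names and the host inventory are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    standard: str   # constructed standard label, e.g. "STD-A"
    ref: str        # constructed clause id
    text: str       # requirement statement as extracted from the document
    concept: str    # ontology concept the statement is mapped to

# Constructed host inventory standing in for data an audit script would collect.
HOSTS = [
    {"name": "web01", "os": "linux",   "antivirus": True,  "log_forwarding": True},
    {"name": "db01",  "os": "linux",   "antivirus": False, "log_forwarding": True},
    {"name": "ws07",  "os": "windows", "antivirus": True,  "log_forwarding": False},
]

# Verification checks are keyed by concept, so one check serves every standard mapped to it.
def check_malware_protection(hosts):
    """Return hosts with no anti-virus deployed (failing hosts)."""
    return [h["name"] for h in hosts if not h["antivirus"]]

def check_central_logging(hosts):
    """Return hosts that do not forward logs to a central server."""
    return [h["name"] for h in hosts if not h["log_forwarding"]]

CHECKS = {"malware-protection": check_malware_protection,
          "central-logging": check_central_logging}

REQUIREMENTS = [
    Requirement("STD-A", "5.1", "Deploy anti-virus software on all systems commonly affected by malicious software.", "malware-protection"),
    Requirement("STD-B", "A.12.2", "Controls against malware shall be implemented.", "malware-protection"),
    Requirement("STD-A", "10.5", "Forward audit logs to a central log server.", "central-logging"),
]

def overlaps(reqs):
    """Concepts that more than one standard maps to are overlapping requirements."""
    by_concept = {}
    for r in reqs:
        by_concept.setdefault(r.concept, set()).add(r.standard)
    return {c: sorted(s) for c, s in by_concept.items() if len(s) > 1}

def gap_report(reqs, hosts):
    """Run each concept's check once and attribute failing hosts to every mapped requirement."""
    results = {c: CHECKS[c](hosts) for c in {r.concept for r in reqs}}
    return {f"{r.standard} {r.ref}": results[r.concept] for r in reqs}
```

Because checks are attached to concepts rather than to individual clauses, adding a third standard that maps to `malware-protection` costs no new verification code, which is the reuse the ontology mapping is meant to buy.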

EASE OF USE
OUR APPROACH
Compliance Documents Conceptual Overlaps
Compliance Ontology Enhancement
Information Extraction in Populating the Ontology
Linking Compliance Documents to Verification Automation Scripts
RESULTS AND CONCLUSIONS
