ZenGRC

Simply Powerful GRC

GRC

Auditing Documentation Control

· ·

Consumers across the globe have come to expect certain standards of quality, whether it’s milk in the refrigerator and the child safety harness in the back seat. Whether a customer spends hours doing research or simply purchases a product sight unseen quality assurance is now a built-in expectation.

An efficient quality management system (QMS) is the cornerstone of customer satisfaction and sustained business success. And part of the backbone of the QMS cornerstone is document control.

Therein lie the importance and necessity of regularly conducting document control audits.

Now, grab a cup of your favorite documented sustainable-and-fair-trade-certified coffee as we dive into the value of auditing documentation control.

What is the Document Control Audit Process?

To understand the significance of a document control audit, a basic understanding of QMS is helpful. Generally, QMS is a strategically defined set of policies, procedures, processes, and responsibilities adopted and documented by an organization to meet and improve standards for quality in their industry.

Note the use of the word “documented” in our definition.

As the globally accepted gatekeeper for QMS, the International Organization for Standardization (ISO) defines appropriate and necessary documentation based on the main objectives of the information contained within the documents. Objectives of documentation may include:

  • To communicate information (a tool for transmission)
  • To offer proof or evidence of conformity
  • For the purpose of sharing knowledge
  • To preserve and distribute information pertinent to an organization’s sustainable processes and experiences

What is the purpose of a document control audit?

The overall purpose of a document control audit is to verify an organization is controlling risk in areas such as customer satisfaction, compliance, process efficiency, and overall quality of products or services. A document control audit is also an imperative precursor for an organization seeking ISO 9001 certification.

Depending on the size, organizational culture, level of communication skills, and the nature of an organization’s industry, the scope of required documentation could be enormous.

Part of an effective QMS is to have a quality system for the control of documents.

What is document control?

Document control is a system of policies and procedures designed to oversee the creation, distribution, modification, accessibility, and reliability of documents. An important aspect of quality control, the document control process assures management, employees, vendors, and customers that the information they receive is current and accurate.

How do you develop controls for documents and records?

For purposes of clarity, we’ll approach this from the perspective of an organization at the beginning stages of seeking ISO certification.

During a document control audit, internal auditors check for an established document control system. Before creating the system, knowing what types of documents and records an organization is required to control and maintain is the first step.

ISO 9001:2015 mandatory QMS documents

  • QMS scope
  • QMS policy
  • QMS objectives
  • All documents determined by the organization to be “necessary to support the operation of processes” (ISO 9001:2015 Clause 4.4)

Necessary process operation documents

What an individual entity defines as “necessary” is based on several factors, according to ISO 9001 standards: “size of the organization and its type of activities, processes, products, and services”; “complexity of processes and their interactions”; “competence of persons.”

Some examples of documentation an organization should maintain based on the above descriptions:

  • Quality manual
  • Organizational charts
  • Process flow charts and descriptions
  • Product specifications
  • Work instructions
  • Production schedule
  • Inspection plans
  • Organization specific forms

A document control audit evaluates the processes and procedures an organization uses in relation to how the development, revision, and retiring of documents are handled. These are referred to as document control procedures.

What are document control procedures?

When ascertaining the presence and effectiveness of document control, an internal auditor will investigate the methods used in the development and management of all documents used by a business.

Specific document control procedures include:

Approval Process

This control describes who is authorized to create and distribute an original document, whose responsibility it is to review documents for accuracy, and how approval is recorded.

Document Revisions

This control not only monitors the current revision status, but also sets guidelines for recording when, by whom, and what type of revisions or updates were made.

Document Review

Defines the controls for annual management review of current documents, who is responsible to review documents, and the procedures required for re-approval.

Document Access

Designates specific control procedures for the availability of documents at appropriate points of use, plus control for verifying the most current documents are distributed or easily retrievable.

Document Disposition

This control addresses the identification and regulation of obsolete documents, including criteria for archiving or destroying, plus the controls regarding the unintended use of obsolete documents, including discipline policies for nonconformity.

External Documents

A master list of all approved external documents is kept, reviewed, and updated regularly.

How Can Audit Findings Be Reduced?

When a document control audit is on the horizon, it’s not uncommon to feel less organized than you need to be. Because a quality system for the control of documents is essential for ISO certification, many businesses have turned to automated systems for document control.

Streamline document storage, organization, and procedures with ZenGRC’s answer to document control.

Taking the Zero Trust Model Into 2021

· ·

2020 forced companies to reevaluate almost every facet of their business. With budgets put on an indefinite freeze in March, sales teams saw their pipelines dry up overnight. With all forms of face-to-face interaction canceled, marketing saw half their channels disappear into thin air. And with more economic uncertainty than we’ve seen in decades, finance departments had to squeeze, save, and recover every penny they could. It seemed as if every department was put into an indefinite holding pattern.

Well, all but one: Information Security.

While every other department spent the bulk of 2020 scrambling to scale back, infosec was burdened with more responsibility than they could have ever imagined.

With just days to move entire organizations remote, infosec teams spent their March scrambling to establish and execute new security infrastructures, access points and processes for entire workforces, with only the mere weight of their companies’ fiscal survival on their backs. 

If this shift couldn’t be done fast, fingers would point to the team who handcuffed the organization to VPNs and on-prem access. And if it couldn’t be done right, they’d blame the team who exposed vulnerabilities and caused data breaches. 

In all cases: infosec would take the blame for a failed 2020.

But the story didn’t end like that. In fact, the brilliance of information security personnel was on full display in 2020, as companies, hospitals, financial institutions, even schools were able to at least partially, if not fully, transition to a remote-first approach. 

This meant the implementation of a cocktail of security measures, including advanced anti-malware, integrity monitoring, authentication technology, data encryption and, perhaps most critically, strengthened employee awareness and training.

But what all this forced so many of us to do wasn’t forge into this unchartered territory of unprecedented security measures. It simply led us to inevitably (and finally) adopting a security model for 2020 that had been lingering in the shadows of infosec for perhaps the last decade:  Zero Trust.

Differently than the traditional “trust but verify” approach to network security, the Zero Trust model requires all users, even those inside an organization’s enterprise network, to be authenticated, authorized, and continuously validated before being granted or keeping access to applications and data. In practice, this means one-time validation won’t suffice, hence the need for advanced technologies and security measures, such as multifactor authentication. 

Historically, the Zero Trust model — at least to those of us operating primarily on-premise — felt complicated, error-prone, and unnecessary. Until all of a sudden in 2020, our model was the one complicated, error-prone, and not just unnecessary — but totally irrelevant.

And what’s most unique, perhaps, about this model, is its philosophical shift from being data-centric to role-centric. Zero Trust operates on the idea that information security should be developed on a role-by-role basis. Meaning, each role within an organization requires certain types of access. Leveraging all possible security technologies, access should be granted only as broadly and deeply as a role requires. This process transforms the traditional approach of protecting everything equally to protecting some things extremely well.

So as organizations move into 2021, having in some cases stumbled upon a Zero Trust model in their application of overnight remote access, it should be noted that more than 40 percent of people who have shifted to working remotely never want to go back to the office full time. Meaning, if you thought this was a stopgap until business could resume as usual, think again.

But there is tremendous upside to leaning into this new approach. Despite what our ethos once dictated, most of these tools are natively more secure than on-prem storage. And by implementing a technology solution to help monitor risks across the organization, you can evaluate and address information security threats, vulnerabilities and incidents from a single source of truth that satisfies the inevitable permanence of remote-required access, and at scale. Feel the zen wash over you as you imagine never hearing about another server crash. Even more, these tools are often much more user-friendly than the clunky VPNs we once required — and when your users are happier, they’re far more likely to carry out compliant behaviors than search for workarounds or not access at all.

Adopting, refining, and committing to a Zero Trust model will prove to be one of the top trends across infosec in 2021 and beyond. To learn more about Zero Trust and three other top trends we’re expecting to see in 2021 for Information Security, watch our recent webinar Key Takeaways from 2020 for More Effective Information Security in 2021.

User Behavior Analysis 101

· ·

A data security breach might terrify CISOs and other corporate executives, but with user behavior analytics (UBA)—also sometimes known as user and entity behavior analytics (UEBA)—organizations can easily track the types of activities that might indicate a breach of cybersecurity. 

In this post, we’ll give you an introductory course in user behavior analysis: what it does, how it works, how it can benefit your organization, and how to select the right UBA software.

What is UBA?

User behavior analytics are software programs that use algorithms to analyze log and event data from applications, endpoint controls, and network defenses; and gain a better understanding of how people are interacting with your IT systems. 

With UBA, businesses can use big data techniques to determine “normal” patterns of employee behavior, so that anomalies can be detected more easily and breaches traced back to the unusual behavior.

What is SIEM?

Security identity event management (SIEM) combines security information management (SIM) and security event management (SEM), to deliver real-time analysis of security alerts triggered by software, hardware, and network activity. 

SIEM programs have six main attributes: 

  • Retention
  • Dashboard
  • Correlation
  • Alerting
  • Data Aggregations
  • Compliance 

How Do UBA and SIEM Differ?

SIEM software works by identifying and analyzing threats using intelligence aggregated across the entire organization’s technology stack. This provides security teams the visibility needed to assure compliance and risk management.

UBA, meanwhile, focuses more on individuals. It allows the organization to look at a variety of data sources, such as individual files and emails, that are accessed and created daily. 

UBA software allows the aggregation of information so that anomalies among all the users in an organization can be analyzed in real-time. The UBA engine creates a baseline of individual user activity to recognize differences in use. These differences in use may be anything from deleting an unusually high number of files in a short time to launching rarely used apps.

Despite their different approaches, UBA and SIEM can work in tandem to assess behavioral analytics, detect malware, and prevent potential threats. 

How do UBA and SIEM Work Together?

Because SIEM and UBA approach security from different directions, they provide different insights into an organization’s information security environment. The distinction between the value each provides is best explained by Johna Till Johnson, who said:

“An event may be benign in one context and prove nefarious in another. For example, an accountant accessing a tax system at midnight on April 14 may be behaving in a perfectly reasonable manner but not when he accesses that system on, say, August 14.”

SIEM notices that the actions themselves are out of context; UBA notices that the user is behaving out of context. This can signal one of two things: either the individual has malicious intent, or an unauthorized user accessed the individual’s credentials. 

Either way, SIEM and UBA solutions together create a trail that allows the CISO to determine the cause of the breach and limit the damage of cyber-attacks.

Choosing a User Behavioral Analytics Software

As more organizations seek out UBA software, understanding how to evaluate those services becomes more important. According to Gartner, security analysts and risk managers should evaluate UBA solutions according to the following criteria:

  • Choose UBA vendors aligned to the threats you want to detect, such as malicious insiders and external hackers; and those with solutions that align with your use cases. 
  • Select software that fills a gap in your existing security tools (for example, security event monitoring).
  • Define use cases clearly and be prepared to confirm those use cases through extensive proof-of-concept scenarios before choosing a vendor.
  • Identify required data sources that can be provided to UBA solutions, which is critical for successful implementation and use in production.
  • Favor UBA vendors that profile multiple entities (including users), their peer groups and devices, and those who use machine learning to detect anomalies. These features enable better detection of insider threats that might otherwise go unnoticed.
  • Don’t expect UBA to replace the need for people with domain and organizational knowledge. Resources are still required to configure and tune the UBA tools, and to validate potential incidents detected by the tools.

Different Types of UBA Software

It’s also important to note that UBA software can be offered in two different ways:

First, UBA can work as a standalone product that focuses solely on UBA. It looks at the user’s data, IP address, app, and network behaviors. After setting a baseline, the UBA application continues to analyze, detect, prioritize, and respond to those behaviors that are outside of the norm. 

UBA can also work as a product feature added to SIEM. In this way, it looks at security information and event management within the normal process of network traffic. It then analyzes employee behavior within the identity, access governance, and privileged access management realms to detect and respond to anomalies. 

In other words, this isn’t true UBA, but rather, UBA functionality within another analytics application that has UBA capability.

Gartner theorizes that standalone UBA platforms will ultimately overtake SIEM software that incorporates UBA as functionality. This is because standalone UBA can pinpoint threats and sound the alarm across multiple monitoring systems, so therefore it’s more likely to evolve along with the technology and algorithms that do this best.

Questions to Ask Your Software Vendor

Security software firm Rapid7 has a series of questions one should ask a UBA vendor before making a final decision. 

  • Is the solution standalone, or does it need another service to supplement? 
  • Can it detect cloud service attacks?
  • Does it include an option to deploy endpoint agents, or does it require additional hardware? 
  • Do the analytics run in real-time? 
  • Are statistical models for baselining and machine learning used? 
  • How does the software detect attacker tools? 
  • Can the alerts be customized?
  • When the software investigates and prioritizes information, how is additional context presented? 
  • Can customized dashboards and analytics be built? 
  • How does data search work? 
  • Does it allow integration with IAM, DLP, and Incident Response or Security Orchestration Automation and Response (SOAR) tools? This is especially important when considering your risk management environment holistically, which we’ll cover at the end of this post.

What Are The Drawbacks to UBA Software?

Privileged users. Privileged users such as system administrators or developers are a tricky challenge for UBA because their job functions often require irregular behaviors. This means it’s difficult for the algorithms to create a baseline. While statistical analyses are useful for most employees, it may not be effective for privileged users whose access needs to be monitored more carefully. 

Low and slow data breaches. UBA is less adept at tracking sophisticated, long-term “low and slow” attacks, where changes in behavior are more rare or subtle.

Built-in human bias. Moreover, UBA brings all the same drawbacks that any machine learning brings. Users don’t understand why the neural net determines a feature to be important. If there is a built-in human bias or corrupted data, then machine learning profiles will reflect this. 

UBA is more reactive than proactive. The purpose of UBA is to detect anomalous behavior. By definition, that makes UBA more reactive to something already happening, rather than proactive to prevent something from happening. So UBA may be more appropriate as a response to track a breach to its origin than as a prophylactic.

That doesn’t mean that user behavior data can’t be analyzed to find opportunities to strengthen defenses proactively. For example, UBA can be used to determine whether access and authentication policies work as intended or should be updated. It can also identify potential areas of risk around shadow IT assets so the security team can take action. It can help make user awareness education more targeted and impactful.

While these drawbacks are something to consider, also remember that machine learning is improving all the time. These drawbacks are likely to fade (and eventually vanish) over time.

The Top 10 UBA Software 

With so many different UBA products on the market, deciding on one may be difficult. Besides looking at how the algorithms work, security professionals need to understand the way that the program will integrate with the other security systems in your IT infrastructure, as well as the user experience they provide. Here are 10 of the most popular UBA tools available.

  1. Bottomline Technologies

  2. Cynet

  3. Dtex Systems

  4. Exabeam

  5. Forcepoint

  6. Gurucul Risk Analytics

  7. Microsoft Azure

  8. Preempt

  9. Rapid7

  10. Splunk

Holistic Risk Management

As we mentioned earlier, it’s important to evaluate your UBA software for integration potential. No one-size-fits-all solution exists, so it’s essential to choose a complementary set of tools that best suits your organization’s enterprise risk management needs and can protect you against the threats identified during your risk analysis.

ZenGRC for Enterprise Risk Management

ZenGRC helps you identify risks by analyzing your systems and filling information security and compliance gaps. It then helps you to prioritize those risks so your team can get to work defining the controls that will mitigate those risks. 

Its user-friendly dashboards allow you to see the status of each identified risk, as well as what must be done to mitigate it, in order of priority. It also creates an easy-to-understand audit trail of your risk management activities and retains all of your documentation in a central repository for easy access in the event of an audit. 

With ZenGRC, risk management is fast and efficient, which allows you and your team to focus on growing your business. Simplified risk management is the Zen way! 

Contact us now for a free consultation and demo of ZenGRC today.

Forrester 2021 Predictions

· ·

Accelerating out of the Crisis

The COVID-19 pandemic changed how companies do business in fundamental ways. Digital companies, remote workforces, and others that had prioritized digital transformation, cloud technology, and ‘agile’ strategies were well-equipped to endure the strains of 2020. Companies that hadn’t prioritized a digital strategy were not.

Now Forrester Research has released its predictions for 2021. The central theme:  Digital transformation will only accelerate, with a strong emphasis on what Forrester calls “the Five Ps”— products, practices, platforms, partners, and places. 

Forrester’s 2021 Predictions Report includes:  

Products

Businesses must change their business models and customer relationships to include digital products and services. As one line from the report says: “By the end of 2021, we expect 30 percent of Global 2000 companies to have a significant digital product portfolio, and 20 percent to stand up digital divisions dedicated to launching disruptive products to accelerate their transformation to full ecosystem participation.”

Business practices

In 2021, being a part of a digital ecosystem and using ‘agile’ methods to digitize — segmenting the process into smaller, more manageable phases for quick action, continual adaptations, cross-departmental collaboration, and fast-as-possible results — will be essential for business operations and IT success. As a part of digitization, Forrester expects half of all enterprises to move their business-critical operational apps, and all “experience apps,” into the cloud.

Platforms

In 2020, many enterprises adopted digital operations platforms (DOPs) to help them use artificial intelligence and automation, and to develop software using the ‘agile’ method. Next year, vendors will develop more DOPs and bridging systems tailored to industry-specific needs. Doing so should accelerate the shift to digital and help businesses operate more efficiently. 

Partners

The pandemic forced many changes on businesses, pressuring executives even more than usual to get the biggest bang for their business buck. In 2021 businesses will consider every digital project in light of the broader ‘ecosystem’ with which it connects — the systems of its business partners, suppliers, clients, and customers. Providers will increase their use of ‘outcome-based pricing,’ pricing their products according to perceived value rather than the costs of producing them. 

Places

Businesses will greatly expand the availability of their products and services, but will focus chiefly on their own e-commerce sites, Amazon, and Facebook. Furthermore, businesses will invest marketing dollars in personalized customer experiences and digital content management, and will also buy augmented- and virtual-reality solutions. 

2021 and Cybersecurity Risk

One of the most challenging aspects of business digitization is cybersecurity. As malicious actors constantly switch tactics, so must CISOs, working with security staff to adjust quickly to changing circumstances.

The 2020 shift to a remote-work model, coupled with increases in cloud adoption, brought new threats and a new emphasis on resilience, which is the ability to keep critical business services running even amid disruption to business systems.

Organizations expecting to return to “business as usual” in 2021 will be disappointed: We won’t quite get there next year.

Increased telecommuting coupled with potentially disgruntled employees spells an increase in “insider” cybersecurity threats. This year, about 25 percent of data breaches are inside jobs. Forrester predicts an uptick to 33 percent in 2021. 

Good governance, risk management, and compliance software such as ZenGRC can help companies prepare for the rise in cybersecurity risks and add needed controls to help prevent incidents and stay compliant with regulations and industry standards.

The year 2020 has already been very stressful for business, including in cybersecurity. And 2021 promises new and different risks and threats as well as increases in those we’re seeing now. Amid all the changes forecast in the Forrester Report, the need for great cybersecurity risk management is a constant that never goes away.

Download the Forrester 2021 Predictions Report Here

Improve Workflow Collaboration with Slack Integration for ZenGRC

· ·

Not long ago, we’d say “slack” to describe not working, as in “slacking on the job.” With the advent of the Slack app, though, the term has become synonymous with productivity.

And Slack’s ability to work in tandem with hundreds of applications makes this popular team communication and collaboration tool even more useful.

Everyone is a Slack user, it seems, collaborating with team members on their own Slack channel, sending and receiving direct messages in real-time on private channels or public channels, sharing files and updates, engaging in Slack conversations using @ mentions, and more. 

Making the popular project management platform even more useful is the Slack integration page, which cites a long list of applications with which it integrates. What’s more, solutions including ZenGRC offer full integrations with many other apps and software services.

How Slack Integration Works

Integrations let people use other applications while in Slack. For instance, they can share a Dropbox document or Google Doc without having to leave their Slack workspace

Slack works with many popular calendars to let users schedule meetings in-app, and the “Slackbot” notifies users when those meetings are coming up.

Slack integrates with marketing apps such as Google Analytics and HubSpot to let users incorporate and track their campaigns, and communicate results for team collaborations.

And Slack is customizable. Features such as incoming webhooks let users post from other apps directly into the application for seamless communication with Slack teams.

Popular Slack integrations include:

  • Jira, a cloud-based application management platform
  • Salesforce, a customer relationship management (CRM) solution
  • Oauth, for secure authentication/authorization 
  • Github, a software development platform
  • Trello, for workflow tracking and project management
  • ZenGRC, for governance, risk management, and compliance

ZenGRC Integrates With Slack

Risk and compliance teams collaborating using Slack will find ZenGRC to be a godsend. ZenGRC lets you track and manage GRC projects from inception to audit and beyond, with two-way communications to keep team members always apprised of Slack collaborations for better risk management and compliance monitoring across projects and teams.

At audit time, ZenGRC pulls documents and communications from your application stack and places them in a “Single Source of Truth” audit-trail repository, eliminating the need to collect this information manually–a time-consuming task.

ZenGRC works not only with Slack but with many other popular workplace applications  including

  • Jira
  • ServiceNow
  • Dropbox
  • Box
  • Tableau
  • Centrify
  • Duo
  • Azure
  • Microsoft Active Directory Federation Services (ADFS)
  • OneDrive
  • OneLogin
  • Okta
  • Google Drive
  • Amazon S3
  • Qualys
  • Splunk
  • Aws

For apps not on this list, ZenGRC’s customizable APIs let your developers create integrations with ease, further enhancing your GRC program.

Automatic, continuous, and worry-free application integration, risk management, and compliance with regulations and standards is the Zen way. Contact us today for your free consultation.