• Category: Compliance Automation
  • Tags: NIST 800-53, AT-2, CM-3, AC-2

Challenge

It is common for people to talk about automating controls, but what do you do about non-technical controls that do not lend themselves to classic automation techniques? Many would simply say they can't be automated, but we believe that automation can help ensure the accuracy and timeliness of these controls.

For example, NIST 800-53 control AT-2 reads:

The organization provides basic security awareness training to information system users (including managers, senior executives, and contractors):

  • As part of initial training for new users;
  • When required by information system changes; and
  • [Assignment: organization-defined frequency] thereafter.

At first glance there doesn't seem to be a way to automate compliance with this non-technical control. The assessor would need to perform the data-gathering activity themselves: identify the system users and cross-reference those users against the training system.

Typically, once a year a designee is assigned to gather the training details for the system. This designee emails the members and requests that they reply with their training certificates showing that they have completed the Security Awareness Training within the past 12 months.

This is an extremely time-consuming process which consists of many manual steps:

  1. The designee emails the users requesting their training certificates
  2. The designee waits for responses to the data call and validates that training has been completed
  3. The designee monitors the list of users for those who have not responded to the data call
  4. The designee sends reminder emails periodically to the folks who have not responded
  5. Finally, once all the information is received the designee can mark the control as satisfied

Each one of these manual steps has potential failure points:

  1. The list of individuals could be incomplete
  2. Potential for error introduced via manual validation of dates
  3. Potential for error introduced via manual tracking of respondents
  4. The sending of reminder emails may be forgotten

Worst of all are the inefficiencies introduced into the workday of the staff:

  • The designee now must spend time baby-sitting the data call and responses instead of focusing on their core objectives
  • The staff required to produce the documentation must break from their day to manually respond to the data call

Solution

Looking at this process, there are many ways to improve it using the tools you already have deployed. While the control itself may not be technical, all the steps to validate compliance are performed by accessing and querying technical management components. As such, this process can benefit from automation.

The first improvement option concerns identifying the people in scope for the training requirement. With the manual approach this list is obtained either via another data call to the system administrators requesting the list of authorized users, or by sending the request to an email distribution list which may or may not match the actual list of authorized users.

This step can be automated by pulling authorized users from systems you already maintain, such as your GRC tool, Active Directory groups, or any other authorized user list (even a CSV would work!). Using this method, we can automate the push of emails or tickets to the relevant people to perform their training actions. This can be further enhanced by integrating with HR systems that hold data like hire date, ensuring that each user gets a request and reminders that align with their own annual training deadline.

The second improvement option concerns the data call to the staff themselves. Training results are stored in a Training Management System, so there is no need for staff to log into that system, search for their certificate, and email it. The Training Management System itself can be queried for the completion records, and the training dates evaluated to confirm that each user's training is current.

Best of all, this automation can be scheduled to run weekly or monthly, which has two benefits:

  • Continuous Monitoring of the control is now established
  • Any new users added are automatically notified of training requirements which satisfies AT-2(a)

As an example, the following is a high-level process that can be used for this in the real world.

  1. Query eMASS for components defined in System Boundary
  2. For each component:
    • Query authorization repository for each authorized user
    • For each authorized user:
      • Query the Training Management System
      • Validate current Security Awareness Training Report
      • Notify user if training report out of compliance
  3. Update eMASS with results
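The evaluation in the middle of this loop (steps 2 and 3 of the process above, and the user-list and training-system queries described earlier) is shown below as an added example; it is not Clockspring's code or any eMASS or training-system API. The authorized-user list and training records are constructed inline in place of the AD/GRC and Training Management System queries, every name is hypothetical, and the 30-day allowance for a new hire's initial training is an assumption (the 12-month window comes from the page).

```python
from datetime import date, timedelta

# Constructed sample data standing in for the authorized-user list (AD group, GRC tool or CSV)
# and the Training Management System's completion records. All names are hypothetical.
AUTHORIZED_USERS = [
    {"user": "alice", "hire_date": date(2023, 2, 1)},
    {"user": "bob", "hire_date": date(2023, 1, 15)},
    {"user": "carol", "hire_date": date(2024, 3, 1)},   # hired two weeks before the run
    {"user": "dave", "hire_date": date(2022, 9, 1)},
    {"user": "frank", "hire_date": date(2023, 12, 1)},  # never completed initial training
]
TRAINING_RECORDS = {
    "alice": [date(2023, 2, 3), date(2024, 1, 20)],   # latest completion is recent
    "bob": [date(2023, 2, 20)],                        # more than 12 months old
    "dave": [date(2022, 9, 5), date(2023, 9, 1)],
    "erin": [date(2024, 3, 1)],                        # not an authorized user; ignored
}

TRAINING_WINDOW = timedelta(days=365)  # the "within the past 12 months" the data call asks for
NEW_USER_GRACE = timedelta(days=30)    # assumed allowance for initial training after hire

def latest_completion(records, user):
    dates = records.get(user, [])
    return max(dates) if dates else None

def evaluate_user(entry, records, as_of):
    """Return (status, latest_completion_date) for one authorized user as of `as_of`."""
    latest = latest_completion(records, entry["user"])
    if latest is None:
        # No record at all: still inside the new-hire allowance, or genuinely missing.
        if as_of - entry["hire_date"] <= NEW_USER_GRACE:
            return "pending_initial", None
        return "missing", None
    if as_of - latest <= TRAINING_WINDOW:
        return "compliant", latest
    return "expired", latest

def run_at2_check(users, records, as_of):
    """Evaluate every authorized user; return per-user results, who to notify, and a summary."""
    results = {u["user"]: evaluate_user(u, records, as_of) for u in users}
    notify = sorted(u for u, (status, _) in results.items() if status != "compliant")
    compliant = sum(1 for status, _ in results.values() if status == "compliant")
    summary = {"as_of": as_of.isoformat(), "total": len(users), "compliant": compliant}
    return results, notify, summary

if __name__ == "__main__":
    results, notify, summary = run_at2_check(AUTHORIZED_USERS, TRAINING_RECORDS, date(2024, 3, 15))
    for user, (status, latest) in results.items():
        print(f"{user:6} {status:16} {latest}")
    print("notify:", notify, summary)
```

The `notify` list is what step 2 would hand to the email or ticketing integration, and `summary` plus the per-user results are the evidence written back to the GRC tool in step 3.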

This idea can be applied across many different controls to ensure that the manual actions are actually being completed:

  • CM-3 - Configuration Change Control: You are already managing changes related to your Information Systems, but collecting the evidence quarterly (or at whatever period the organization defines) can be a real pain. Why not have Clockspring get your system inventory from your GRC tool, query your change request system (ServiceNow or similar), collect all Change Requests associated with assets in your system inventory, then update your GRC tool with the evidence that these were complete?

  • AC-2 - Account Management: AC-2 states that accounts must be reviewed on an organization-defined basis to ensure that each account is still needed. Clockspring can create account review tickets in your ticketing system that align with your policy and assign each ticket to the proper resource for evidence. The system can also track the ticket and send reminders if actions haven't been completed in a reasonable time. You can then automatically pull a report from your ticketing system and feed it to your GRC tool without spending any time collecting that information.

Impact

The above examples are only the tip of the iceberg as to how automation can help with non-technical controls in your enterprise. When preparing for a compliance audit, being able to prove that each of these activities happened in a timely manner is invaluable. Stop wasting time correlating data you already have in other systems, and let Clockspring keep your systems in sync and ensure that your non-technical tasks are being completed.

Clockspring produces integrations such as this in as little as a day, yielding a near-instant ROI versus manual validation. Even better, the potential errors from manual processing and validation are removed as well, giving you greater confidence that this control is not only satisfied but also monitored in an ongoing manner.
