Security Vision Compliance Management capabilities

01.07.2024

Security Vision Compliance Management offers tools for checking compliance with standards and best practices, covering the organisation as a whole, as well as individual business assets, divisions, business processes or other infrastructure elements. The system provides flexibility in the choice of assessment methodology, giving you the option to use standards from the suite of expertise or apply your own methodologies. Thanks to the platform, the valuation process becomes automated, which significantly reduces the number of routine operations. This allows for more efficient collection and processing of information, combining all necessary data in one window for easy access and analysis. The product also offers functionality to automatically collect data from endpoints, devices, or data sources, perform calculations using predefined methods, and automate compliance filling (auto-compliance).


Figure 1. Security Vision Compliance Management

1. Introduction


Compliance management in cybersecurity is a comprehensive process for verifying compliance with regulations, standards and legislation aimed at ensuring information security and data protection. This process covers assessing whether an organisation's information systems, processes and other elements are compliant with established standards and regulations, and taking action to correct identified non-compliances. It is important to emphasise that compliance management includes not only technical aspects of security, but also legal and regulatory requirements such as personal data protection and information privacy.


The process of assessing the compliance of information systems and organisations involves analysing the current state, identifying potential risks and vulnerabilities, and checking for compliance with established data security standards. This process may include conducting information security audits, penetration testing, analysing security policies and access control procedures. Once the assessment is complete, remedial actions should be developed and implemented to address identified non-compliances and ensure compliance with established security standards.


In this context, Security Vision Compliance Management is a specialised tool designed to simplify the information security compliance assessment process. This product allows you to effectively analyse and control the compliance of information systems with security requirements, providing a comprehensive approach to data protection and threat prevention.


2. Security Vision Compliance Management functionality


2.1 Register of standards and requirements


Security Vision Compliance Management is a comprehensive solution for managing information security standards and requirements. It includes a wide range of functionality aimed at maintaining a registry of standards, frameworks and best practices. The product implements the most widely used standards, such as FSTEC Orders 17, 21, 31, 239, GOST 57580, Bank of Russia Regulation No. 716-P, Federal Law No. 152, Federal Law No. 63-FZ, PCI DSS 4.0, GOST ISO/IEC 27001, NIST Cybersecurity Framework 2.0, CIS Critical Security Controls, and other regulatory documents.


Users are given the option to create their own standards or conduct a self-assessment procedure, combining requirements from existing ones or developing their own, which provides flexibility and adaptation to the specific needs of the organisation.


The expertise package built into the product is regularly updated by Security Vision's methodologists to ensure that it is up-to-date and compliant with all changes in standards and guidance documents.


A special feature of Security Vision Compliance Management is the completeness and detail of the standard card, which displays the number of domains with grouping of requirements. Users can see the time sequence of running assessment processes according to the standard, as well as the total number of assessments performed, which greatly simplifies the control and management of compliance.


The system provides the ability to use both typical preconfigured response options (e.g., ‘Not Applicable’, ‘Not in Compliance’, ‘Partially in Compliance’, ‘In Compliance’) and to add your own options with weighting adjustments and fine-tuning of the mechanics for the final calculation of compliance scores. This allows you to accurately determine compliance and easily manage the results of the assessments.


In this way, Security Vision Compliance Management provides transparency and convenience in compliance assessments, giving users all the tools they need to effectively manage information security standards.


2.2 Resource-Service Model


The basis for the product is the resource-service model, which includes the functionality of reproducing the information model of the enterprise, starting from the fundamental entities that the business operates with (e.g. Business Processes, which provide functional activities of the company) and ending with technical assets, which are the necessary resources for the realisation of business assets.


Figure 2: Resource and Service Model

The key business objects of the resource-service model are:


- Business Process

- Product

- Supplier

- Premises

- Equipment (technological)


Each object has its own set of attributes with the ability to edit and configure relationships with other objects in the organisation. In general, objects are related to each other in a hierarchical way according to the developed data model. In this way, the principle of dependence of one entity on another is taken into account (for example, a business process may be completely dependent on the functioning of a certain information system). Due to the visual representation in the form of a graph, it is possible to trace the relationships between entities to the level of detail required.
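To make the dependency tracing concrete, here is an added Python example (not Security Vision's code; the object kinds, names and dependency edges are constructed for illustration). It builds a small resource-service graph from business objects down to technical assets and traces it in both directions, with an optional depth limit for the level of detail required:

```python
"""Toy resource-service model: a dependency graph from business objects
down to technical assets, with transitive tracing in both directions.

Added illustration, not Security Vision's code. Object kinds, names and
dependency edges below are constructed for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Node:
    kind: str   # e.g. "Business Process", "Information System", "Server"
    name: str


class ResourceServiceModel:
    def __init__(self) -> None:
        self._depends_on = defaultdict(set)   # node -> nodes it cannot run without
        self._needed_by = defaultdict(set)    # reverse edges: node -> nodes relying on it
        self.nodes = set()

    def add_dependency(self, dependent: Node, dependency: Node) -> None:
        """Record that `dependent` depends on `dependency`."""
        self.nodes.update((dependent, dependency))
        self._depends_on[dependent].add(dependency)
        self._needed_by[dependency].add(dependent)

    def _walk(self, start: Node, edges, max_depth: Optional[int]) -> Dict[Node, int]:
        """Breadth-first walk; returns reachable nodes with their distance from start."""
        reached: Dict[Node, int] = {}
        queue = deque([(start, 0)])
        while queue:
            node, depth = queue.popleft()
            if max_depth is not None and depth >= max_depth:
                continue
            for nxt in edges[node]:
                if nxt not in reached and nxt != start:
                    reached[nxt] = depth + 1
                    queue.append((nxt, depth + 1))
        return reached

    def impacted_by(self, asset: Node, max_depth: Optional[int] = None) -> Dict[Node, int]:
        """Everything that transitively relies on `asset` (upward trace)."""
        return self._walk(asset, self._needed_by, max_depth)

    def requires(self, obj: Node, max_depth: Optional[int] = None) -> Dict[Node, int]:
        """Everything `obj` transitively relies on (downward trace)."""
        return self._walk(obj, self._depends_on, max_depth)


def build_sample_model() -> ResourceServiceModel:
    """Constructed sample landscape: product -> process -> system -> servers -> premises."""
    m = ResourceServiceModel()
    card = Node("Product", "Retail card")
    payments = Node("Business Process", "Customer payments")
    onboarding = Node("Business Process", "HR onboarding")
    core = Node("Information System", "Core banking")
    hr = Node("Information System", "HR portal")
    vendor = Node("Supplier", "Core banking vendor")
    dc = Node("Premises", "Data centre A")
    for dependent, dependency in [
        (card, payments),
        (payments, core),
        (onboarding, hr),
        (core, Node("Server", "db-01")),
        (core, Node("Server", "app-01")),
        (core, vendor),
        (hr, Node("Server", "app-02")),
        (Node("Server", "db-01"), dc),
        (Node("Server", "app-01"), dc),
        (Node("Server", "app-02"), dc),
    ]:
        m.add_dependency(dependent, dependency)
    return m


def impacted_business_processes(model: ResourceServiceModel, asset: Node) -> list:
    """Names of business processes that would be affected if `asset` failed."""
    return sorted(n.name for n in model.impacted_by(asset) if n.kind == "Business Process")


if __name__ == "__main__":
    model = build_sample_model()
    for node, dist in sorted(model.impacted_by(Node("Server", "db-01")).items(), key=lambda kv: kv[1]):
        print(f"{dist}: {node.kind} / {node.name}")
    print("Processes affected by the data centre:",
          impacted_business_processes(model, Node("Premises", "Data centre A")))
```

The upward trace from a single server answers the question a compliance or continuity assessment actually asks ("which business processes does this asset underpin?"), while the downward trace from a business process lists the assets whose compliance feeds into that process's score.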


Figure 3: Relationship graph of the resource-service model

This functionality provides a comprehensive assessment of the compliance of different assets and organisations, giving a holistic view of security.


2.3 Protection Measures


Assets loaded into the system can be linked to protection measures, and on that basis the system automatically generates a top-level compliance assessment for the entire company. This means that not only individual infrastructure elements are evaluated, but also their overall impact on the security of the company.


Figure 4: Protection measures tree


The protection measures pre-integrated into the system are categorised into groups based on the FSTEC database. There is also a ‘My Measures’ group where users can add their own protection measures. Each of the measures has a short and a full card detailing the requirements covered. This makes it easy for users to track compliance with standards and regulatory requirements.


Additionally, custom protection measures can compensate for some FSTEC-mandated measures by implementing specialised information systems such as SOAR, SIEM, anti-virus protection tools and others. A complete protection measure card shows the status of its implementation in different organisations and facilities, allowing companies to effectively monitor and manage the implementation of protection measures at all levels of infrastructure and operations.


In this way, Security Vision Compliance Management provides tools to integrate and manage security measures, simplifying the compliance process and improving the overall defence of the enterprise.


2.4 Assessment Process and Questionnaires


In Security Vision Compliance Management, the assessment process is fully automated, making it much simpler and faster. Unlike the classic approach, where auditors have to gather information manually through personal interviews, review of documentation and observation of processes, automation allows for a significant reduction in time and effort.


The classic method requires manual completion of survey forms or interviews with employees from various departments. This is a labour-intensive process that can drag on for a long time. In Security Vision Compliance Management, automation is realised through the generation of questionnaires, which allows efficient collection of information from various departments and executives. This process is monitored in real time, so auditors are able to track the status and progress of questionnaires, quickly assess the compliance of the object with the requirements of the standard and quickly respond to identified problems.


In the classic approach, after collecting information, auditors manually analyse the data, which also requires considerable effort and time. However, using Security Vision Compliance Management tools allows you to automate the collation of all data into a single scorecard. Based on this card, an action plan template is automatically created to bring the assessment object into compliance.


The system sends notifications on all transitions in the life cycle statuses of both assessment processes and questionnaires to the usual communication channels for the organisation: mail, Telegram and others.


The system also provides the possibility of auto-compliance through automatic data collection from endpoints, devices or accounting systems (e.g. CMDB or Asset Management), automatic calculations according to specified methods and filling in compliance with one or another requirement.


Based on the results of the performed analytics, the system displays the current level of compliance of the assessed object with the audited requirements and the target level of compliance taking into account the planned measures.


As a result, the assessment report generated with the help of the automated Security Vision Compliance Management system turns out to be more detailed and operative compared to the report created manually. Thus, automation not only improves the accuracy and speed of the assessment, but also allows professionals to focus on more complex and important aspects of their work.


Figure 5. Full card of the Questionnaire in the ‘In Progress’ status

2.4.1 Action plans to achieve the target level


The information systems assessment process not only identifies outstanding requirements, but also generates an action plan to fulfil them. As part of this process, Compliance Management automatically generates compliance tasks and tracks their execution in external systems.


A key aspect is the link between the status of the task and the status of the protection measure: when the task is completed, the protection measure is moved to the ‘Implemented’ status and is included in subsequent assessment processes. This approach facilitates continuous improvement of the security system, ensuring that the target compliance level is effectively achieved.


This integrated approach not only increases the level of protection of information systems, but also improves the manageability of the process of bringing them into compliance with best practice and regulatory requirements, which in the absence of SGRC class systems is quite labour intensive and difficult to manage.


2.5 Role Model and MSSPs


To manage the compliance assessment process, a flexible role model is implemented in the product that allows differentiating access to each type of object, field or attribute. Security Vision Compliance Management contains the necessary number of settings that allow adapting the process for both small companies and large holdings, taking into account the organisational structure of the Customer's subsidiaries and parent branches.


Each role has its own set of actions, available data, reports and dashboards, as well as its own menu and display settings. Multiple roles can be assigned to a user, in which case the user will have the authority of all assigned roles.


If necessary, an unlimited set of roles can be created and each role can have its own accessibility settings for each object of the system. All settings are performed through the constructor included in the platform.


The product supports multitenancy and can also be used under the MSSP model.


2.6 Analytical engine for reporting and visualisation of compliance levels


Security Vision Compliance Management offers easy-to-use data visualisation tools for real-time analysis of the assessment process at various stages and in a variety of formats. These tools make audit monitoring transparent and efficient.


The following preconfigured dashboards are available to users:


1. Analytical Dashboard: Allows users to select start and end dates for viewing statistics on assessment processes and questionnaires for the selected time period.


Figure 6: Analytical Dashboard

2. Strategic Dashboard: Allows you to set a threshold compliance percentage against which statistics are displayed. Information on questionnaires and requirements in general is available.


3. Operational Dashboard: Provides detailed statistics on assessment processes and questionnaires based on their current statuses. Also displays compliance percentage by questionnaire and assessment processes.


4. Map: Displays the integral compliance score of the organisation based on the results of all assessment processes conducted, taking into account the location of the office on the map.


These tools allow users to effectively monitor the assessment process, enabling rapid response and decision-making based on up-to-date statistical information.


All dashboards are automatically updated and interactive: the user can drill down into the required data slice and see the source for calculating a particular indicator, as well as filter the data by tracked organisations or departments, or view the results as a whole.


Security Vision Compliance Management comes with preconfigured reports that allow you to export data both by individual system objects (resource and service model objects, assessment processes, questionnaires, etc.) and as summary reports that contain consolidated information. Any report can be exported from the system manually or generated automatically according to a set schedule and sent via the required communication channel (e.g. mail, Telegram, file folder, etc.).


In addition to preconfigured visualisation and reporting forms, Security Vision Compliance Management provides the ability to customize reports and dashboards through a flexible no-code builder. The editor allows you to develop custom indicators without using design and layout tools and display them in reports and dashboard widgets as different types of views.


Figure 7. Map

3. Security Vision Compliance Management use cases


3.1 Maintaining a register of compliance standards


Standards can be created either through the system interface or by importing them from a file. After the entered data is saved or imported from a file, the standard goes to the ‘Draft’ status, where the analyst can continue filling it in.


When the analyst completes filling in the standard, it is switched to the ‘Active’ status. If the standard is in the ‘Archived’ status, it can be returned to the ‘Active’ status.


Figure 8. Full card of the Standard


The process of adding substandards to a full standard card provides an opportunity to structure regulatory documents into smaller categories according to their specifics. For example, FSTEC Order No. 21 can be divided into several child substandards, each focusing on specific aspects of regulation. These substandards can only be added and deleted within the full standard card.


In the Objects to be assessed field, you can specify not only the organisation, but also other entities that will be assessed using the standard. This allows you to consider a variety of activities and the impact of the standard on different components of the security system. It is also possible to set your own assessment scale and offer different response options, which facilitates a more accurate and flexible assessment of compliance.


This approach provides flexibility and accuracy in assessing compliance with the standard, allowing security processes to be effectively structured and managed at different levels of the organisation.


Figure 9. Full Requirement card



3.2 Linking assets and protection measures


Assets loaded into the system can be linked to protection measures, which automatically provides a top-level assessment of their compliance across the company.


Figure 10. Full card of a custom Protection Measure


The security measure summary card contains the basic requirements corresponding to a specific user measure. It provides a brief description of what actions or settings are required to implement the security measure.


The full protection measure card, on the other hand, is a more detailed description. It includes information about the current implementation status of the protection measure in different organisations or sites. The user has the ability to add child protection measures, which is done by clicking on a special button in the full card. The added subsidiary measures are displayed in the lower part of the card, which contributes to improving the structure and detailing of information on protection measures.


This approach ensures that the data on protection measures is systematised and organised, making it accessible and understandable for the users of the system.


3.3 Implementation of safeguards


As part of the questionnaire evaluation, full or partial compliance is identified. If violations or deficiencies of the requirements are identified, tasks are created to implement the corresponding protection measures. This process is only possible after all questionnaires have been completed.


A new tab ‘Action Plan’ is provided to manage the implementation of protection measures. This tab will display the requirements that have not been fulfilled completely or at all. For each such requirement, the user can create a task to implement the corresponding protection measure. It will also show how the compliance indicator will change after the implementation of a particular protection measure, which will allow modelling and more accurate planning of tasks and deadlines for their implementation.
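The scoring mechanics described across the page (the weighted response options of section 2.1, the current versus target level of section 2.4, the task-to-measure status link of section 2.4.1 and the per-measure impact shown on the Action Plan tab here) can be worked through in a few lines. The following Python is an added example, not Security Vision's code: the response option names are the ones the page lists, but their weights, the requirement and measure identifiers and the sample answers are constructed assumptions.

```python
"""Weighted compliance scoring with an action-plan projection.

Added illustration, not Security Vision's code. The response options are
the ones named on the page; their weights, the requirement and measure
identifiers and the sample answers are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

# Weight of each response option; None means the requirement is dropped
# from the denominator entirely.
RESPONSE_WEIGHTS: Dict[str, Optional[float]] = {
    "In Compliance": 1.0,
    "Partially in Compliance": 0.5,
    "Not in Compliance": 0.0,
    "Not Applicable": None,
}


@dataclass(frozen=True)
class Requirement:
    req_id: str
    domain: str
    response: str
    measure: Optional[str] = None   # protection measure that covers the requirement
    weight: float = 1.0             # per-requirement weight in the final score


@dataclass(frozen=True)
class Task:
    measure: str
    status: str                     # "New", "In Progress" or "Completed"


def compliance_score(reqs: List[Requirement]) -> Tuple[Dict[str, float], float]:
    """Compliance percentage per domain and overall (weighted, NA excluded)."""
    got: Dict[str, float] = defaultdict(float)
    base: Dict[str, float] = defaultdict(float)
    for r in reqs:
        w = RESPONSE_WEIGHTS[r.response]
        if w is None:
            continue
        got[r.domain] += r.weight * w
        base[r.domain] += r.weight
    per_domain = {d: round(100 * got[d] / base[d], 1) for d in base}
    overall = round(100 * sum(got.values()) / sum(base.values()), 1) if base else 0.0
    return per_domain, overall


def action_plan(reqs: List[Requirement]) -> List[Requirement]:
    """Requirements that are not (fully) met and therefore need a task."""
    return [r for r in reqs if r.response in ("Not in Compliance", "Partially in Compliance")]


def with_measures_implemented(reqs: List[Requirement], measures: set) -> List[Requirement]:
    """Model the effect of implementing `measures`: each applicable requirement
    they cover is treated as 'In Compliance'."""
    return [
        replace(r, response="In Compliance")
        if r.measure in measures and RESPONSE_WEIGHTS[r.response] is not None
        else r
        for r in reqs
    ]


def measure_impact(reqs: List[Requirement]) -> Dict[str, float]:
    """Gain in overall compliance (percentage points) from implementing each
    outstanding measure on its own, as an Action Plan view would show."""
    _, current = compliance_score(reqs)
    result = {}
    for m in sorted({r.measure for r in action_plan(reqs) if r.measure}):
        _, projected = compliance_score(with_measures_implemented(reqs, {m}))
        result[m] = round(projected - current, 1)
    return result


def reassess(reqs: List[Requirement], tasks: List[Task]) -> Tuple[float, float]:
    """(current, target): current counts only measures whose task is completed
    (the measure moves to 'Implemented'); target assumes the whole plan is done."""
    done = {t.measure for t in tasks if t.status == "Completed"}
    planned = {t.measure for t in tasks}
    current = compliance_score(with_measures_implemented(reqs, done))[1]
    target = compliance_score(with_measures_implemented(reqs, planned))[1]
    return current, target


def sample_requirements() -> List[Requirement]:
    """Constructed questionnaire answers for two domains."""
    return [
        Requirement("R1", "Access control", "In Compliance", "M-AC-1"),
        Requirement("R2", "Access control", "Not in Compliance", "M-AC-2"),
        Requirement("R3", "Access control", "Partially in Compliance", "M-AC-2"),
        Requirement("R4", "Logging", "In Compliance", "M-LOG-1"),
        Requirement("R5", "Logging", "Not Applicable", "M-LOG-2"),
        Requirement("R6", "Logging", "Not in Compliance", "M-LOG-3", weight=2.0),
    ]


if __name__ == "__main__":
    reqs = sample_requirements()
    print("Per domain / overall:", compliance_score(reqs))
    print("Impact per measure:", measure_impact(reqs))
    print("Current / target:", reassess(reqs, [Task("M-AC-2", "Completed"), Task("M-LOG-3", "New")]))
```

Two details matter in practice: ‘Not Applicable’ answers must leave the denominator, otherwise an organisation is penalised for requirements that do not apply to it, and a measure that covers several requirements (M-AC-2 here) should show its combined effect so that the plan is ordered by real gain rather than by task count.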


A complete task card provides the necessary actions, including changing the responsible person and fulfilling the stages of the task lifecycle. This ensures effective management of the implementation of protection measures to ensure compliance with security standards.


The described functionality allows you to systematise and manage the implementation of security requirements, improving the overall security of your organisation's data and systems.


Figure 11. Complete Protection Measures Implementation Tasks card

3.4 Conformity assessment


The conformity assessment process can be carried out either manually, by filling in questionnaires, or in an automated format, taking into account the applied protection measures of specific information systems or other objects of assessment, as well as the results of previous audits.


The assessment can be carried out both at the enterprise-wide level and at the level of specific information systems, with a visual display of current progress. For each selected object, appropriate questionnaires are created. To do this, the corresponding attribute must be set in the evaluation process card. In addition, it is possible to create questionnaires for each domain, where there will be a separate questionnaire for each requirement.


Figure 12. Full card of the Evaluation Process in the ‘New’ status

Once the assessment process has been created, questionnaires need to be developed and responsible staff assigned. A table showing the submitted questionnaires will be available on the evaluation process card, making it easy to navigate to the selected questionnaire for completion or correction.


Each completed questionnaire must be reviewed and accepted or returned for revision if the responsible staff member has filled it out incorrectly or provided parameters that were not agreed upon.


Figure 13. Full card of the Evaluation Process in the status ‘Evaluation’

Based on the completed questionnaires, the results of the assessment are calculated, which enables the formation of an action plan to achieve the target safety level. This plan also allows tracking the progress of tasks to achieve the planned level of compliance.


This approach systematises information security management, ensuring consistent compliance with standards and effective response to identified vulnerabilities or non-compliances. Assessment and action planning become key tools to ensure the reliability and protection of an organisation's information resources.


Figure 14. Full card of the Assessment Process - Action Plan tab

4. Architecture


The system architecture is a centralised solution with a single component to manage all hardware.


Various configuration options are possible, such as All-in-One, where all system components are located on a single physical server or virtual machine. This approach is suitable for most use cases.


Particular attention is paid to scalability and distribution by installing individual components on several separate servers (usually 2 or 3) depending on specific needs, e.g. the database or connector server can be placed on a separate server. This is especially relevant if it is necessary to place the connector for interaction with external systems in isolated segments of the Customer's infrastructure, with the use of firewalls and without direct network connection to the main database of the system.


It is also possible to build a fault-tolerant architecture and to configure replication of any of the system components. In addition, the system is fully supported to run from a container.


Architectural features of the offering include:


1. Separate connector server: a dedicated server for integration with external systems is provided, eliminating the need for direct access to the main database.

2. Secure communication protocols: all system components communicate using secure network protocols, ensuring safe data transfer.

3. Administrative access: administrative access to each component of the system is provided, which allows you to effectively manage and configure their operation.


5. Security Vision Compliance Management delivery scenarios


5.1 On-Premise


The standard delivery scenario includes the deployment of the infrastructure on the Customer's premises. This scenario provides full control over data and systems, ensuring a high level of security and compliance with internal company requirements.


5.2 SaaS


Compliance Management is also delivered as a service on a subscription basis. This approach offers automation of compliance assessment processes or self-assessment for any area of the company's activities without the need to install the solution in the company's own infrastructure.


The SaaS service is ideal for projects that require a high speed of implementation and minimal infrastructure and labour costs. It eliminates the need to deploy and configure the platform, which significantly speeds up the launch of compliance assessment procedures and reduces costs. In addition, the service distributes load, including the operation of the product itself, which makes assessments faster and more cost-effective.


6. Regulatory Compliance


Security Vision Compliance Management is included in the register of domestic software (Record #364 dated 08.04.2016) and certified by FSTEC according to confidence level 4 (FSTEC Certificate of Conformity #4574 dated 02.09.2022).


In addition, the product meets the requirements of the Quality Management System GOST R ISO 9001-2015 and Information Security Management System GOST R ISO/IEC 27001.


Also Security Vision Compliance Management has the certificate of conformity of the OAC under the President of the Republic of Belarus No. BY/112 02.02. TR027 036.01 00492 dated 05 August 2022 (according to the requirements of the technical regulation TR 2013/027/BY).


7. Conclusions


Security Vision's Compliance Management solution is a powerful tool for ensuring deep control of information security in companies. It provides the ability to automate the analysis and modelling of the effect of appropriate information protection measures, which is critical for modern organisations.


Assessing the current state of security


Security Vision Compliance Management enables companies to comprehensively assess the current state of information security. With its help, organisations can guarantee compliance with the requirements of both Russian and international standards in the field of information security. This aspect is especially important in the context of globalisation and growing data security requirements.


Continuous improvement and adaptation


Security Vision is working tirelessly to improve the usability and expand the functionality of the Compliance Management product. Importantly, the company responds quickly to changes in the regulatory landscape, ensuring that the standards base provided is up-to-date. This allows users to be sure that they are working with the latest information and requirements.


Integration with other solutions


To maximise efficiency and security, Compliance Management can be integrated with other solutions offered by Security Vision such as Asset Management, BCM and Risk assessment. This integration provides a comprehensive approach to information security, enhancing the protection and reliability of the entire system.


Results management process


The processing of assessment results can be automated and customised to suit the specific processes and technologies of a particular organisation. For example, based on the assessment, a compliance plan is created and tasks are automatically generated for performers in the task management system used.


----


Security Vision Compliance Management is an important tool for modern companies striving for high standards of information security. It not only helps to assess and improve the current state of defence, but also ensures compliance. Continuous improvement of the product and its integration with other solutions make Security Vision Compliance Management indispensable in the arsenal of any company's defence tools.

 
