INSSIDE recently launched our regulatory compliance and risk management platform. It is an innovative product that was born with the aim of facilitating and speeding up the work of auditors and all those in charge of guiding an audit.
Undoubtedly, INSSIDE Security Suite (ISS) is a product that is constantly being improved and optimized, launching new features that keep it at the forefront of what auditors and companies need to meet the requirements of the most well-known standards and the most demanding markets.
This week we had the pleasure of talking with our specialist, Ing. Agostina Lambertucci, QSA and one of the creators of the new product INSSIDE offers, which promises to be the right hand of auditors.
What inspired you to develop this app?
First, most of our customers must maintain compliance with various regulations, whether by business necessity, by CISO definition, or by the industry itself. The monitoring of these regulations is usually done through Excel files, a practice that makes monitoring and visibility of the process more complex. Therefore, the objective of INSSIDE Security Suite (ISS) is that they can have all the information on the same platform, with ease of monitoring and centralization of the data.
In future versions of the tool, all the projects can be associated with the aim of reusing the information that has already been loaded for one standard and that is necessary for another regulatory framework.
Tell me about the user experience of using the app. How do you facilitate the gap analysis process and improve compliance?
There are three important points to highlight in this regard: remediation recommendations, evidence and those designated as responsible.
Our expert GRC consultants have uploaded the remediation recommendations in the regulations, so our clients will automatically obtain the measures to implement to comply with the controls of the evaluated standard.
Additionally, they have prepared lists of evidence to review for each standard; therefore, when starting the project, our client may use this list or modify it as necessary. Each control will have its corresponding associated evidence, to link the repository where it is hosted, as well as the revision status. In this way, the evidence will be centralized and follow-up by email will not be necessary.
Lastly, in terms of those responsible, for each control the corresponding responsible person(s) may be assigned along with the date of execution, with the aim of facilitating maintenance of compliance throughout the process.
What types of cybersecurity regulations does the platform cover?
Currently, ISS has the PCI DSS, CIS, NIST and ISO 27002 regulatory frameworks. However, you can upload all the regulations you want, regardless of their nature. The important thing is to be able to organize them into requirements, subrequirements and controls.
One interesting feature is the ability to link evidence and compliance targets. How does this simplify management and documentation for users?
With this functionality, the compliance officer will only have to indicate, control by control, the evidence that must be presented. This will allow you to hold each person involved responsible for the execution of the control and the presentation of the corresponding evidence, avoiding the sending of many emails demanding the evidence, the waste of time requesting the information on several occasions and even the possible loss of it.
What are the key benefits that security officers and GRC managers can expect from using this tool?
Among the key benefits we can mention agility, implementation recommendations made by experts, easy evidence tracking and centralization of the compliance process, among others.
How does the application help to measure the current level of compliance and to assess the risk associated with non-compliance?
With the ISS, when evaluating compliance with the standard control by control, it will be possible to obtain the level of total compliance. For the controls identified as non-compliant, it will be possible to know the level of risk they represent for the organization since, as we well know, not carrying out the annual awareness training does not generate the same risk as not having a vulnerability management process. That is, there are different types of controls and, based on the importance of each one, ISS determines the level of risk to which an organization is exposed for not complying with one or the other.
Could you share some success stories or examples of how the app has helped companies improve their cybersecurity and regulatory compliance?
On one hand, we have a high number of customers using the ISS to complete the PCI DSS SAQ required by acquirers. In this case, they are customers with a very low annual volume of transactions, who do not require the services of a QSA. Through the ISS, they quickly complete the corresponding SAQ and then deliver it to whoever is requesting it.
And on the other, several companies are using it to manage supplier management processes. Through the ISS, they ask their providers to complete the defined security assessment and thus keep all the information centrally.
The ability to log the state changes of controls sounds very useful. How does this contribute to maintaining ongoing compliance and demonstrating improvements over time?
Recording status changes in the controls makes it possible to keep the level of compliance updated, giving visibility to all those involved and showing the progress in the remediation process.
What is your long-term vision for the app? Are there any features or improvements that users can expect in future updates?
Like everything in technology, the ISS is constantly evolving. We take into account the recommendations that our clients make us, as well as the advances in the industry.
In the medium term we will be launching a new module, specific to PCI DSS for those customers who are required to complete the self-assessments. From this module, they will be able to easily know which SAQ corresponds to them, complete only the requirements that apply to them, and execute the quarterly ASVs. All without the help of any consultant.
In turn, we are working on getting a higher level of automation. Through integrations with different sources, the objective is that the states of the controls are modified automatically according to the information they receive.
That was Agostina Lambertucci, QSA and regulatory compliance specialist, explaining how INSSIDE Security Suite contributes to the management of audit processes.
To learn more about the platform, you can send your query through the following link and an expert will contact you shortly.