No one questions that audits are stressful, painful and time-consuming. But organizations — financial institutions especially — must conduct audits to ensure security and validate compliance with regulatory requirements. As security threats increase or regulations change, entities in turn must conduct more audits. But how can a company stay competitive when so much time and so many resources are spent running audit after audit?
Preparing for and satisfying an audit is often a multi-month process involving several teams and possibly hundreds of people, all of whom have different goals, skills, tools and communication mechanisms. Compliance teams know regulatory policies and work with documents. Security teams understand vulnerabilities but aren’t typically working with code. And DevOps teams work with code but typically don’t go deep on the compliance requirements. These different languages create an environment ripe for misunderstandings, ambiguity and mistakes.
Further exacerbating audit pain is the traditional approach to security evaluations. Typically, security and compliance checks are done at the end of the development process. These checks may be done by teams uninvolved in any of the previous steps and potentially use scanning tools notorious for delivering “false-positives”. Addressing compliance failures this late in the lifecycle also causes extensive rework, especially if exceptions aren’t managed and tracked appropriately.
The toughest pill to swallow about audits is that even though so much time and effort is spent auditing and mitigating risk, in reality there’s zero visibility between audits. Audits are singular snapshots and provide little insight into the compliance state over time. Organizations likely follow a pattern where compliance levels spike during the flurry of work around the audit, then fall off quickly after the audit is completed, only to spike again with the next audit. The limited visibility between audits amounts to considerable risk that should be unacceptable, particularly for financial institutions.
In order to stay competitive and compliant, organizations must continuously and automatically assess and correct compliance. Managing compliance as code is the best way to implement continuous, sustainable compliance practices.
Code enables continuous compliance.
The benefits of continuous compliance driven by code are twofold. First, compliance as code makes it easy to maintain real-time and historical compliance status to satisfy scheduled and ad hoc audit requests. Second, it allows organizations to fix issues before production, improving speed and lowering risk. We routinely see organizations reduce audit cycle times by over 90% after adopting compliance as code!
Chef enables continuous compliance with InSpec and Chef Automate.
InSpec is Chef’s open-source language for describing security & compliance rules that can be shared between software engineers, operations, and security engineers. Security, compliance and other policy requirements become automated tests that can be run against traditional servers, containers, and cloud APIs alike, ensuring consistent standards are enforced in every environment you manage, at every stage of development.
InSpec expresses security and compliance requirements as code to incorporate compliance continually in the delivery process.
Chef Automate transforms InSpec audits into web-accessible compliance reports, providing an aggregated overview of environments’ compliance status and trend graphs for tracking historical data. When combined with a library of preloaded compliance profiles, in-GUI agentless scans of server and cloud endpoints, and a fully auditable scan history for each system you manage, Chef Automate ensures you maintain visibility into the compliance of your entire estate.
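To make the "requirements as automated tests" idea above concrete, here is an added illustration in plain Ruby. It is not InSpec syntax and not Chef's code: it shows the pattern InSpec automates, namely expressing each policy requirement as a control with a stable id and an impact, evaluating the controls against a system artifact (here a constructed sshd_config sample), and emitting a timestamped, per-node result record of the kind a tool like Chef Automate aggregates into reports and trend graphs. Control ids, titles, impact values and the sample configuration are all assumptions made for the example.

```ruby
require 'time'

# Constructed sample input for the example; NOT a real host's configuration.
# The duplicate PasswordAuthentication line is deliberate: sshd honours the
# FIRST occurrence of a keyword, so a "hardening" line appended at the end of
# the file changes nothing. A check that takes the last value would pass
# wrongly.
SAMPLE_SSHD_CONFIG = <<~CONF
  # OpenSSH server configuration (constructed sample)
  Port 22
  PermitRootLogin no
  PasswordAuthentication yes
  PasswordAuthentication no
  X11Forwarding no
CONF

# Parse sshd_config text into a Hash of lowercased keyword => value.
# Full-line comments and blank lines are skipped; first occurrence wins.
def parse_sshd_config(text)
  settings = {}
  text.each_line do |raw|
    line = raw.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split(/\s+/, 2)
    next if key.nil? || value.nil?
    k = key.downcase
    settings[k] = value.strip unless settings.key?(k)
  end
  settings
end

# Compliance requirements as code: each control has a stable id, an impact
# in 0.0..1.0 (the scale InSpec uses), a human-readable title, and a check
# that returns true when the parsed configuration is compliant.
# Ids, titles and impacts are hypothetical values chosen for this example.
CONTROLS = [
  { id: 'ssh-01', impact: 1.0, title: 'Root login over SSH is disabled',
    check: ->(c) { c['permitrootlogin'] == 'no' } },
  { id: 'ssh-02', impact: 0.7, title: 'Password authentication is disabled',
    check: ->(c) { c['passwordauthentication'] == 'no' } },
  # X11Forwarding defaults to "no" when absent, so absence is compliant.
  { id: 'ssh-03', impact: 0.3, title: 'X11 forwarding is disabled',
    check: ->(c) { c.fetch('x11forwarding', 'no') == 'no' } }
].freeze

# Evaluate every control and return one result record for the node.
# The timestamp is what makes the record useful for historical tracking:
# storing one record per scan gives compliance state over time rather than
# a single audit snapshot.
def evaluate(config_text, node: 'constructed-host', controls: CONTROLS, at: Time.now.utc)
  settings = parse_sshd_config(config_text)
  results = controls.map do |ctl|
    { id: ctl[:id], impact: ctl[:impact], title: ctl[:title],
      status: ctl[:check].call(settings) ? 'passed' : 'failed' }
  end
  failed = results.select { |r| r[:status] == 'failed' }
  {
    node: node,
    timestamp: at.iso8601,
    results: results,
    passed: results.size - failed.size,
    failed: failed.size,
    # Highest impact among failing controls; 0.0 when fully compliant.
    max_failed_impact: failed.map { |r| r[:impact] }.max || 0.0
  }
end

if __FILE__ == $PROGRAM_NAME
  report = evaluate(SAMPLE_SSHD_CONFIG)
  report[:results].each { |r| puts "#{r[:id]} #{r[:status].ljust(6)} #{r[:title]}" }
  puts "#{report[:node]} @ #{report[:timestamp]}: #{report[:passed]} passed, " \
       "#{report[:failed]} failed (max impact #{report[:max_failed_impact]})"
end
```

Run against the constructed sample, ssh-02 fails because the first PasswordAuthentication value is "yes"; the same check run on every commit, rather than once before an audit, is what turns the finding into something fixed before production instead of rework discovered at audit time.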
Learn more about how Chef helps reduce audit pain with continuous compliance in our recent webinar below. In the webinar, we demo how InSpec and Chef Automate easily align to frameworks such as FFIEC standards, and how you can transform your organization’s approach to audits through the adoption of continuous compliance.