In building Hugo, our AI-powered Compliance Copilot, we have been evaluating cloud-based Software-as-a-Service (SaaS) GRC tools, and they are missing the mark.
Excel Control Frameworks
Traditional Control Frameworks attempt to map NIST, ISO, CMMC, and other Information Security frameworks to one another using worksheets such as Excel. Most of these worksheets range from $10,000.00 to $20,000.00 to license depending on what compliance obligations you have.
Excel sheets have a technological limitation: they allow only 1:1 mapping. There are many complex relationship attributes between control objectives that a spreadsheet cannot represent.
Traditional GRC tools simply subscribe to these Excel-based Control Frameworks for their data. GRC vendors are not enriching these control frameworks to meet today’s challenges; in fact, their licensing agreements prohibit it.
The team at Jivoo has delivered Governance Programs and Enterprise Architecture services to the Fortune 500 and government agencies for over 20 years. It is this unique perspective that gives us a full appreciation of the scope and complexity of today’s compliance obligations.
Let’s look at this in detail…
A NIST SP 800-171 Security Requirement is compliant if the Assessment Methods and related Assessment Objects indicate all Assessment Objectives are compliant or fulfilled.
Another way of expressing Assessment Requirements is this:
Assessment Method <-> Assessment Object <-> Assessment Objectives
Assessment Methods
Keep in mind that the assessment method can be: Interview (people), Examine (policy, process), or Test (technology).
Assessment Objects
The assessment object can have scope, meaning it can include a combination of assets, from the network layer that transports the data to the physical facility that retains it, and all the APIs, software, and servers in between.
Now add that you may have a managed service provider (MSP) somewhere in your system architecture.
Assessment Objectives
The assessment objectives can use all/most/some/any logic.
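To make the Method <-> Object <-> Objectives relationship concrete, here is an added example (not code from Hugo or from the original post) that models a requirement as a set of objectives, each backed by findings from a method applied to an in-scope object, and evaluates the all/most/some/any quantifier per objective. The quantifier semantics (strict majority for "most", at least one for "some" and "any"), the object names and the objective identifiers are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Method(Enum):
    INTERVIEW = "interview"  # people
    EXAMINE = "examine"      # policy, process
    TEST = "test"            # technology


@dataclass(frozen=True)
class Finding:
    """One assessment method applied to one in-scope assessment object."""
    method: Method
    obj: str           # a server, API, facility, or an MSP-operated service
    satisfied: bool


@dataclass
class Objective:
    """An assessment objective plus the quantifier applied to its findings."""
    ident: str
    quantifier: str    # "all" | "most" | "some" | "any"; semantics assumed below
    findings: list

    def satisfied(self) -> bool:
        if not self.findings:
            return False   # no evidence is treated as 'other than satisfied'
        passed = sum(1 for f in self.findings if f.satisfied)
        total = len(self.findings)
        return {"all": passed == total,
                "most": passed * 2 > total,   # strict majority (assumed)
                "some": passed >= 1,
                "any": passed >= 1}[self.quantifier]


def requirement_status(objectives):
    """Requirement is satisfied only if every objective is; also list failures."""
    failing = [o.ident for o in objectives if not o.satisfied()]
    return ("satisfied" if not failing else "other than satisfied", failing)


# Constructed sample: the same object ("idp-mfa") is evidence for two objectives,
# which is the many-to-many relationship a 1:1 spreadsheet mapping cannot hold.
SAMPLE = [
    Objective("OBJ-A", "all", [Finding(Method.TEST, "idp-mfa", True),
                               Finding(Method.TEST, "msp-vpn-gw", True)]),
    Objective("OBJ-B", "all", [Finding(Method.EXAMINE, "access-policy", True),
                               Finding(Method.TEST, "idp-mfa", False)]),
    Objective("OBJ-C", "most", [Finding(Method.INTERVIEW, "sysadmin-1", True),
                                Finding(Method.INTERVIEW, "sysadmin-2", True),
                                Finding(Method.INTERVIEW, "msp-engineer", False)]),
]
```

Calling `requirement_status(SAMPLE)` reports the requirement as other than satisfied and names OBJ-B, because one failed test on the shared identity provider object is enough to fail an "all" objective even though the same object passes elsewhere.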
You are probably thinking that this is unbelievably complex and expensive to define, test, report, and manage… and you are correct, for an enterprise, let alone an SMB!
Only with an AI-powered Compliance Copilot that has the knowledge and reasoning ability to handle these relationships has automation become possible.