Compliance evidence collection has traditionally been a costly endeavor. It is typically either done manually, or heavy investment and time are spent automating the workflow in a GRC platform. Yet, at the end of the day, none of the Tier 1 GRC platforms properly address this business challenge, and there is a lot left to be desired.
When we set out to address this challenge, we asked several of our CISO clients to identify their primary concerns with evidence lifecycle management. Here is what they came back with:
- Manual workflows to re-use evidence across multiple compliance programs.
- Inconsistent methods to identify “gold evidence” that can be shared as a sample with evidence providers (asset owners).
- Absence of a reliable and current CMDB that identifies key stakeholders and assets, so that evidence can be identified and collection requests sent to system/asset owners.
- Presenting evidence to internal and external auditors/assessors in a succinct format, mapped to assets and applicable controls, along with a control health score and a mapping to mitigation initiatives in motion.
- The process of requesting evidence is at best an automated email sent by a GRC platform. This workflow typically doesn’t support escalations or reminders unless the GRC platform is heavily customized.
- Ad-hoc identification of the evidence attributes (evidence quality) that matter to each compliance program. This drives each program to generate its own evidence requests with varying quality criteria, replicating effort across multiple compliance programs.
- Manually tagging evidence lifespan so it can be deemed expired and re-requested, knowing that each compliance program may have a different validity period requirement.
- Multiple channels for receiving evidence (email, online portal uploads, chat sessions) rather than a single point of convergence.
- Separating boundary-restricted evidence (for example, FedRAMP or PCI evidence) from other evidence.
- Recurring evidence pollution caused by various factors.
The end result is that businesses end up with massive cost overruns in their regulatory/statutory compliance programs, yet achieve limited efficiency and operational maturity. The typical response has been to throw bodies at the compliance workflow and get it done by burning the midnight oil.
Now there is a better way to manage evidence across multiple compliance programs: re-use evidence, automate the evidence collection process, and streamline evidence presentation to assessors and auditors. For this purpose, Trustmarq and the Ignyte Assurance Platform have joined forces to provide the Evidence Management Automation (EMA) service, a managed and integrated evidence management solution for clients looking to address their evidence-related business challenges.
What is Trustmarq EMA®?
EMA® is a purpose-built evidence lifecycle automation service that accelerates your evidence collection workflow so you can re-assign countless hours toward orchestrating a more mature compliance program. Powered by the Ignyte Assurance Platform, the Trustmarq team deploys an orchestration layer between your enterprise platforms to ensure that the organization’s controls framework, as well as all asset evidence, is centrally located and searchable by any applicable compliance program, such as PCI-DSS, FedRAMP, HIPAA/HITECH, SOX, SOC 2, ISO 27001, and others. The solution also ensures that evidence quality requirements are managed separately for each compliance program.
Our team integrates it with an organization’s existing GRC platforms (Archer, ServiceNow), asset repositories (CMDB), and management reporting engines (Tableau, ServiceNow, others) so existing investments can be leveraged. In other words, there is no major lift-and-shift away from your GRC platform: it can remain the primary evidence workflow engine, or the evidence workflow can be managed entirely within our solution.
How We Can Help
We are actively helping several enterprises find an effective and economical path to streamlining their evidence workflow. You can start by scheduling a complimentary discovery session so our team of certified professionals can assess your specific evidence management needs.
Contact us for a complimentary consulting session to learn more about our offering.