By Jingcong Zhao and Azure Security News
One of the biggest reasons security/compliance professionals choose Hyperproof is that our compliance operations platform makes it easy for them to collect, manage, review, and re-use evidence for audits. Hypersync, our new proof collection automation feature, makes evidence management even smoother.
Hypersync allows you to automate the collection of proof from AWS, Azure, GitHub, and other applications and store proof files directly on a Hyperproof control, in your proof repository, or on a specific label. You can define the cadence for automated collection based on your organization’s needs.
By setting up automated proof collection from AWS, Azure, and GitHub, you can automatically collect the following types of evidence from these systems: backup settings, encryption settings, access groups and lists of users, code change management evidence, and more. Getting these types of proof automatically can save a lot of time as you prepare for SOC 2 Type II assessments or other information security framework audits.
The release of these three Hypersync connectors is just the beginning. We plan to release Hypersync for additional services in the coming months.
Hyperproof’s approach to managing evidence
Collecting evidence for IT security and data privacy audits is often a tedious and complicated exercise because enterprises don’t have a methodical approach or an organizational system for managing evidence.
Here’s what we see a lot: A compliance pro works overtime to collect all the evidence their auditor needs to see right before a scheduled audit. They’re hoping that their colleagues (who operate various business applications and business/engineering processes) can provide them with proof that stands up under an auditor’s watchful eye. Documentation of the organization’s internal security/data privacy/compliance measures is often sparse or spread across multiple places.
Someone in the company has taken some notes on a spreadsheet about what type of proof is needed to attest to the presence and functionality of different security/compliance measures, but the notes are incomplete. Further, no one has completed a full mapping of the company’s internal security/compliance measures back to the regulatory/compliance requirements the company has to adhere to. Each time a compliance professional tries to prepare for an audit, they must start the work of finding out what’s there vs. what isn’t all over again.
Here at Hyperproof, we believe the first step to streamlining compliance work is to keep track of all compliance-related work in a single place. Within a compliance operations platform like Hyperproof, all controls, compliance requirements, risks, and evidence can be mapped — which helps eliminate duplicative work. Controls can be assigned to “owners” in the business, and control operators and business process owners can collect proof to attest to the functionality of the controls in their purview throughout the year. In other words, compliance tasks are folded more seamlessly into people’s day-to-day. The platform also provides automated workflows to remind people to complete their compliance tasks.
Additional resource: 3 Tips to Radically Reduce Your Evidence Management Burden
What are the benefits of using Hypersync?
By using Hypersync, you can save time when collecting proof. The compliance pro (or internal audit pro) who needs to review proof doesn’t need to ask their colleagues for proof anymore. And the individual on the other side doesn’t need to manually capture screenshots or export data anymore.
Further, because the proof comes directly from a source system and not from a person, auditors trust that the evidence is credible. Proof files generated from our Hypersync automation come with metadata including where the proof comes from, when it was collected, and who set up the Hypersync.
Sample: List of Users from IAM, AWS
These are just the immediate benefits you’ll experience with Hypersync. By investing in Hypersync, we’re setting up a foundation that enables our compliance operations platform to get smarter when assisting users with managing their organization’s internal controls and risks.
Over time, as Hyperproof gets more input about the various types of evidence our users are pulling into Hyperproof, the platform will be able to suggest where you might set up a Hypersync to save time. Getting evidence into Hyperproof automatically will also serve as the basis for automated testing and monitoring of controls — capabilities we’re planning to add in the coming months.
What types of evidence can I start to automate with Hypersync?
With this initial release, you will be able to automatically extract proof from certain services within AWS, Azure, and GitHub. After a one-time setup, you will be able to collect system configurations from these sources automatically without having to ask your colleagues. Examples of system configurations that you will be able to collect are:
- Backup settings
- Minimum TLS version
- Database restore
- Encryption settings
- Access groups and list of users (admin, read only, development, etc.)
- Code change management evidence (e.g., no code gets out to production without a reviewer)
- Security alerts/automated scanning
Sample GitHub Commits
Help us figure out what automations to build next
Hyperproof will quickly add additional integrations to automate collection of evidence in the coming months. The specific services we prioritize for development are based on customer needs. If you’d like to provide us input on what services you’d like to automatically collect proof from, please contact your customer success manager or schedule a time to speak to one of our sales reps.