Risk management seeks to identify risks for an organization, such as a business, and then either mitigate or remove the identified risks. One variety of tool used in risk management is a control. A control is an activity that prevents, mitigates or detects risks. Controls may generally be classified as either preventive or detective. Preventive controls seek to prevent or mitigate risks; they may prevent undesirable events from happening and/or encourage desirable events to happen. Detective controls detect undesirable events.
Some controls may be automated so that the steps associated with such controls are performed automatically by systems like computer systems or machines. These systems may allow a user to define a control and then implement the control on a computer system or other machine in an automated fashion. For example, a control may be automated that requires a user to be prompted for login credentials followed by two-factor authentication before being granted access to servers of a business.
In accordance with an exemplary embodiment, a method is performed in a computing environment. Per the method, a specification of a control is received in the computing environment, wherein the specification of the control sets forth activities to be performed and/or conditions to be satisfied as part of the control and also specifies evidence of compliance with the control to be generated. The specification of the control is programmatically analyzed to identify the evidence of compliance to be generated from a source of operational data, and the evidence is programmatically caused to be generated from the source of operational data. The generated evidence is stored in a storage in an immutable manner, and the evidence is referenced on a blockchain or other secure, distributed electronic ledger. The generated evidence from the blockchain or secure distributed ledger is programmatically gathered. The gathered evidence is analyzed to determine whether there has been compliance with the control. Where it is determined that there has been compliance, a notice of compliance is generated, or a report is output on an output device. Where it is determined that there has not been compliance, one of a notice or an alert of non-compliance is generated.
The generating of the evidence and the storing of the evidence may occur in real time, in near-real time, at time intervals or in a delayed fashion. The analyzing may be performed by a programmatic entity. The programmatically gathering the evidence may entail processing system logs to extract the evidence or processing a stream of events. The gathered evidence may be stored in one of a database or a secure storage. The gathered evidence may include an event record. The gathered evidence may be hashed and/or encrypted prior to the storing in the storage. The control may be for compliance with at least one of a legal requirement, an accounting requirement, a security requirement, a risk management requirement or an organizational objective. The providing access to the gathered evidence may include generating a report of the gathered evidence on a user interface.
In accordance with an exemplary embodiment, a method is performed in a computing environment. Per the method, specifications of controls are received in a computer programming entity for managing evidence of compliance with the controls. The specifications of the controls specify evidence that is to be gathered to demonstrate compliance with the controls. The computer programming entity identifies the evidence that is to be gathered per the specifications of the controls. As activities proceed in the computing environment, the identified evidence is gathered. The gathered evidence is subjected to at least one of hashing, encryption or obfuscation to produce secured evidence. The secured evidence is stored in a storage in an immutable fashion by the computer programming entity. The secured evidence is referenced on a secure distributed ledger, and the secure distributed ledger is accessible to multiple parties, including at least one auditor for auditing compliance with controls.
The referencing of the evidence may be performed in real time or quasi real time relative to the proceeding of the activities, may be performed at time intervals or may be performed in a delayed fashion. The auditor may be a programmatic auditor. The method may include the additional steps of generating a report of at least some of the secured evidence by the computer programming entity for the auditor. The control may be for compliance with at least one of a legal requirement, an accounting requirement, a security requirement, a risk management requirement or an organizational objective. The computer programming entity may be one of a program, program suite, applet, script, library or other set of computer programming code.
In accordance with an exemplary embodiment, a non-transitory computer-readable storage medium stores instructions for execution by a processor. The instructions cause the processor to encrypt and/or hash evidence of compliance with a control. The control sets forth activities to be performed and/or conditions to be satisfied. The instructions also cause the processor to store the encrypted and/or hashed evidence in a storage, reference the evidence on a secure distributed ledger and access the secure distributed ledger to obtain the reference and programmatically examine the evidence regarding compliance with the control stored in the storage. The instructions further cause the processor to programmatically generate an output indicating compliance with the control where the examined evidence indicates compliance with the control, and where the examined evidence indicates lack of compliance with the control, to programmatically generate an output indicating non-compliance with the control.
The output may be a report demonstrating compliance with the control. The output may be an alarm of non-compliance with the control. The control may be for compliance with at least one of a legal requirement, an accounting requirement, a security requirement, a risk management requirement or an organizational objective. The evidence may be both hashed and encrypted.
One of the difficulties with the use of controls in conventional systems is the difficulty of proving compliance with the controls. In general, the compliance is determined by a manual audit to gather evidence of compliance or non-compliance. Gathering such evidence manually is often a time-consuming and expensive process. The gathering of the evidence may be subject to human error and may be performed differently by different auditing parties. Still further, the auditing may be performed sporadically rather than on a periodic basis or on a non-periodic but ongoing basis. As a result, the gathered evidence may be error prone, incomplete and variable.
The exemplary embodiments eliminate the need for manual auditing and may overcome the problems of conventional auditing approaches. The exemplary embodiments may provide an automated control compliance evidence manager that is responsible for gathering evidence of compliance with controls. The automated control compliance evidence manager may operate on an ongoing basis. In some exemplary embodiments, the evidence is gathered and available for review in real time or near real time. The gathering of the compliance evidence is automated. The steps for gathering the compliance evidence may be specified at the time a control is established so that there is consistency in what is gathered and how the evidence is gathered. A user may be required to provide an itemization of what evidence is to be gathered and where. The evidence may be stored in an immutable fashion. In some exemplary embodiments, the evidence may be cryptographically hashed and/or encrypted and referenced by a secure distributed ledger, like a blockchain. The secure distributed ledger may be visible to concerned parties.
The control compliance evidence manager may have a reporting capability for generating reports or outputs regarding the evidence of compliance. For example, a report may be generated that produces evidence for a control for a certain time period. In some exemplary embodiments, a user interface may be displayed that enables a user to navigate among controls and see compliance evidence for the controls.
In some instances, the controls 103 may include ones that are for ensuring compliance with standards or requirements, such as legal standards, accounting standards, compliance with the Hatch-Waxman Act, Defense Department regulations or standards, data security standards, etc. In other instances, the controls 103 are not for complying with standards or requirements. In some instances, a control 103 is for achieving an organizational objective.
The control manager 102 may interact with a control compliance evidence manager 104. The control compliance evidence manager 104 may be realized in software or more generally in computer program instructions. The control compliance evidence manager 104 is responsible for gathering evidence of compliance or non-compliance with a control and providing access to that evidence. The control compliance evidence manager 104 may include a gathering component 106 that gathers evidence from sources, like event logs, and stores the gathered evidence on a storage, such as a secure distributed ledger, like a blockchain. The control compliance evidence manager 104 may also include a reporting component 108 that may retrieve the gathered evidence from a storage like a secure distributed ledger and generate reports or other outputs of the evidence to a user.
The control manager 102, the controls 103 and the control compliance evidence manager 104 may interact in a number of different fashions. For example, the controls 103 may be defined as instances of control object classes in some exemplary embodiments. Methods may be defined for the object classes to interrogate the objects, so that the control compliance evidence manager 104 may interrogate the control objects or output data from the control objects. In other embodiments, Application Program Interfaces (APIs) may be defined to enable interaction between the controls 103, the control manager 102 and the control compliance evidence manager 104. There may be Remote Procedure Call (RPC) technology for facilitating interaction between the control manager 102, the controls 103 and the control compliance evidence manager 104. Those skilled in the art will appreciate that in other embodiments, the control manager 102 and the control compliance evidence manager 104 may be realized in web-based environments, wherein the control compliance evidence manager 104 may use web protocols to communicate with the control manager 102 on a web server or in a cluster in a cloud-based environment.
As can be seen in the diagram of
The control compliance evidence manager 204 may then begin the process of gathering the evidence on an ongoing basis from the source of operational data 205 (306). This may entail ingesting operational data from a data stream on an ongoing basis. This requires gathering the identified event records on an ongoing basis (306) and storing the gathered records in storage and referencing the gathered records on a secure distributed ledger, like a blockchain (308). As shown in diagram 320 of
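As an added example that is not part of this disclosure, the following Python sketches the gathering, immutable storage, ledger referencing and programmatic audit steps described above (306 and 308, and the method of the summary) for the login-plus-two-factor control from the background. The control specification format, the event record fields, the content-addressed in-memory store and the hash-chained in-memory ledger are assumptions standing in for a real storage and secure distributed ledger; the sample event stream is constructed.

```python
import hashlib
import json

# Constructed control specification in a hypothetical format (not the disclosure's):
# the background's example control, login then two-factor auth before server access.
CONTROL_SPEC = {
    "control_id": "CTRL-AUTH-01",
    "evidence_events": ["login", "mfa_success", "server_access"],  # records to gather
    "required_sequence": ["login", "mfa_success"],  # must precede the guarded event
    "guarded_event": "server_access",
}
EVENT_STREAM = [  # constructed sample of the operational data stream (event records)
    {"ts": 1, "user": "alice", "event": "login"},
    {"ts": 2, "user": "alice", "event": "mfa_success"},
    {"ts": 3, "user": "alice", "event": "server_access", "host": "db01"},
    {"ts": 4, "user": "bob", "event": "login"},
    {"ts": 5, "user": "bob", "event": "server_access", "host": "db01"},  # no MFA first
    {"ts": 6, "user": "carol", "event": "file_download"},  # not evidence for this control
]

def canonical(record) -> bytes:
    # Deterministic serialisation so that equal records always hash equal.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

class EvidenceStore:  # content-addressed, append-only: a stored entry is never overwritten
    def __init__(self):
        self._items = {}
    def put(self, record) -> str:
        data = canonical(record)
        h = hashlib.sha256(data).hexdigest()
        self._items.setdefault(h, data)
        return h
    def get(self, h):
        data = self._items[h]
        if hashlib.sha256(data).hexdigest() != h:  # detect tampering with stored evidence
            raise ValueError("evidence tampered: " + h)
        return json.loads(data)

class Ledger:  # minimal hash-chained ledger standing in for the secure distributed ledger
    def __init__(self):
        self.blocks = []
    def reference(self, control_id: str, evidence_hash: str):
        prev = self.blocks[-1]["block_hash"] if self.blocks else "0" * 64
        block = {"control_id": control_id, "evidence_hash": evidence_hash, "prev": prev}
        block["block_hash"] = hashlib.sha256(canonical(block)).hexdigest()  # over 3 fields
        self.blocks.append(block)
    def verify_chain(self) -> bool:
        prev = "0" * 64
        for b in self.blocks:
            body = {k: v for k, v in b.items() if k != "block_hash"}
            if b["prev"] != prev or hashlib.sha256(canonical(body)).hexdigest() != b["block_hash"]:
                return False
            prev = b["block_hash"]
        return True

def gather(spec, stream, store, ledger):
    """Gathering component (steps 306/308): select evidence, store it, reference its hash."""
    for rec in stream:
        if rec["event"] in spec["evidence_events"]:
            ledger.reference(spec["control_id"], store.put(rec))

def audit(spec, store, ledger):
    """Programmatic auditor: re-gather evidence via the ledger, return control violations."""
    if not ledger.verify_chain():
        raise ValueError("ledger integrity check failed")
    records = sorted((store.get(b["evidence_hash"]) for b in ledger.blocks
                      if b["control_id"] == spec["control_id"]), key=lambda r: r["ts"])
    seq, progress, violations = spec["required_sequence"], {}, []
    for r in records:
        step = progress.get(r["user"], 0)
        if step < len(seq) and r["event"] == seq[step]:
            progress[r["user"]] = step + 1  # one more required step satisfied
        elif r["event"] == spec["guarded_event"] and step < len(seq):
            violations.append(r)  # guarded event before login + MFA completed
    return violations
```

Running `gather` over the stream and then `audit` reports bob's server access as the single violation, while any edit to a ledger block or stored record is caught by the chain and hash checks before the evidence is evaluated.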
In some instances, a user interface may be provided that allows navigation of the controls and the associated evidence. Reports of the evidence may be generated from the user interface. Information regarding the evidence may be shown on the user interface.
The methods described herein may be performed by a computing environment 800, such as that depicted in
As used in this application, the terms “system” and “component” and “module” are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution, examples of which are provided by the exemplary computing environment 800. For example, a component can be, but is not limited to being, a process running on a computer processor, a computer processor, a hard disk drive, multiple storage drives (of optical and/or magnetic storage medium), an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components can reside within a process and/or thread of execution, and a component can be localized on one computer and/or distributed between two or more computers. Further, components may be communicatively coupled to each other by various types of communications media to coordinate operations. The coordination may involve the unidirectional or bi-directional exchange of information. For instance, the components may communicate information in the form of signals communicated over the communications media. The information can be implemented as signals allocated to various signal lines. In such allocations, each message is a signal. Further embodiments, however, may alternatively employ data messages. Such data messages may be sent across various connections. Exemplary connections include parallel interfaces, serial interfaces, and bus interfaces.
The computing device 802 includes various common computing elements, such as one or more processors, multi-core processors, co-processors, memory units, chipsets, controllers, peripherals, interfaces, oscillators, timing devices, video cards, audio cards, multimedia input/output (I/O) components, power supplies, and so forth. The embodiments, however, are not limited to implementation by the computing device 802.
As shown in
The system bus 808 provides an interface for system components including, but not limited to, the system memory 806 to the processor 804. The system bus 808 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. Interface adapters may connect to the system bus 808 via a slot architecture. Example slot architectures may include without limitation Accelerated Graphics Port (AGP), Card Bus, (Extended) Industry Standard Architecture ((E)ISA), Micro Channel Architecture (MCA), NuBus, Peripheral Component Interconnect (Extended) (PCI(X)), PCI Express, Personal Computer Memory Card International Association (PCMCIA), and the like.
The system memory 806 may include various types of computer-readable storage media in the form of one or more higher speed memory units, such as read-only memory (ROM), random-access memory (RAM), dynamic RAM (DRAM), Double-Data-Rate DRAM (DDRAM), synchronous DRAM (SDRAM), static RAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), flash memory (e.g., one or more flash arrays), polymer memory such as ferroelectric polymer memory, ovonic memory, phase change or ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS) memory, magnetic or optical cards, an array of devices such as Redundant Array of Independent Disks (RAID) drives, solid state memory devices (e.g., USB memory, solid state drives (SSD)) and any other type of storage media suitable for storing information. In the illustrated embodiment shown in
The computing device 802 may include various types of computer-readable storage media in the form of one or more lower speed memory units, including an internal (or external) hard disk drive (HDD) 814, a magnetic floppy disk drive (FDD) 816 to read from or write to a removable magnetic disk 818, and an optical disk drive 820 to read from or write to a removable optical disk 822 (e.g., a CD-ROM or DVD). The HDD 814, FDD 816 and optical disk drive 820 can be connected to the system bus 808 by an HDD interface 824, an FDD interface 826 and an optical drive interface 828, respectively. The HDD interface 824 for external drive implementations can include at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies. The computing device 802 is generally configured to implement logic, systems, methods, apparatuses, and functionality described herein with reference to
The drives and associated computer-readable media provide volatile and/or nonvolatile storage of data, data structures, computer-executable instructions, and so forth. For example, a number of program modules can be stored in the drives and memory units 810, 812, including an operating system 830, one or more application programs 832, other program modules 834, and program data 836. In one embodiment, the one or more application programs 832, other program modules 834, and program data 836 can include, for example, the various applications and/or components of the system
A user can enter commands and information into the computing device 802 through one or more wire/wireless input devices, for example, a keyboard 838 and a pointing device, such as a mouse 840. Other input devices may include microphones, infra-red (IR) remote controls, radio-frequency (RF) remote controls, game pads, stylus pens, card readers, dongles, finger print readers, gloves, graphics tablets, joysticks, keyboards, retina readers, touch screens (e.g., capacitive, resistive, etc.), trackballs, trackpads, sensors, styluses, and the like. These and other input devices are often connected to the processor 804 through an input device interface 842 that is coupled to the system bus 808 but can be connected by other interfaces such as a parallel port, IEEE 1394 serial port, a game port, a USB port, an IR interface, and so forth.
A monitor 844 or other type of display device is also connected to the system bus 808 via an interface, such as a video adaptor 846. The monitor 844 may be internal or external to the computing device 802. In addition to the monitor 844, a computer typically includes other peripheral output devices, such as speakers, printers, and so forth.
The computing system 802 may operate in a networked environment using logical connections via wire and/or wireless communications to one or more remote computers, such as a remote computer 848. The remote computer 848 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computing system 802, although, for purposes of brevity, only a memory/storage device 850 is illustrated. The logical connections depicted include wire/wireless connectivity to a local area network (LAN) 852 and/or larger networks, for example, a wide area network (WAN) 854. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, for example, the Internet.
When used in a LAN networking environment, the computing device 802 is connected to the LAN 852 through a wire and/or wireless communication network interface or adaptor 856. The adaptor 856 can facilitate wire and/or wireless communications to the LAN 852, which may also include a wireless access point disposed thereon for communicating with the wireless functionality of the adaptor 856.
When used in a WAN networking environment, the computing device 802 can include a modem 858, or is connected to a communications server on the WAN 854, or has other means for establishing communications over the WAN 854, such as by way of the Internet. The modem 858, which can be internal or external and a wire and/or wireless device, connects to the system bus 808 via the input device interface 842. In a networked environment, program modules depicted relative to the computing device 802, or portions thereof, can be stored in the remote memory/storage device 850. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
The computing device 802 is operable to communicate with wired and wireless devices or entities using the IEEE 802 family of standards, such as wireless devices operatively disposed in wireless communication (e.g., IEEE 802.16 over-the-air modulation techniques). This includes at least Wi-Fi (or Wireless Fidelity), WiMax, and Bluetooth™ wireless technologies, among others. Thus, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices. Wi-Fi networks use radio technologies called IEEE 802.11x (a, b, g, n, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wire networks (which use IEEE 802.3-related media and functions).
Various embodiments may be implemented using hardware elements, software elements, or a combination of both. Examples of hardware elements may include processors, microprocessors, circuits, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate array (FPGA), logic gates, registers, semiconductor device, chips, microchips, chip sets, and so forth. Examples of software may include software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. Determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints.
One or more aspects of at least one embodiment may be implemented by representative instructions stored on a machine-readable medium which represents various logic within the processor, which when read by a machine causes the machine to fabricate logic to perform the techniques described herein. Such representations, known as “IP cores”, may be stored on a tangible, machine-readable medium and supplied to various customers or manufacturing facilities to load into the fabrication machines that make the logic or processor. Some embodiments may be implemented, for example, using a machine-readable medium or article which may store an instruction or a set of instructions that, if executed by a machine, may cause the machine to perform a method and/or operations in accordance with the embodiments. Such a machine may include, for example, any suitable processing platform, computing platform, computing device, processing device, computing system, processing system, computer, processor, or the like, and may be implemented using any suitable combination of hardware and/or software. The machine-readable medium or article may include, for example, any suitable type of memory unit, memory device, memory article, memory medium, storage device, storage article, storage medium and/or storage unit, for example, memory, removable or non-removable media, erasable or non-erasable media, writeable or re-writeable media, digital or analog media, hard disk, floppy disk, Compact Disk Read Only Memory (CD-ROM), Compact Disk Recordable (CD-R), Compact Disk Rewriteable (CD-RW), optical disk, magnetic media, magneto-optical media, removable memory cards or disks, various types of Digital Versatile Disk (DVD), a tape, a cassette, or the like.
The instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, encrypted code, and the like, implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language.
The foregoing description of example embodiments has been presented for the purposes of illustration and description. It is not intended to be exhaustive or to limit the present disclosure to the precise forms disclosed. Many modifications and variations are possible in light of this disclosure. It is intended that the scope of the present disclosure be limited not by this detailed description, but rather by the claims appended hereto. Future filed applications claiming priority to this application may claim the disclosed subject matter in a different manner and may generally include any set of one or more limitations as variously disclosed or otherwise demonstrated herein.