Objectives, Requirements & Controls
Every Controls-based Compliance Policy starts with a number of broad-reaching "Objectives". Although these objectives usually convey the ideals and sentiments behind the policy, they are often too vague and generalised to be of any real value in guiding your actions or driving real change.
Thankfully, "Requirements or Controls" are also specified to expand on each of the objectives. These are statements of the minimum standards required to meet an aspect of an objective so there are usually a number of requirements or controls specified for each objective.
Unfortunately, in many cases the requirements or controls can be as vague as the objectives themselves, and they can also be interpreted in a number of ways. This can make it very difficult to grasp the actual changes that might be needed.
Opt-Sec Compliance Systems take a unique approach to the interpretation of requirements or controls which clarifies the statements made and makes the changes that are needed to meet the minimum standards more obvious.
Documentation & Evidence
If you believe that existing Policies, Processes and Technology meet or exceed the requirements or controls, you will need to demonstrate this to an Auditor in order to "prove" your compliance.
In addition, if you have made changes that you believe will bring you into line with the requirements or controls, you will need to provide details of the changes you have made in order to show why you believe your changes have made you compliant.
This need to provide "Evidence" to an Auditor means that the largest part of the Compliance process is actually all about Document Management.
Opt-Sec Compliance Systems provide a purpose-built Document Management System within the software. This central Document Store provides the perfect repository for all compliance related paperwork and data, and ensures that every scrap of evidence is cross-referenced to the requirements and controls to which it relates.
Tamper-proof Repository
In order for evidence to be considered valid "proof", its integrity needs to be assured so that an Auditor will be satisfied that you meet the required standards in the way that you say you do.
Once a document, or any form of data, is uploaded into the document store it is reference tagged and date stamped. Only authorised users are allowed to upload information, and any subsequent changes made to the documents or data will be logged and recorded against the information itself and the user responsible. Any attempts to access the information once it is uploaded, other than through the User Interface by an authorised user, will cause the document or data to be "quarantined", and alerts will be sent to the appropriate people to deal with the infraction.
In this way, Opt-Sec Compliance Systems turn documents and data that you are proffering as evidence of your compliance, into bona fide proof, the provenance of which will satisfy the most stringent of Auditors.