Automated and Scalable Audit Workflows with Qualys Security Assessment Questionnaire

Pronamika Abraham

Last updated on: September 6, 2020

Risk and compliance management is a multi-faceted domain with concentrated endeavors towards reducing unacceptable risk potential that could disrupt business, or otherwise negatively impact business performance. IT GRC (Governance, Risk and Compliance) comprises many tasks related to business and IT across an entire enterprise. The compliance laws and requirements are put in place to not only protect your business, but also your customers.

The Qualys Cloud Platform, with its expansive solutions, helps you to conform to various regulatory mandates such as HIPAA, SOX (Sarbanes-Oxley), PCI-DSS and so on.

Qualys Policy Compliance, Vulnerability Management and Security Configuration Assessment are just a few apps amongst several others from Qualys to provide you with strategic solutions to ensure that your organization meets the various technical controls specified by the compliance regulations.

However, apart from the technical controls, a major part of compliance regulations comprises procedural control assessments, which are necessary for an organization’s healthy compliance posture. Well-documented information, backed by supporting evidence, is an important aspect of procedural control assessments.

For example, Clause 7.5 of ISO 27001:2013 mandates the following:

The organization’s information security management system shall include:

  • Documented information required by this International Standard
  • Documented information determined by the organization as being necessary for the effectiveness of the information security management system.

To start with, maintaining compliance with such procedural requirements may itself appear complex. Relying on manual effort makes the process inefficient and may negatively impact an organization’s performance and reputation. This is exactly where Qualys Security Assessment Questionnaire (SAQ) comes to your rescue. With intuitive campaign designs, automated campaign tracking, simplified questionnaire distribution, and comprehensive reports, SAQ helps organizations streamline their internal audit processes, which are otherwise complex and time-consuming.

Qualys itself has successfully achieved ISO27001 certification for Qualys Cloud Platform by leveraging the powerful SAQ features for internal gap analysis, internal audits, and continuous monitoring.

How SAQ Can Help You Address Your Business Requirements

With Qualys SAQ, you can take stock of the current status of procedural controls in your organization, such as the availability of policies, procedures and SOPs, and verify whether they are reviewed/approved on a regular basis. The SAQ workflow can be used to check internal compliance as well as vendor or third-party compliance. Leverage SAQ’s library of out-of-the-box templates that include common compliance standards and regulations, such as the EU’s GDPR, HIPAA, PCI, ISO27001 and so on.

The SAQ workflow is designed to help organizations with various processes that are required for compliance regulations, such as Gap Analysis, Internal and External Audits.

Thus, SAQ fits into Qualys’ overarching solution for end-to-end compliance requirements by offering a specialized approach towards procedural control assessments, while the other modules help you achieve compliance via technical control assessments.

Let’s understand how SAQ helps in the process of internal and external audit workflows – starting with identification of existing gaps, carrying out campaigns, collecting evidence, and the final assessment.

Gap Analysis for Audits

With Qualys SAQ, the InfoSec team can create templates per domain or per stakeholder and assign them to the stakeholders from the concerned department for their inputs. For example, a questionnaire can be created based on the ‘A.11 Physical and Environmental Security’ objective requirements and assigned to the Admin team. The stakeholders then respond to the questions in the questionnaire themselves or internally delegate sections (or even questions) to other team members. Once the questionnaire is completed along with the required supporting evidence, the respondents submit it to the InfoSec team for review. The workflow also allows the InfoSec team to review the responses and ask for clarifications, if required.

The responses and evidence received are then used for gap analysis, on the basis of which a further action plan is created.

Internal and External Audits

Maintenance is a crucial part of compliance. If your organization has adopted any of the international standards for information security such as ISO 27001, you need to conduct regular internal audits, so that your organization continues to be compliant.

The data that has been collected as a part of the gap analysis can be used for subsequent internal audits. For the internal audit workflow, the InfoSec team can assign the same questionnaire to the respective stakeholders – only this time, the questionnaire would contain answers that are pre-populated with the responses that were received previously. In this workflow, the stakeholders need to verify whether the responses are still valid for the current/changed organizational environment and update them wherever required. They also need to provide the latest evidence as attachments. The internal audit teams can track the campaign status and the risk score for each domain-based campaign. Once the questionnaire is submitted, the internal auditor can review the responses and ask for clarifications or evidence for verification.

The biggest benefit of using SAQ is that you can have all the required data as well as evidence ready even before the audit process starts, thereby saving an ample amount of time and helping to complete the audit process within a shorter period.

Besides internal audits, Qualys SAQ also helps in external ISO27001 audits. With the data for internal audits well in place, organizations can leverage the same as evidence for external audits. The reports created during the internal audits can also be leveraged to showcase user awareness, continuous monitoring and so on.

Qualys SAQ – A Simplified, Scalable Solution

To conclude, Qualys SAQ’s cloud-based and automated questionnaire-based campaigns give you a highly scalable solution to conduct business process control assessments among your internal as well as external stakeholders. It makes sure that organizations do not have to rely on traditional, non-intuitive, manual processes, making it easy for all the involved parties to work around a simple and customizable workflow that gives accurate results.



Vinod Raote, Solution Architect at Qualys, provided technical guidance for this blog.
