Compliance Automated Standard Solution (COMPASS), Part 7: Compliance-to-Policy for IT Operation Policies Using Auditree

(Note: A list of links for all articles in this series can be found at the conclusion of this article.)

In Part 4 of this multi-part series on continuous compliance, we presented designs for Compliance Policy Administration Centers (CPAC). A CPAC is typically one component of a larger platform known in the industry under names such as Cloud-Native Application Protection Platform (CNAPP), Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), or Cloud Infrastructure Entitlement Management (CIEM); it is bundled into those platforms to manage the compliance artifacts that connect regulatory policies, expressed programmatically as Compliance-as-Code, with technical policies implemented as Policy-as-Code. The separation of Compliance-as-Code from Policy-as-Code is deliberate: different personas (see Part 1) must independently manage their respective responsibilities according to their expertise. Compliance and audit experts, for example, select controls and parameters and maintain crosswalk mappings across regulations, while code developers and security focals implement the runtime evidence collectors and checks.

This article has been indexed from DZone Security Zone
