In the blog article "Continuous compliance: From traditional auditing to real-time certification", Fabasoft focused on the advantages of continuous compliance in the context of the MEDINA project, including the company compliance dashboard, which is the focus of this article.
Real-time certification using the company compliance dashboard (CCD)
As that article mentioned, Fabasoft is working with seven other European partners in the Horizon 2020 MEDINA project to give cloud service providers the opportunity to achieve automated, continuous certification, largely in real time. As part of the use case, the Fabasoft company compliance dashboard (CCD) will be implemented as a demo system. The user interface is being designed in collaboration with compliance managers and in-house control owners with the aim of addressing their specific needs.
A CCD deep dive
Going forward, a CCD will enable cloud service providers (CSPs) to tap into the MEDINA framework and maximize their benefits from the ongoing development of continuous certification. Using a CCD, compliance managers import the specified inspection catalogs that verify the security and transparency of the services offered, and distribute the resulting action steps to the internal control owners for processing. The data exchange is performed over the MEDINA API, a standardized interface. External auditing bodies are granted secure access through the so-called Audit UI.
The status quo of MEDINA
The MEDINA project is currently focusing on the upcoming EU security catalog EUCS (European Cybersecurity Certification Scheme for Cloud Services). In consultation with the European Union Agency for Cybersecurity (ENISA) and the European Telecommunications Standards Institute (ETSI), the MEDINA consortium is developing uniform assessment rules (control measures, metrics, and measurement procedures), for instance in OSCAL (Open Security Controls Assessment Language) format.
The intention is to use a CCD to coordinate, manage, and track other security catalogs and audits as well, including BSI C5, SOC 2, and others.
The advantages of managing audits in the CCD
A CCD enables compliance managers to import the most important security standards, such as EUCS, BSI C5, and SOC 2, and to manage them internally. Metrics can be applied and verified across the various requirement catalogs, and users can monitor the current control status at any time. Supporting documents and confidential content remain entirely under the authority of the CSP, and accredited auditors are granted secure access to view them.
In conjunction with the Fabasoft Cloud, users also benefit from the integrated BPMN 2.0 workflow engine, targeted task delegation, and deadline management with automated notifications.
Continuous communication of the compliance status means that the high level of security of the cloud services can be demonstrated at any time to regulatory authorities and independent auditing bodies. The continuous assurance of comprehensive data and information security enhances the trustworthiness and transparency of cloud services, while delivering a major boost to efficiency.