Qualys Adds Tool to Automate Audit Workflows
Qualys this week added a tool that makes it possible for organizations to continuously run audits in a way that promises to dramatically reduce failure rates.
Anu Kapil, a senior product manager for Qualys, said Policy Audit leverages the unified agent software that Qualys developed to automate data collection and enforce policies. It is designed to automate evidence collection spanning more than 90 compliance frameworks. Whenever a gap is identified, IT teams can then apply more than 1,000 policies developed by Qualys to bring the organization back into compliance.
Additionally, Qualys is making available an optional add-on tool, dubbed Audit Fix, that can be used to repair issues proactively surfaced in an audit using a library of pre-defined, out-of-the-box scripts and golden policies that can, for example, be integrated into continuous integration/continuous delivery (CI/CD) pipelines.
The overall goal is to make it simpler for organizations to ensure they comply with regulations that now require them to prove there has not been any violation of a compliance mandate, said Kapil.
Historically, audits have been conducted at regular intervals, with organizations spending thousands of hours and dollars preparing. Most of those efforts involved manual tasks, which increased the probability that an issue leading to an audit failure would go undiscovered.
More challenging still, many organizations have a fragmented approach to auditing that increases costs, noted Kapil. Qualys is making a case for a more integrated approach that leverages agent software its customers have already installed to address both security and compliance requirements, she added.
Compliance mandates tend to require many of the same controls, so there is also an opportunity to reduce audit costs by identifying the ones that span multiple frameworks and technologies, noted Kapil. The Policy Audit tool, for example, can identify where one control may have already been implemented in a way that also serves to satisfy the requirements of another mandate, she noted.
Policy Audit is also integrated with Qualys TruRisk, a tool that automatically maps compliance and data privacy risks, including the misconfigurations that are one of the primary reasons most organizations fail to pass an audit.
It’s not clear how automated auditing processes are becoming, but many organizations have been integrating their governance, risk and compliance (GRC) and cybersecurity teams to not only ensure compliance but also improve overall cyber resiliency. Of course, meeting compliance mandates is only a baseline for implementing best cybersecurity practices, but those mandates do help ensure organizations are addressing fundamental requirements that are often overlooked. More often than not, it’s those very issues that are the root cause of a cybersecurity breach.
The challenge, as always, is ensuring those mandates are met before any fine might be levied because an audit wasn’t passed.
Hopefully, advances in artificial intelligence (AI) will soon make it easier for organizations to not only achieve but also maintain compliance in an era where application environments are not only becoming more complex but are also being updated more frequently than ever.