Policy as Code Engine for Preventive compliance management

  • Release version: Washingtondc
  • Updated February 1, 2024

Compliance managers can map a control objective to a Policy as Code Engine (PaCE) policy. When the policy runs, PaCE calls GRC with the document reference and the PaCE policy for which exceptions need to be determined. Control owners can view the PaCE logs to see each instance of compliance or non-compliance.

With the increasing number of regulations that organizations must comply with, and equally increasing technology risks, organizations are obligated to integrate preventive controls into their digital workflows. For example, when a new software application is developed in a DevOps process, several IT policies and controls have to be implemented and validated before deployment to reduce technology risk.

With Policy as Code Engine, you write your own custom code logic to validate a policy and integrate it into a deployable instance. The PaCE policy checks the code for compliance before it is committed to a deployable instance; if the check finds non-compliance, the deployment is stopped. To integrate with GRC, the PaCE policy is added to a control objective using the Compliance Data Source Registry feature.

Preventive compliance management through integration with PaCE prevents the compliance team, the operations team, and DevOps engineers from performing non-compliant activities, and at the same time lets them raise exceptions in advance rather than after a violation has occurred.

    Key features of this integration are:
• Compliance is embedded in the employee workflows to improve the overall experience of the employees.
• Customers can codify their controls and, based on the execution status, employees can be informed that their action in the workflow would result in non-compliance.
• In case of non-compliance, employees can request an exception where there is a business requirement and continue with the digital workflow.
    Key benefits through this integration are:
• Reduced reliance on employee training: Since the controls are embedded in the workflows, the number of trainings that employees have to go through is considerably reduced.
• Automated reviews and compliance monitoring: Automated checks ensure that controls are not violated, thereby reducing the manual review effort.
• Automated audit logs: Audit and compliance teams can access the automated audit logs, which reduce manual audit effort and evidence collection.
• Lower risks and reduced violations: Continuous monitoring of controls minimizes the probability of violations.
• Visibility: Provides real-time visibility of compliance status to stakeholders such as business, risk, and compliance teams.
• Velocity: Increases the velocity of workflows, as employees can request exceptions when there is a business need without impeding the completion of the workflow.
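The pre-deployment gate this page describes (codified controls, a blocked deployment on non-compliance, an exception that lets the workflow continue, and an audit record for every evaluation) can be shown in a few dozen lines. The following is an added illustrative example in Python; it is not ServiceNow code and uses no PaCE or GRC API. The control IDs (CTL-001 to CTL-003), the manifest fields, the approved registry name, the exception register and the audit-record format are all assumptions made for the example, and the sample manifests are constructed, not real deployments.

```python
"""Policy-as-code deployment gate: an added, illustrative example.

Not ServiceNow PaCE code; no PaCE or GRC API is used. Control IDs, manifest
fields, the exception register and the audit record format are assumptions
made for this example. The pattern shown: controls codified as functions run
before a deployment, a failing control blocks the deployment unless an
approved, unexpired exception covers it, and every evaluation is logged.
"""
from dataclasses import dataclass
from datetime import date

APPROVED_REGISTRY = "registry.example.com/"   # assumed value for the example

# --- Codified controls: each returns (passed, detail) ----------------------
def ctl_approved_registry(manifest):
    """CTL-001 (assumed ID): every image must come from the approved registry."""
    bad = [i for i in manifest.get("images", []) if not i.startswith(APPROVED_REGISTRY)]
    return (not bad, f"images outside approved registry: {bad}" if bad else "ok")

def ctl_no_privileged(manifest):
    """CTL-002 (assumed ID): the workload must not request a privileged container."""
    priv = bool(manifest.get("privileged", False))
    return (not priv, "privileged container requested" if priv else "ok")

def ctl_no_plaintext_secrets(manifest):
    """CTL-003 (assumed ID): secret-looking env vars must reference a vault, not a literal."""
    markers = ("SECRET", "PASSWORD", "TOKEN")
    leaked = [k for k, v in manifest.get("env", {}).items()
              if any(m in k.upper() for m in markers) and not str(v).startswith("vault://")]
    return (not leaked, f"plaintext secrets in env: {leaked}" if leaked else "ok")

CONTROLS = {
    "CTL-001": ctl_approved_registry,
    "CTL-002": ctl_no_privileged,
    "CTL-003": ctl_no_plaintext_secrets,
}

@dataclass(frozen=True)
class ApprovedException:
    """An exception granted by a control owner for one workflow, with an expiry date."""
    control_id: str
    workflow_id: str
    approver: str
    expires: date

    def covers(self, control_id, workflow_id, today):
        return (self.control_id == control_id
                and self.workflow_id == workflow_id
                and today <= self.expires)

def evaluate(manifest, exceptions, today, audit_log):
    """Run every control against the manifest and return (allowed, findings).

    A failing control blocks the deployment unless an approved, unexpired
    exception for that control and workflow exists; then the deployment
    proceeds and the waiver is recorded as a finding. One audit record per
    control is appended to audit_log whatever the outcome.
    """
    wf = manifest["workflow_id"]
    allowed, findings = True, []
    for cid, check in CONTROLS.items():
        passed, detail = check(manifest)
        exc = next((e for e in exceptions if e.covers(cid, wf, today)), None)
        if passed:
            status = "compliant"
        elif exc:
            status = "exception"
            findings.append((cid, f"waived by {exc.approver} until {exc.expires.isoformat()}"))
        else:
            status = "non-compliant"
            allowed = False
            findings.append((cid, detail))
        audit_log.append({"date": today.isoformat(), "workflow": wf, "control": cid,
                          "status": status, "detail": detail,
                          "approver": exc.approver if exc else None})
    return allowed, findings

# --- Constructed sample input (not real deployments or real exceptions) ----
CLEAN = {"workflow_id": "WF-100", "images": ["registry.example.com/app:1.4"],
         "privileged": False, "env": {"DB_PASSWORD": "vault://prod/db"}}
RISKY = {"workflow_id": "WF-200", "images": ["docker.io/library/nginx:latest"],
         "privileged": True, "env": {"API_TOKEN": "abc123"}}
WAIVERS = [ApprovedException("CTL-002", "WF-200", "control.owner@example.com", date(2024, 3, 31))]
AS_OF = date(2024, 2, 1)        # evaluation date used by the example
AFTER_EXPIRY = date(2024, 4, 1)  # a date past the waiver's expiry

def run_gate(manifest, exceptions=(), today=AS_OF):
    """Convenience wrapper: returns (allowed, findings, audit_records)."""
    log = []
    allowed, findings = evaluate(manifest, list(exceptions), today, log)
    return allowed, findings, log

if __name__ == "__main__":
    for m in (CLEAN, RISKY):
        allowed, findings, log = run_gate(m, WAIVERS)
        print(m["workflow_id"], "DEPLOY" if allowed else "BLOCKED", findings)
```

The exception check is deliberately scoped to one control and one workflow and carries an expiry, so a waiver granted for a single release cannot silently cover later deployments; the audit record keeps the approver alongside the control result, which is the evidence an audit team would pull instead of collecting it by hand.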