Policy as Code Engine for Preventive compliance management

  • Release version: Xanadu
  • Updated August 1, 2024

    Compliance managers map a control objective to a Policy as Code Engine (PaCE) policy. When the policy runs, PaCE calls GRC and passes the document reference and the PaCE policy for which exceptions need to be determined. Control owners can view the PaCE logs to see each compliance or non-compliance instance.

    With the increasing number of regulations that organizations must comply with, and equally increasing technology risks, organizations are obligated to integrate preventive controls into their digital workflows. For example, when a new software application is developed in a DevOps process, several IT policies and controls have to be implemented and validated to reduce technology risk.

    With Policy as Code Engine, you write your own custom code logic to validate a policy and integrate it into a deployable instance. The PaCE policy validates the code before it is committed to a deployable instance and checks it for compliance. If the code is non-compliant, the deployment is stopped. To integrate with GRC, the PaCE policy is added to a control objective using the Compliance Data Source Registry feature.

    Preventive compliance management through integration with PaCE prevents the compliance team, operations team, and DevOps engineers from performing non-compliant activities, and it lets them raise exceptions in advance when a business need justifies one.
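The gate described above (codified controls evaluated before a change is committed, deployment blocked on non-compliance, an approved exception allowing the workflow to continue, and a log for control owners) can be illustrated with a small generic policy-as-code engine. This is an added example and is not PaCE's own code or API; the control IDs, the change and exception record layouts, and the sample change and exception register are all hypothetical and constructed for the example.

```python
"""Generic policy-as-code gate (illustrative, not the PaCE API).

A change is evaluated against codified controls before deployment. A failed
control blocks the deployment unless an approved, unexpired exception covers
that control for that change. Every evaluation produces audit log lines.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Finding:
    control_id: str
    passed: bool
    detail: str
    exception_id: Optional[str] = None  # set when an approved exception covers a failure


# Credential-looking assignment: key name, separator, then 8+ non-space characters.
SECRET_RE = re.compile(r'(?i)(password|secret|api[_-]?key)\s*[:=]\s*["\']?[^\s"\']{8,}')


def ctl_no_hardcoded_secrets(change: dict) -> Tuple[bool, str]:
    """CTL-SEC-001 (hypothetical): no credential-like literals in changed files."""
    hits = [path for path, text in change["files"].items() if SECRET_RE.search(text)]
    if hits:
        return False, "secret-like literal in: " + ", ".join(hits)
    return True, "no secret-like literals found"


def ctl_independent_review(change: dict) -> Tuple[bool, str]:
    """CTL-CHG-002 (hypothetical): at least one approver who is not the author."""
    reviewers = [r for r in change["approvers"] if r != change["author"]]
    return bool(reviewers), f"independent approvers: {reviewers or 'none'}"


def ctl_pinned_dependencies(change: dict) -> Tuple[bool, str]:
    """CTL-SUP-003 (hypothetical): every declared dependency is pinned to an exact version."""
    unpinned = [d for d in change["dependencies"] if "==" not in d]
    if unpinned:
        return False, "unpinned: " + ", ".join(unpinned)
    return True, "all dependencies pinned"


CONTROLS: Dict[str, Callable[[dict], Tuple[bool, str]]] = {
    "CTL-SEC-001": ctl_no_hardcoded_secrets,
    "CTL-CHG-002": ctl_independent_review,
    "CTL-SUP-003": ctl_pinned_dependencies,
}


def covering_exception(exceptions: List[dict], control_id: str, change_id: str, today: date) -> Optional[str]:
    """Return the id of an approved, unexpired exception for this control and change, else None."""
    for exc in exceptions:
        if (exc["control_id"] == control_id
                and exc["change_id"] in (change_id, "*")
                and exc["status"] == "approved"
                and exc["expires"] >= today):
            return exc["id"]
    return None


def evaluate(change: dict, exceptions: List[dict], today: date) -> dict:
    """Run every control; a failure blocks unless an exception covers it."""
    findings = []
    for control_id, check in CONTROLS.items():
        passed, detail = check(change)
        finding = Finding(control_id, passed, detail)
        if not passed:
            finding.exception_id = covering_exception(exceptions, control_id, change["id"], today)
        findings.append(finding)
    blocking = [f.control_id for f in findings if not f.passed and f.exception_id is None]
    return {"change_id": change["id"], "allowed": not blocking, "blocking": blocking, "findings": findings}


def audit_log(result: dict) -> List[str]:
    """One line per control plus the final decision, for control owners and auditors."""
    lines = []
    for f in result["findings"]:
        status = "PASS" if f.passed else ("FAIL-EXCEPTED" if f.exception_id else "FAIL")
        line = f'{result["change_id"]} {f.control_id} {status} {f.detail}'
        if f.exception_id:
            line += f" exception={f.exception_id}"
        lines.append(line)
    lines.append(f'{result["change_id"]} DECISION {"DEPLOY" if result["allowed"] else "BLOCK"}')
    return lines


# Constructed sample input (hypothetical change and exception register, not real data).
SAMPLE_CHANGE = {
    "id": "CHG-1042",
    "author": "alice",
    "approvers": ["bob"],
    "files": {
        "app/config.py": 'DB_HOST = "db.internal"\nDB_PASSWORD = "Sup3rS3cretValue"\n',
        "app/main.py": "def handler(event):\n    return 200\n",
    },
    "dependencies": ["requests==2.32.3", "pyyaml"],
}
SAMPLE_EXCEPTIONS = [
    {"id": "EXC-7", "control_id": "CTL-SUP-003", "change_id": "CHG-1042",
     "status": "approved", "approved_by": "risk-team", "expires": date(2025, 1, 31)},
]

if __name__ == "__main__":
    for line in audit_log(evaluate(SAMPLE_CHANGE, SAMPLE_EXCEPTIONS, date(2024, 8, 1))):
        print(line)
```

With the sample input, the unpinned dependency is covered by the approved exception and is logged as FAIL-EXCEPTED, while the hard-coded credential has no exception and blocks the deployment. Exceptions are scoped to a control and a change and carry an expiry, so a lapsed exception reverts to a block rather than silently persisting.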

    Key features of this integration are:
    • Compliance is embedded in employee workflows to improve the overall employee experience.
    • Customers codify their controls and, based on the execution status, employees are informed if their action in the workflow would result in non-compliance.
    • In case of non-compliance, employees can request an exception based on a business requirement and continue with the digital workflow.
    Key benefits of this integration are:
    • Reduced reliance on employee training: Because the controls are embedded in the workflows, the amount of training employees have to go through is considerably reduced.
    • Automated reviews and compliance monitoring: Automated checks ensure that controls are not violated, reducing the need for manual reviews.
    • Automated audit logs: Audit and compliance teams can access the automated audit logs, which reduce manual audit work and evidence collection.
    • Lower risks and reduced violations: Continuous monitoring of controls minimizes the probability of violations.
    • Visibility: Provides real-time visibility of compliance status to stakeholders such as business, risk, and compliance teams.
    • Velocity: Increases the velocity of workflows, because employees can request an exception when there is a business need instead of having the workflow blocked.