|Click the image to see detail.|
What does this mean? How do we get there? Here's the short answer.
Assurance is the confidence in your ability to provide for the confidentiality, integrity, availability, and accounting of your systems (NIST). Getting your systems set up "in the cloud" is one thing. Doing it with the appropriate controls to enforce security and meet compliance requirements… That's another. Step up the maturity of your processes and maintain your security and compliance posture over time. Step it up further to provide actionable intelligence for proactive (automatic or manual) responses. Document everything. Details matter.
This has been discussed before, and this is an illustration that I created a few years ago. It came up again this week while discussing governance with a peer. Maintaining and governing systems requires work. It. Just. Does.
Automation is a great tool, but then, consider the details as well. What is your scope? Is it accurate? How much of it is automation cover? Who covers the rest? What about the business processes? Which ones are supportive of your endeavor? Which ones are antagonistic? What is an acceptable substantive change? According to what metrics? How do you measure your success?
It's difficult to do. It requires revisiting previously executed routines multiple times and measuring your results. Success is derived when you stop looking at this as a series of athletic sprints (not to be confused with agile processes). Set yourself up with the endurance to excel in ongoing operations.