OPEN CONTROL

The Open Control Architecture (OCA) “is an architecture for system control and connection management of media networks.” [3]. OpenControl was initially created to ensure that security controls were documented, although its importance in establishing compliance with legal requirements is arguably greater. A complete System Security Plan can be created using OpenControl content schemas and tools. The three main security processes which should be adhered to are [4]:

• System Security Plans (SSPs).
• Requirement Traceability Matrices (RTMs), from which a bill of materials can be created.
• Security Assessment Plans (SAPs), in which the configuration of system elements is validated against compliance requirements.

In the authors' view the use of OpenControl is crucial due to the fast pace of the DevOps pipeline, the increasing use of IoT devices within company networks and the continuous change to laws and regulations. In order to apply automated compliance documentation for this research, the Compliance Masonry tool was selected.

A. Tool Selection

When considering which tool to use it was necessary to first investigate the available tools. Many of the tools listed as RegTech tools focus on a narrow set of reporting capabilities targeted directly at traditional devices. However, there are a number of tools which focus on evaluating compliance with laws or regulations, or indeed on generating documentation to demonstrate compliance. This work focuses initially on the generation of documentation based on the European regulations. Blueprint, ADAudit and Qualio were certainly interesting, but they are commercial products and do not allow for the adaptation we required.

B. Compliance Masonry

Compliance Masonry is open source software which we could adapt to the needs of this project.
The nature of the tools under the umbrella name of Compliance Masonry enables teams to “restructure the process of writing, updating, and reviewing compliance documentation.” [3]. A document of structured data can be worked on by the team and then formatted in different ways by the automated system. This flexibility of adaptation enables documentation to be restructured to suit reporting not only for legal requirements but also for standardisation groups. Again, the inclusion of IoT devices in the network may require the generation of documentation to demonstrate compliance with best practices such as COBIT. Creating a System Security Plan is often repetitive, and much of the required information can be inherited from the system [3]. The process of generating documentation is simplified because Compliance Masonry takes multiple YAML files as input and produces output as an HTML website and a PDF document as required. The author feels that Compliance Masonry is a very useful and relevant tool set, as it removes repetitive work and adds consistency. The additional benefits of knowledge management should not be discounted. Understanding risk and the processes to mitigate it form a large part of security systems; thus having automatically generated websites on which to update such information enhances the overall security of a company. The image below shows an Inputs section and an Outputs section with Compliance Masonry in the middle.
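As an added illustration of the RTM and SAP processes above (not code from the paper or from the Compliance Masonry project), the following script builds a traceability matrix from data shaped like parsed OpenControl component.yaml files and reports the gaps an assessor would want to see. The field names (satisfies, standard_key, control_key, narrative) are assumed to match the OpenControl component schema; the component data and the required control list are constructed for the example.

```python
from collections import defaultdict

# Constructed sample: what a YAML loader would return for two component.yaml
# files. Field names follow the OpenControl component schema (assumed).
COMPONENTS = [
    {
        "name": "IoT Gateway",
        "satisfies": [
            {"standard_key": "GDPR", "control_key": "Art.32",
             "narrative": [{"text": "Telemetry is encrypted in transit with TLS 1.2+."}]},
            {"standard_key": "NIST-800-53", "control_key": "AC-2",
             "narrative": [{"text": "Gateway accounts are provisioned via the central IdP."}]},
        ],
    },
    {
        "name": "Audit Log Service",
        "satisfies": [
            {"standard_key": "NIST-800-53", "control_key": "AU-2",
             "narrative": [{"text": "All API calls are logged with actor and timestamp."}]},
            # Control is claimed but no narrative is written: no evidence for the SAP.
            {"standard_key": "GDPR", "control_key": "Art.32", "narrative": []},
        ],
    },
]

# Constructed certification: the (standard, control) pairs the assessment requires.
REQUIRED = {("GDPR", "Art.32"), ("GDPR", "Art.33"),
            ("NIST-800-53", "AC-2"), ("NIST-800-53", "AU-2")}


def build_rtm(components):
    """Requirement traceability matrix: (standard, control) -> component names."""
    rtm = defaultdict(list)
    for comp in components:
        for sat in comp.get("satisfies", []):
            rtm[(sat["standard_key"], sat["control_key"])].append(comp["name"])
    return dict(rtm)


def find_gaps(components, required):
    """Return (controls no component claims, claims that carry no narrative text)."""
    rtm = build_rtm(components)
    unclaimed = sorted(ctrl for ctrl in required if ctrl not in rtm)
    no_narrative = [
        (comp["name"], sat["standard_key"], sat["control_key"])
        for comp in components
        for sat in comp.get("satisfies", [])
        if not any(n.get("text", "").strip() for n in sat.get("narrative", []))
    ]
    return unclaimed, no_narrative
```

Running find_gaps on the sample flags Art.33 as unclaimed and the Audit Log Service's empty Art.32 entry as lacking evidence, which is the kind of finding the SAP step is meant to surface before the SSP is generated.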
NEED FOR OPEN COMPLIANCE

In order for a company to use legal compliance documentation tools it is important that the legal framework is understood by the company. The company should have a list of best practices and current company policies. If a process is new, it may be necessary to get legal guidance on the applicability of the law or regulation. The company risks lawsuits and bad public relations if it does not follow licensing and other laws. A survey called the Future of Open Source survey was carried out in 2015. In this survey, 60% of companies said that they use open source software. The same survey established that the majority of companies do not have anything in place to ensure that the correct licensing and regulations are being met. Free and Open Source Software (FOSS) compliance should be considered as part of the Risk Plan. A FOSS compliance program may have an “Open Source Review Board” (OSRB) [5], which can be part of the legal compliance considerations for the automated system. In the authors' opinion, compliance with legal documentation arises from many risk areas and is a greater risk when open source is being used without careful consideration.