Fast, secure and rule-compliant IT solutions through automation

IT compliance: Optimize development and manufacturing processes without breaking existing rules.

Author: Cyrill Rüttimann

The exhaust gas scandal around diesel vehicles is a good example to explain compliance. In order to bring innovations to market faster than the competition, the efficiency of the development and manufacturing process is being optimized. At the same time, however, car manufacturers have to comply with increasingly strict regulations. This slows processes down and makes them more expensive.

VW has undermined compliance by interpreting the rules differently and deliberately violating them. The challenge of compliance is the same for all industries. Only the degree of competition and the respective rules are different. Examples of regulatory requirements and best practices that affect IT infrastructure:

  • PCI in the financial sector
  • SOX in the financial sector
  • HIPAA in the medical sector
  • CIS, best practices for cyber security

Agile software development accelerates the development of solutions

Agile software development is the recognized instrument for reacting quickly to customer needs. Whereas development cycles used to take months or years, today they take days or weeks. However, agile software development offers no answer for integrating non-functional requirements from operations or security. Agile software development is only one discipline in the entire development process.

Figure 1: The development process to transform an idea into a solution involves several teams and disciplines. Operations or security must also contribute to the solution. The later they enforce their requirements, the more expensive the solution becomes and the later it can be delivered.

Compliance is a brake pad

A solution is compliant if it complies with the rules. For this purpose, the solution or product is subjected to an audit, in which compliance with the set of rules must be proven. These are complex and manual processes. One reason for this is that rules in written form can be interpreted differently. And each time the set of rules or the solution is adapted, these processes must be run through again. This counteracts the achievements of agile software development. Compliance is seen as a brake and a hindrance.

Taking compliance seriously

The exhaust gas scandal has shown that circumventing compliance can have serious consequences. The loss of image and record-high fines can drive a company into bankruptcy in a very short time and destroy its stock market value. Have you ever wondered whether your products and services are really compliant? Or has compliance been consciously or unconsciously undermined to give preference to speed? Believe me, the next audit is bound to come. And someone must take responsibility for any violations that are discovered.

Integration of compliance into the development process: Fast development without breaking the rules

With the Chef Compliance solution, ensuring compliance of the IT infrastructure can be integrated automatically into the development process. With this solution, the compliance check and audit are carried out automatically each time the product is adapted. A dashboard visualizes the results of the automated compliance checks.

Figure 2: The dashboard of Chef Compliance visualizes the status of the IT infrastructure with regard to compliance.

The implementation takes place in four steps:

  1. Analysis - Analyse the set of rules and regulations and derive the rules the company has to fulfil. Each rule describes a desired state.
  2. Specification - Express the desired state in a formal language. The results are formal rules.
  3. Testing - The formal rules are executed as automated tests against the system under development. The tests show where compliance is not fulfilled. Several development cycles follow until compliance is achieved.
  4. Certification - The compliance review is performed based on the tests. The release is done manually or automatically.
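As an added illustration of steps 2 and 3 (not code from the original article or from Chef, whose Chef Compliance product expresses such rules as InSpec profiles), here is a self-contained Ruby stand-in: a handful of CIS-style SSH hardening rules written as data rather than prose, executed as a test against a constructed sshd_config. The rule ids, titles and the sample configuration are constructed for this example.

```ruby
# Added example, not from the article or from Chef: a minimal rule-as-test
# evaluator. Real Chef Compliance profiles are InSpec controls; this stand-in
# only models the idea that a formal rule leaves no room for interpretation.

# Constructed sample standing in for the system under test (step 3).
SAMPLE_SSHD_CONFIG = <<~CFG
  # constructed sample, not a real host
  Port 22
  Protocol 2
  PermitRootLogin yes
  PasswordAuthentication yes
  X11Forwarding no
CFG

# Parse "Keyword value" lines, dropping comments. For each keyword the first
# value wins, which is how sshd itself reads its configuration.
def parse_sshd_config(text)
  text.each_line.with_object({}) do |line, cfg|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value
  end
end

# Step 2: the desired state as formal rules (ids and titles are constructed,
# CIS-style, not quoted from any benchmark).
SSHD_RULES = [
  { id: 'ssh-01', title: 'SSH protocol 2 only',         key: 'protocol',               expect: '2'  },
  { id: 'ssh-02', title: 'Root login disabled',         key: 'permitrootlogin',        expect: 'no' },
  { id: 'ssh-03', title: 'Password authentication off', key: 'passwordauthentication', expect: 'no' },
  { id: 'ssh-04', title: 'X11 forwarding disabled',     key: 'x11forwarding',          expect: 'no' },
].freeze

# Step 3: run every rule against the parsed state and report per rule.
# A keyword that is absent fails: an unset value is not a proven one.
def evaluate(rules, cfg)
  rules.map do |r|
    actual = cfg[r[:key]]
    { id: r[:id], title: r[:title], expected: r[:expect], actual: actual,
      passed: !actual.nil? && actual.casecmp?(r[:expect]) }
  end
end

def compliant?(results)
  results.all? { |r| r[:passed] }
end

results = evaluate(SSHD_RULES, parse_sshd_config(SAMPLE_SSHD_CONFIG))
results.each do |r|
  detail = r[:passed] ? '' : " (expected #{r[:expected]}, got #{r[:actual].inspect})"
  puts format('%-4s %-7s %s%s', r[:passed] ? 'PASS' : 'FAIL', r[:id], r[:title], detail)
end
puts(compliant?(results) ? 'COMPLIANT' : 'NOT COMPLIANT')
```

Run as a script it prints two failures for the constructed sample (root login and password authentication are enabled); the same rules re-run unchanged after every adjustment, which is the point of step 3.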

This approach enables all parties involved (software developers, system engineers, security engineers) to implement compliance according to clear rules. Automation makes it possible to test the impact of adjustments on compliance at any time with minimal effort. The compliance officer is elevated to a new role: he is no longer the unpopular policeman who takes manual random samples and reacts to compliance violations after the fact. Instead, he proactively specifies rules to ensure that the development process reliably meets compliance in the long term.

The result

Development and manufacturing processes are optimized without breaking existing rules. The consequences of the VW scandal observed in recent months show what can be avoided in this way.