Compliance as Code: Embedding Audit Readiness into Enterprise Software Delivery

Authors

  • Divya Bonthala, Senior AI Platform Architect, USA

DOI:

https://doi.org/10.15662/IJEETR.2022.0402004

Keywords:

Compliance as Code, Audit Readiness, Software Compliance, Continuous Delivery, Enterprise Software, Automated Compliance

Abstract

In enterprise software delivery, compliance is typically a separate step performed after development. This results in heavy manual effort, lax implementation of controls and wasted time during audits. As system complexity and regulatory pressure grow, traditional compliance techniques may no longer be adequate. This paper presents Compliance as Code, a method that embeds compliance rules into the software delivery pipeline. Compliance requirements are expressed as runnable rules and executed automatically during the build, test and deployment phases. A qualitative pre-post study was carried out in a large organization. The findings indicate an 81.4 percent decrease in the time spent on manual audit, with audit time reduced to 78 hours from 420 hours. Compliance consistency rose to 94 percent from 61 percent, and the auditor confidence rating grew to 4.6 on a five-point scale. This evidence indicates that Compliance as Code substantially enhances audit readiness and supports efficient and reliable software delivery.
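The abstract describes compliance requirements as runnable rules executed per delivery phase. The following added example (not the paper's framework, and not code from the authors) shows one way that shape can look in practice: each rule carries a stable identifier, is bound to a phase, and every evaluation produces an evidence record an auditor can review, with a gate that blocks the phase on any failure. The rule identifiers, context keys and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Rule:
    rule_id: str                   # stable id an auditor can map to a control
    phase: str                     # "build", "test" or "deploy"
    description: str
    check: Callable[[dict], bool]  # the requirement, as runnable code

@dataclass
class Evidence:
    rule_id: str
    phase: str
    passed: bool
    detail: str

# Constructed pipeline context (hypothetical keys): what a job knows about the release.
SAMPLE_CONTEXT: Dict[str, dict] = {
    "build": {"artifact_signed": True, "sbom_present": True},
    "test": {"secrets_scan_findings": 0, "unit_coverage": 0.83},
    "deploy": {"env": "prod", "change_ticket": "", "tls_min_version": "1.2"},
}

RULES: List[Rule] = [
    Rule("CC-BLD-01", "build", "artifact is signed", lambda c: c["artifact_signed"]),
    Rule("CC-BLD-02", "build", "SBOM generated", lambda c: c["sbom_present"]),
    Rule("CC-TST-01", "test", "no secrets in source", lambda c: c["secrets_scan_findings"] == 0),
    Rule("CC-TST-02", "test", "unit coverage >= 80%", lambda c: c["unit_coverage"] >= 0.80),
    Rule("CC-DEP-01", "deploy", "prod release has change ticket",
         lambda c: c["env"] != "prod" or bool(c["change_ticket"])),
    Rule("CC-DEP-02", "deploy", "TLS 1.2 or newer", lambda c: c["tls_min_version"] in ("1.2", "1.3")),
]

def run_phase(phase: str, context: Dict[str, dict], rules: List[Rule] = RULES) -> List[Evidence]:
    """Evaluate every rule bound to this phase; each result is an evidence record."""
    evidence: List[Evidence] = []
    for rule in rules:
        if rule.phase != phase:
            continue
        try:
            passed = bool(rule.check(context.get(phase, {})))
            detail = "ok" if passed else "failed: " + rule.description
        except (KeyError, TypeError) as exc:  # missing data is a failure, never a silent pass
            passed, detail = False, f"error: {exc!r}"
        evidence.append(Evidence(rule.rule_id, phase, passed, detail))
    return evidence

def gate(evidence: List[Evidence]) -> bool:
    """Pipeline gate: the phase may proceed only if every rule passed."""
    return all(e.passed for e in evidence)
```

With the sample context, build and test pass while deploy is blocked by CC-DEP-01 (missing change ticket), and the evidence list for each run is what would be retained for the audit.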

Published

2022-03-09

How to Cite

Compliance as Code: Embedding Audit Readiness into Enterprise Software Delivery. (2022). International Journal of Engineering & Extended Technologies Research (IJEETR), 4(2), 4617-4624. https://doi.org/10.15662/IJEETR.2022.0402004