Automating Governance: Shauneel Kumar (Head of IRAP Services & Endorsed ASD IRAP Assessor) Perspective
Shauneel Kumar
Head of IRAP Services at Mantel Group. IRAP Assessor, CISSP, CISM, CISA, ISO27001 Senior Lead Auditor, PCI DSS Lead Implementer, RHCSA, GSEC, ITILv4, PRINCE2, SAFe Agile, DOFD, Azure Fundamentals
As an Australian Signals Directorate (ASD) endorsed IRAP (Information Security Registered Assessors Program) assessor, I evaluate how well organisations meet the Australian Government's security standards, the Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF), and the controls within those standards. In today’s fast-paced digital world, using automated governance frameworks has become essential. These frameworks improve our audit and assessment processes and strengthen overall security. However, it’s important to remember the role of people in this equation. Below, I outline the key benefits of automating governance from an IRAP assessor's perspective while emphasising the importance of human involvement in the process.
1. Enhanced Efficiency
Automating routine tasks such as data collection, compliance reporting, and preparing documentation packs—including the Statement of Applicability, policies, and procedures—significantly accelerates the assessment process. This automation allows personnel to fast-track evidence gathering and documentation preparation, freeing them up to focus on more strategic activities, such as implementing the processes in practice.
2. Improved Accuracy
Human error is an inevitable part of manual processes. Automation reduces this risk by ensuring that data is consistently accurate. However, it remains essential for auditors and organisations to regularly review automated outputs to confirm their relevance and reliability.
3. Real-Time Monitoring
With automated tools, we can continuously monitor the implementation of security controls within systems and organisations. This means we can spot issues as they happen instead of waiting for scheduled audits. This proactive approach helps organisations address gaps immediately, fostering a stronger security environment.
4. Better Tracking of Security Controls
Automated governance helps us keep track of evidence related to security controls. These systems can capture and store information about how effective these controls are, making it easy for us to access this information during audits. However, this tracking is only effective if the team actively validates it to ensure the controls are properly implemented.
5. Moving Beyond Tick-and-Flick
Many organisations view governance and compliance activities as mere tick-and-flick exercises to meet certain controls. Automated governance allows organisations to obtain a holistic view of the controls implemented within their environment. It promotes ongoing monitoring, helping organisations understand their current state of security control implementation and overall risk.
However, a common issue is that after completing an assessment, organisations often forget about the security controls they’ve implemented. They may not regularly check whether these controls are still effective or if the associated risks are being properly managed. Changes in architecture or systems can alter how certain controls function; controls that were once effective may no longer provide the necessary protection.
This highlights the importance of ongoing governance. Automation plays a crucial role in this process, as it helps organisations continuously monitor and assess their controls, ensuring they adapt to any changes and remain effective over time. By embracing automated governance, organisations can stay one step ahead of potential threats and maintain their certifications and attestations.
6. Embedding Security in Development
By integrating automated governance into software development, we can ensure that security controls are part of the design and development process from the very beginning. This approach prevents security from being an afterthought. Making changes after a solution is built can be costly and time-consuming. By embedding these controls early, we create more secure solutions, save costs and reduce risks.
Additionally, embedding audit readiness in the continuous delivery (CI/CD) process means development teams can focus on innovation without worrying about compliance issues. This integration ensures that compliance monitoring is continuous, detecting any deviations from required controls in real time. For auditors, this creates a more streamlined audit process, as automated audit trails provide clear evidence of compliance at every stage of deployment. This not only reduces the burden on development teams but also enhances the reliability of the assessments.
7. The Human Factor: Review and Engagement
While automation provides significant benefits, the human element remains crucial in the process. Organisations must regularly review and validate the automated outputs to ensure that frameworks are being followed and that the security control objectives are actually being achieved. Frameworks like the Information Security Manual (ISM) include substantial governance components beyond the technical aspects of the system. While it’s possible to automate policy and procedure development, it is critical that the human factor drives the actual implementation of these processes within the organisation. This may include enforcing physical access controls (e.g. preventing piggybacking or unauthorised visitor access), implementing incident reporting or break-glass account procedures, and monitoring personnel performance against their responsibilities. Without this human involvement, even the best-designed automated systems can fall short, highlighting the need for a balanced approach that combines technology with active participation from personnel.
Humans play a vital role in ensuring that the automation is applied correctly to the inputs it receives. This includes validating the data being fed into automated systems and ensuring that the context is understood. Without human oversight, automated processes may operate on incorrect or incomplete information, which can lead to ineffective controls. People are essential in translating automated data into actionable steps for better security, making it imperative to maintain a balance between technology and human involvement in governance.
8. Adoption of Modern Frameworks
Open Security Controls Assessment Language (OSCAL) is an initiative by the National Institute of Standards and Technology (NIST) aimed at standardising the documentation, assessment, and continuous monitoring of security controls in information systems. Organisations like NIST and ASD have already released OSCAL versions of their standards, recognising the need for automation in Governance, Risk, and Compliance (GRC). The days of manually preparing documentation packs, policies, procedures, and recording evidence are over. It's time to embrace automation to enhance our GRC processes and stay current with the rapid digital changes ahead. This will facilitate more efficient and automated security assessments, reduce errors and inconsistencies, and improve the speed at which new frameworks or regulations can be implemented into an organisation’s infrastructure and systems.
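As an added illustration of what a machine-readable control format makes possible (this is my own example, not code from the article, NIST or ASD): once a catalog and a System Security Plan (SSP) both exist as OSCAL JSON, a few lines of Python can cross-check them and flag catalog controls that no implementation statement addresses, implementation statements that reference a control id the catalog does not contain (a stale or mistyped id), and duplicated statements. The JSON shapes below follow the OSCAL catalog and SSP layouts as I understand them (catalog → groups → controls, nested controls allowed; system-security-plan → control-implementation → implemented-requirements → control-id); treat the exact field names as an assumption and validate against the published OSCAL schemas before relying on them. All control identifiers, titles and UUIDs are constructed sample data, not ISM controls.

```python
"""Cross-check an OSCAL-style control catalog against an OSCAL-style SSP.

Added example, not from the article or from NIST/ASD. Field names follow the
OSCAL catalog and system-security-plan layouts as the author of this example
understands them; treat that shape as an assumption. All ids are constructed.
"""
import json
from typing import Dict, Iterator, List

# Constructed sample catalog: two groups, one control with a nested child.
SAMPLE_CATALOG = json.dumps({
    "catalog": {
        "uuid": "00000000-0000-4000-8000-000000000001",
        "metadata": {"title": "Example catalog (constructed)", "version": "1.0"},
        "groups": [
            {"id": "grp-access", "title": "Access control",
             "controls": [
                 {"id": "ex-1", "title": "Accounts are approved before creation"},
                 {"id": "ex-2", "title": "Privileged access is reviewed",
                  "controls": [
                      {"id": "ex-2.1", "title": "Review occurs at least quarterly"}]},
             ]},
            {"id": "grp-ir", "title": "Incident response",
             "controls": [
                 {"id": "ex-3", "title": "Incidents are reported within 24 hours"}]},
        ],
    }
})

# Constructed sample SSP: ex-3 is never addressed and ex-9 is not in the catalog.
SAMPLE_SSP = json.dumps({
    "system-security-plan": {
        "uuid": "00000000-0000-4000-8000-000000000002",
        "control-implementation": {
            "description": "Example implementation statements (constructed)",
            "implemented-requirements": [
                {"uuid": "00000000-0000-4000-8000-0000000000a1", "control-id": "ex-1",
                 "description": "Account requests are approved in the service desk tool"},
                {"uuid": "00000000-0000-4000-8000-0000000000a2", "control-id": "ex-2",
                 "description": "Privileged group membership is exported and reviewed"},
                {"uuid": "00000000-0000-4000-8000-0000000000a3", "control-id": "ex-2.1",
                 "description": "Review ticket raised by a quarterly scheduled job"},
                {"uuid": "00000000-0000-4000-8000-0000000000a4", "control-id": "ex-9",
                 "description": "Stale statement left over from an older catalog version"},
            ],
        },
    }
})


def iter_controls(node: dict) -> Iterator[dict]:
    """Yield every control under a catalog/group/control, descending into
    nested groups and nested controls."""
    for group in node.get("groups", []):
        yield from iter_controls(group)
    for control in node.get("controls", []):
        yield control
        yield from iter_controls(control)


def catalog_controls(catalog_json: str) -> Dict[str, str]:
    """Map control id -> title for every control in the catalog."""
    root = json.loads(catalog_json)["catalog"]
    return {c["id"]: c.get("title", "") for c in iter_controls(root)}


def ssp_control_ids(ssp_json: str) -> List[str]:
    """List the control ids the SSP claims to implement (duplicates kept)."""
    ssp = json.loads(ssp_json)["system-security-plan"]
    reqs = ssp.get("control-implementation", {}).get("implemented-requirements", [])
    return [r["control-id"] for r in reqs]


def coverage_report(catalog_json: str, ssp_json: str) -> dict:
    """Reconcile catalog and SSP: what is covered, missing, unknown or duplicated."""
    controls = catalog_controls(catalog_json)
    claimed = ssp_control_ids(ssp_json)
    claimed_set = set(claimed)
    return {
        "catalog_controls": len(controls),
        "implemented": len(claimed_set & set(controls)),
        "missing": sorted(cid for cid in controls if cid not in claimed_set),
        "unknown": sorted(cid for cid in claimed_set if cid not in controls),
        "duplicates": sorted({cid for cid in claimed if claimed.count(cid) > 1}),
    }


if __name__ == "__main__":
    report = coverage_report(SAMPLE_CATALOG, SAMPLE_SSP)
    print(json.dumps(report, indent=2))
    # The "missing" and "unknown" lists are exactly the gaps an assessor would
    # otherwise find by reading the SSP line by line against the catalog.
```

Run on a real catalog and SSP, the same reconciliation can be a CI step that fails a build when a control loses its implementation statement, which is the continuous-monitoring behaviour described above in practice rather than on paper.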
9. Data Analytics Capabilities
With automation, we can use data analytics to gain insights from large amounts of data. This helps us identify trends and potential risks, guiding organisations in their risk management efforts.
10. Documentation and Traceability
Automated systems maintain detailed logs of all audit activities, enhancing accountability. This makes it easier to look back at previous actions and gather evidence. However, it’s crucial for teams to adhere to the documented policies and processes to ensure that the operational effectiveness of the controls and processes is properly maintained.
11. Scalability
As organisations grow, their compliance and governance needs can become more complex. Automated governance frameworks can expand alongside these changes, allowing us to adjust our audit processes without losing effectiveness.
Conclusion
From my experience as an IRAP assessor, integrating automation into governance practices is not just a trend—it’s a necessity. It allows us to conduct assessments that are thorough, efficient, and accurate. However, without active human involvement in reviewing outputs and applying governance processes and frameworks in practice, vulnerabilities will persist. While automation is crucial, we must not overlook the important role that people play in securing our digital environments. Combining technology with human oversight will be essential to navigate the challenges of information security successfully.
A/Director of Offensive Security, Service NSW | Co-Founder, ThreatCanary | CNCF TAG Security Tech Lead
3 months
Thank you for sharing my vision! With a little more work we can make it a reality :) Right now a maturity model is being worked on to make this more accessible. See you on the next automated governance working group meeting!
Visionary / Inventor and CEO at Kickin'Inn Australia ( Entrepreneur, Media Commentator, Philanthropist, Public Speaker, Mentor & Academic )
3 months
Well done. You will be a great consultant to companies / businesses that require this in-depth security protection, given the growing risks.
Network Engineer Intern at Cisco | 3x Microsoft Certified | Security+ | Ex-Nurse
3 months
Such an insightful read!