The SeCube Compliance module supports a company's audit and compliance activities. Using the Compliance module, compliance with numerous predefined international information security standards and regulations, freely arranged company regulations, and audit requirement catalogues can be examined, administered, and regularly revised (internal audit), and a planned management of discrepancies can be implemented. Based on the tests and audits, detailed compliance and audit reports can be produced, along with action plans for shortcomings.
- Compliance and audit planning and assessments based on legislation, standards, and the company's own catalogue of requirements (Compliance)
- The integrated and continuous management of deviations (Compliance)
SeCube's modular structure also allows individual modules to be used on their own, according to requirements.
The requirement list(s) and audit packages launched in the Compliance module can be freely compiled:
- Own, freely compiled requirement lists can be developed (e.g. company or parent company requirements and regulations, information security regulations, supplier requirements, audit requirements, etc.).
- Template requirement packages are also available (legal requirements and standards).
More than 40 template requirement packages are available; their change management is provided by product support. ISO 27001 and the Information Security Act (OVI-SZVI) are special use cases. Legal and standard families:
- ISO/IEC HU & ENG
- MNB [National Bank of Hungary] recommendations, PCI, SWIFT
- Information Security Act and Critical Systems Act (OVI and SZVI)
- NIST, CIS, CSA
Audits mean the systematic revision and management of compliance with requirements.
Audit packages and requirement lists can be planned freely, compiled from templates, or created from the company's own requirements.
The resource scope and operating method of audit packages can be set flexibly. Evaluations can be:
- simple compliance assessments
- assessments per resource (e.g. per area, system, process, etc.)
- evaluations based on classifications / groupings
- Information Security Act OVI and SZVI official operations
Numerous audit packages can be planned and run concurrently; they can be compiled into audit plans.
Audit packages can be assigned to responsible persons and evaluators. Controls, evidence, and deficiencies (with parameterizable classification) can be recorded in the course of evaluation.
Analysis reports and exports can be prepared for the evaluation results, including comprehensive Audit reports in Word format.
Validation assessments check the consistency of evaluations.
The integrated and continuous management of audit deviations
The findings, deficiencies, and deviations identified by the assessment are collected in the Corrective measures function. Here, the corrective measures for managing them can be planned per package or in an integrated manner. Responsible persons and statuses can be assigned to the measures, with email reminders.
Compliance with requirements can be reviewed regularly, periodic audit operations can be performed, and audit results can be stored.
The implementation of measures can be tracked and managed with task manager functions, and their results can be traced back to the audit packages to support the organization in continuous compliance management.
Detailed past, current, and future reports on the status of compliance at the organization can be prepared based on the evaluation information and measure statuses.
- Audit, compliance, and gap analysis reports, Audit reports
- Discrepancies report
- Action plans, current and future reports
- Detailed exports required under the Act on Information Security and the related decree (OVI, SZVI)