Continuous compliance requires us to distill our learned knowledge into a few tools that automate the compliance process, so that a manager can know when systems drift from compliance with the consistency of a programmatic standard. The manager must be able to generate not just status reports on systems, but a document that is the accepted configuration standard for each deployed system. The generated document must be acceptable proof of each system's compliant configuration and a guide that keeps systems compliant. The tool(s) must be acceptable proof of compliance: we intend that the auditor or QSA assessor will accept it as an artifact of compliance. To this end, Adaptive Compliance has developed a certification standard for continuous compliance tools.
As security consultants and PCI Qualified Security Assessors, we have long recognized that compliance is pure overhead. Compliance draws costly technical talent from production to meeting compliance deadlines. We don't think this should happen anymore, so we are doing something about it. We are not only developing the process of continuous compliance, we are actively searching for tools and technology that do it, and then we test those tools. If a tool meets all of our criteria, we list it on this site as certified to meet security and continuous compliance.
After performing many PCI assessments and assisting merchants with breaches in cardholder data environments, we have learned a thing or two about security and compliance. Our experience has taught us that compliance must be a byproduct of security, given the growing number of breaches and the ever-increasing burden of regulatory compliance.