What is K2 Compliance?
As its primary purpose, K2 Compliance is a BPO resource that gives an organization the ability to create, deploy, measure, analyze, and improve processes to mitigate the risk associated with daily efforts and actions performed in order to protect sensitive information. Executive leadership is provided with transparency and oversight to control these newly honed processes.
Compliance Technology Introduction
ConnectPlus is a relational database management tool that allows Etactics to build and deliver custom software solutions that map almost any business environment. Each database is no more than a collection of tables related to one another that produces a screen for vendors, workforce members, policies, risk assessments and other mission-critical activities that must be managed within the given environment. On top of the basic architecture of the application, custom tools for various tasks, like report generation are added. Finally, automation is introduced to all possible mechanisms to provide maximum efficiency.
Because the K2 Compliance application is built on this foundational technology, wholly developed and owned by Etactics, we are able to infinitely customize the tool to meet the needs of our customers with minimal development and coding. ConnectPlus acts as the backbone for K2 Compliance, which will allow Etactics to deliver a truly exceptional custom application to the customers they serve.
ConnectPlus is where much of the building block technology for K2 Compliance lives. This includes our custom permissions engine, allowing for record level, read, write, access and delete permissions, field level encryption ensuring the security of our customer's most sensitive data and our full library of APIs and other integration technology. These along with other technologies are all available for the specific deployment of K2 Compliance.
ConnectPlus gives K2 Compliance the backbone that allows Etactics to deliver a truly exceptional custom application to its customers.
3rd Party Integrations
Etactics specializes in the processing of both structured and unstructured data received from countless third party sources. Complex business rules are written and applied to the data bringing life to it within many of our SaaS-based applications.
The technology platform that supports K2 Compliance will afford us the opportunity to parse reports like a D&B Business Information Report, Shared Assessment SIG report (full, lite or core), or any other outside vendor report. The application will support the functionality to link any third party vendor report to corresponding vendor record within K2 Compliance but also isolate pertinent data points and place them into the system as discrete fields.
Potential scenarios would include but are not limited to:
Parsing the report or data file
Maturity and additional information fields from the Risk Domain tab on a full SIG report to show on the vendor record inside of K2 Compliance so a user would not have to open the SIG report to see the information.
Auto-launching a ticket if the Financial Strength score on a D&B report is below a CC so a user of the system can review that vendor.
Etactics receives and transmits nearly half a million of transactions on a daily basis. The origins of these processed data records stretch across hundreds of different integrated software applications that are utilized by our clients. These data feeds are established using a variety of different methodologies such as:
RESTful API calls, both push and pull
SFTP file transmission
Direct upload to the secure web portal
As a software development company specializing in data processing and management, Etactics integrates with hundreds of third party software tools to deliver solutions to our clients. These integrations consist mainly of data flows back and forth between applications. Etactics delivers all solutions on open sourced architecture designed to be as agnostic as possible in regards to data source. Our business model embraces the opportunity to integrate with any third party tool that is willing to reciprocate the same. Examples of successful established integrations with network monitoring tools include Nessus and Nagios along with hundreds of other software vendors such as SAP, Google Apps, Microsoft 365 and many others.
CMDB/Asset Management Integration
We have experience receiving and incorporating data from several CMDB providers and vulnerability scanners, including Nagios, Nessuss, FMAudit, ConnectWise and others. Additionally, K2 Compliance has a an Asset Management module which works in conjunction with Risk Assessment tools to provide a snapshot of the Asset Management from a Compliance point of view at any given time. K2 Compliance also makes all data exportable and where necessary accessible from API calls for other applications to use as well.
Ticketing System Integration
Much like all of the other integration issues listed within the RFI, K2 Compliance accepts data from any source using whatever method that source is willing to use. K2 Compliance has its own unique ticketing system which data can be incorporated into, or ticketing data from another source is brought into its own module in the system for informational purposes. Further, data and actions within K2 Compliance can be used to update tickets in other applications via API or by another method identified by the customer
Identity Management Integration
K2 Compliance has robust abilities to tailor access based on roles granted to users. Since its inception in 1999, Etactics has integrated with more than a with hundreds of third party. As long as a vendor is willing to work with us and able to export data in universally accepted file format, then integration is seamless and easily accomplished.
Microsoft Active Directory
Etactics has accomplished two different integration scenarios with Microsoft’s Active Directory.
The first scenario pertains to how our internal applications use the Active Directory to verify user credentials and an account’s group membership for authorization. In this scenario, an application server has access to Active Directory or its LDAP replica.
The second integration scenario utilizes claim based permissions that are submitted to our application from Federated Active Directory services via SAML2 or OpenID assertions. These certify that the account was authenticated and contains security group membership information.
Authentication & 3rd Party Plugins
Vendor Risk Management
Like all attachments uploaded to K2 Compliance, contracts are securely stored and easily accessible. The native relationship technology allows you to include contracts on multiple locations inside K2 Compliance to maximize efficiency. Each contract has both a base record and the option for a dedicated contract workspace. The base record contains core fields that are considered universally valuable (dedicated fields for the particular type of contract can also be deployed). The contract workspace enables the deployment of the application's task management functionality to ensure that proper processes and notifications are deployed from contract negotiations to contract termination.
Vendor performance management
K2 Compliance possesses robust Vendor Management capabilities in its default offerings. Provided, however, a normal deployment of K2 Compliance does not include Vendor Performance Management as a default offering. Nonetheless, the malleability of the platform lends itself to being able to effectively track the core fields of Vendor Performance Management because they are quantitative in nature (i.e. data and input driven). Through the tailoring process of the solution to your company, the ability to effectively deploy Information Requests along with added fields would produce a quality Vendor Performance Management offering.
Risk & Control Assessment
K2 Compliance allows for the creation and tailoring of risk analysis and control assessments for your Vendors. The technology used to actualize this plan is the application's Information Request technology. Essentially, you can decide what questions to ask each vendor and what score to attach to each question. You can send these questionnaires based on industry, importance tier, or by a multitude of other options.
Threat & Vulnerability Management
Support customer scoring & prioritization
K2 Compliance was designed to be both flexible and customizable. The priorities and methods used to calculate risk vary between vertical markets. Organizations can easily change the scoring methods during the risk assessment process on a project to project basis. The mitigating effect a particular control possesses can be altered based on the priorities of an organization. Some may regard Access Controls to be the most important while others focus on policy, etc. We recognize the importance of custom scoring and prioritization and have developed the application to support this functionality.
Correlation of Data From Multiple Sources
Processing data is a core component of K2 Compliance and the rest of the Etactics software solutions. As a result, the open source technology that supports K2 Compliance provides many avenues to establish data feeds from outside vendor applications. However, it goes beyond just relating the data to specific records inside of the system. The technology stores the imported data so that it becomes tangible and can be used or applied to other functions and reporting mechanisms.
K2 Compliance can ingest a CSV formatted vulnerability scan report from Nessus or other third party applications and apply the data to specific asset records in tandem with identified threats as part of the process to calculate potential risks. Business logic can be applied to certain data points like vulnerabilities to include or exclude them based on a severity score threshold. Tickets or workspaces can be launched with detailed process steps for analyzing newly imported data or at least those data points that meet organization defined criteria
Federated Architecture is extensively utilized in the functional development of all Etactics software solutions. For example, we provide Single Sign-On capabilities that present users with information often originating from a separate application or database. Through the use of custom Content Providers (Graphic User Interfaces), K2 Compliance retrieves or extracts data natively stored in databases of other applications and intuitively presents it on a record within the system. By providing an extensive library of API Rest call services, integration with third-party Federated Information systems is easily accomplished.
K2 Compliance features several types of reporting capabilities that are unique to the scenario or activity an organization wishes to report on. Using our ADoCS (Automated Document Composition) Technology, the summaries, findings and collected supporting documentation from control and/or risk assessments are compiled into formal word documents that include template driven cover pages, table of contents and other formatting options. The technology zips the word document and any supporting documents into a downloadable file.
Inherent to K2 Compliance is a custom report writer. Through the graphic user interface (GUI), users with little or no SQL knowledge can build dynamic queries that generate reports on any data points captured within the system across multiple record types. The queries can also include specific parameters to include or exclude specific data points and quantitative thresholds. Queries can be saved and ran with a click of a button at a later date. Any of these reports can then be pinned to specific record tables within the application for easy access and can be exported into a CSV formatted file for submission to external party members.
Custom Role-Based Dashboard
All elements on every screen within K2 Compliance are permission driven including all custom dashboards. Dashboard access is controlled by role or user as necessary. Dashboards meant for management are not accessible to lower level users. Further, dashboards can be configured to only show particular data segments based on role and/or user. Even specific functionality within a dashboard (such as an export to .CSV or similar) can be limited to a role/user level.
Data feeds from outside sources are easily established because of the open source technology that supports the K2 Compliance application. Whether structured or unstructured, we have the ability to import data, update existing records within the system that the new data correlates to, or even create new records when applicable. These data feeds can link to other software applications, data repositories, and exclusive content portals using various methods like RESTful API’s or setting up SFTP file transfers.
Asset & entity information management
K2 Compliance has a full range of Asset Management capabilities. Some organizations may elect to store significantly more information about their assets than others. Our uniquely flexible, relational database technology allows organizations to tailor K2 Compliance to the specific data requirements presented by their Asset and Entity environment, to include compatibility with third-party applications where necessary. Asset records can be manually created and modified through the interface or done programmatically using APIs, SFTP file transfer and text delimited file import.
K2 Compliance features Information Requests that takes survey management to the next level. There are many different scenarios within compliance and IT security management that require communicating with external parties; whether they are non-user employees of the organization, clients, or third party vendors. This is accomplished using the Information Request feature. These dynamic questionnaires are administered by embedding a secure link into an email or text message sent from a particular record within K2 Compliance. Information Requests can have accompanying attachments for reference and include informative sections with many forms of multimedia such as videos or audio clips.
Responses to questions can be captured in forms of radial button multiple choice, drop downs, short or long answers, checkboxes, and file uploads. Once a single or group of Information Requests have been sent, a status chart is automatically created from the record depicting the status of each Information Request. Individual responses can be viewed within the application by clicking on the link to the recipients landing page, or can be exported as a CSV file and opened in Excel or similar data sheet application. Responses for an entire group of Information Requests are also cultivated this way. The use of the Information Request feature can help manage number of different types of activities that include but are not limited to:
New or reoccurring employee training
Conducting interviews and collecting data during control and risk assessments
Pushing out company wide communications
Sending policy notifications and documenting attestation/adherence
Administering 3rd party/Vendor assessments
K2 Compliance incorporates BPO (Business Process Optimization) tools that allow clients and partners to design, inspect and optimize processes from within the application. These processes are then applied to individual records via tickets which are assigned to various individuals or groups. Additionally, processes drive the interface of each ticket and may change depending on the particular activity or task being addressed.
Results from control or risk assessments include remediation activities. These activities are included in the assessment reports that are system generated. Additionally, remediation or mitigation tickets can be launched from the project screen and assigned to various stakeholders within an organization. The activities these tickets represent might include the implementation and assessment of unmet controls identified during the assessment. Documenting these efforts within a ticket provides the necessary supporting evidence during an audit, proving that the organization has performed the appropriate remediation activities to negate significant areas of risk.
Automated Custom Alerts
Automated custom alerts are implemented as necessary using triggers within the data in K2 Compliance or from third-party applications to determine when to send, what to send, and who should receive the notification. Alerts can be sent via email, text message or on dedicated screens and dashboards within the application. Any combination of the above methods can be implemented to best suit the needs of the particular alert.
Separate Module Functionality
Each group of records are stored in their own master table. For example, vendor records are stored within one table while incidents are stored in their own separate table. Each client has their own database which can include or exclude certain record tables. This allows us to modularize the application based on the needs of a specific organization.
Scalable/Customization per fi
K2 Compliance provides each FI with their own custom dataset to house generic system fields, organization specific fields, and fields specific to each FI. This architecture provides each FI with the ability to track and monitor unique data points most important to them. All data at rest within K2 Compliance is encrypted using AES-256 and a password unique to each FI. This ensures that each FI's data is secured down to the field level.
Shared database architecture
K2 Compliance maintains and separates each customer's data by storing them in their own unique database instance. In some cases, it is advantageous to share some data such as libraries, settings, document templates in one database instance. K2 Compliance utilizes an abstract layer of the alias databases, making the application unaware of the origin that the data is physically stored. We are then able to designate it as shared or isolated.
Maintenance & release schedule
The current development cycle for K2 Compliance incorporates a Bi-monthly release (every two months) release schedule. Our development team follows a SCRUM based development cycle that includes:
Level 1 meetings: These include the presentation of user stories and ideas to be added to the development queue.
Level 2 meetings: The list of development items compiled from the level 1 meeting are vetted with the presentation of one or multiple business cases per item. Each item is either approved for development, placed on hold for the time being, or denied for development.
Level 3 meetings: All approved items from level 2 meetings are prioritized in order of most mission critical to serve our clients and assigned to a specific releases based on their designated priority.
This process allows our clients to be actively involved in what features make it into the application and are encouraged to participate in Level 1 meetings.
The cloud-based ConnectPlus technology platform that supports K2 Compliance is continuously updated to accommodate new versions of operating systems, browsers, server upgrades and security patches.
Etactics recognizes that all of its software applications are integrated into core business functions for each client and that outages or downtime of these applications may have a negative impact on mission critical functions. While bug fixes and new releases cause a brief periods of downtime or system outages, typically less than 5 minutes. To ensure that our clients do not experience a disruption in service, we schedule these downtime periods outside of normal coast to coast business hours, typically between 2-3 am EST.
Customer Data Isolation
A client’s data is located on a single-tenanted database on a shared server. Access to the database is then controlled by permission and further secured using encryption with a unique key per dataset. This ensures that even a user who gains access to the wrong database is prevented from decrypting and viewing sensitive data. There have been scenarios where clients are given their own dedicated server within the Etactics data center.
There have been unique circumstances where Etactics has alternatively allowed a client to host the application at their own data center.
Harmonized Control Libraries
K2 Compliance provides an interactive library of frameworks, regulations, and guidelines. Within each are their corresponding controls or citations that can be mapped to specific policy components and procedures. Gap analysis reports can be downloaded depicting these mappings or correlations. Additionally, controls can be mapped across frameworks for reference during specific framework/regulatory audits and assessments to avoid duplicate work. For example, if an organization has recently performed a HIPAA audit or assessment and assessment and 2 months later is performing a NIST audit, they can incorporate the findings for the HIPAA citations that map to particular NIST controls.
Control Assessment Questionnaires
The Information Request function provides assessors and consultants with the ability to interact with various stakeholders or system administrators that don't have access to the K2 Compliance application. Emails or text messages are sent from within a control assessment ticket. These notifications contain secure embedded links to interactive landing pages which contain questions pertaining to specific controls. Responses to questions can take on multiple formats such as yes/no drop-downs, short answer, essay or file upload. Any documents uploaded in responses feed directly back into the control assessment ticket, can be directly attached to summary findings, and included in a formal report. The same is applied should entire responses be used as supporting evidence and included in report.
Automated control assessments
Control assessments can be conducted within K2 Compliance in tandem with the risk assessment process, evaluating the compliance status for associated controls that may help to mitigate the identified risks. They can also be conducted autonomously as a separate project for organizations that wish to know what controls are currently implemented at the organizational or asset levels.
For control assessment projects, users select the controls from one or multiple frameworks to be evaluated. Tickets, or individual workspaces are generated per control with the click of a button. Within each ticket, assessors can mine data from external parties using Information Requests. Any supporting documentation submitted by participating stakeholders is attached to the summaries or findings written by the assessors. Summaries of each control feed into a formal assessment report that is automatically generated from within the system with a click of a button. These reports contain any supporting documentation or artifacts that were attached to the summaries.
Regulatory updates & changes
As noted in this RFI, external information is easily imported into the K2 Compliance application such as regulatory updates. However, Etactics does not provide the regulatory content or updates today. Should an organization currently have a source to pool updates and other information, a connection can be established to ingest the information into K2 Compliance.
Templates and Questionnaires within K2 Compliance can easily be altered or updated by users, typically dedicated system administrators with permissions to edit such records. There are no automated mechanisms in place today where the system will updated said records based on regulatory changes.
Data Aggregation from multiple sources
Etactics has nearly 20 years of experience standardizing data from multiple sources in a production environment. To the degree that third-party applications allow access to their data, Etactics ingests that data and standardizes it for viewing in a single data environment with accompanying reports and dashboards. Our customers are then able to review one source for all incident reports and follow up regardless of the initial source.
Business Impact analysis
K2 Compliance allows companies to conduct Business Impact Assessments by deploying dedicated workspaces for each of its core functions. The Information Request functionality expertly gathers any supporting data that is required to formulate a conclusion. K2 Compliance's process management guides the evaluation of the collected information while the system natively prepares the report based on templates defined by the organization. Finally, this information presented in a professional document providing senior leadership with a birds eye view of the results of the assessment.
Multi-Stage Incident Management
The genesis of the cornerstone technology behind K2 Compliance focused on customizable workflow management. Therefore, its native abilities excel in prompting guided action to handle incidents at every step of the way. Naturally, tailoring incident management to your policies is a company specific task and appropriate Etactics support will be provided. Rest assured that once implemented and an incident has been documented within the application, K2 Compliance will help guide your team based on your policies to a resolution that is both a trackable and intuitive.
Business Continuity Planning Functionality
K2 Compliance is accessible from any internet connected device. Audit tracking capabilities are inherent to all data stored within the application. Call trees can be setup for various activities and scenarios but are not currently automated. Further explanation is required to confirm whether K2 Compliance provides the necessary functionality regarding a 3rd party notification interface and drill tracking.
Supported Risk Frameworks
K2 Compliance was built on an flexible open source platform that allows the application to serve an organization's compliance and IT security needs regardless of its industry or vertical market. The application supports a variety of risk frameworks and methodologies for calculating both inherent and mitigated risks. Those methodologies or frameworks include but are not limited to FAIR, ISO and NIST. Additionally, K2 Compliance provides an organization with the ability to incorporate its own unique methodology for calculating risk that may fall outside the parameters of those that are more commonly used.
Risk Assessment Questionnaires
The information request feature of K2 Compliance provides users with the ability to electronically distribute particular questionnaires to external parties through a secure link embedded within an email or text message. These questionnaires are linked to and sent from a specific record within K2 Compliance. Responses feed back into the application for review and can be attached as supporting evidence to an assessor's summary or their findings. They can also be exported for other related activities or to share with individuals without access to the application. Status charts on the record where the information requests were sent provide a summary of requests that have been returned, started or unattended to.
Asset-based risk assessment
Whether asset records are inherently created and stored within K2 Compliance or record details are imported from an outside resource, the application supports asset based risk assessments. While each asset will always have a calculated inherent and mitigated risk scores, the application provides functionality to assess an entire group of like assets to reduce project timelines.
For example a group of 10 desktop workstations within a particular business unit may be assessed at once; applying all threats and controls to the group. If an assessor chooses, they can further assess an individual asset within the group, identifying additional vulnerabilities that may impact the calculated risk for that asset but not the entire group.
Gap Analysis or Control Evaluation/Assessment projects can be created at any point in time and include only a single control, family of controls, multiple families of controls, entire framework of controls or controls from multiple frameworks. The findings and details of the Gap Analysis can be viewed from the project screen within K2 Compliance or generated in a formal word document that can be sent to executive leadership for review.
SSP Document Generation
Policy Attestation has two important functions that must be accompanied by appropriate documentation:
1.Notifying the organization's workforce of new policies and updates to existing policies.
The Information Request tool allows for privileged users to send out notifications through email or text message to specific individuals or groups. These notifications include narrative and direction to read through new policies or updates while requiring the recipient(s) to interactively respond, acknowledging their compliance.
Recipients can also make comments or ask questions regarding the notification if the organization wishes to include such an option. Submission results are monitored by sender(s), identifying recipients who have responded, began to respond or have neglected the task altogether. Reminder notifications can then be sent when applicable. Reports regarding the submission results are also available for auditing purposes or to send to executive leadership.
2. Proof that policies are being followed.
Perhaps the more difficult of the two is providing sufficient evidence that policies are being followed. Documenting attestation or adherence efforts is accomplished within K2 Compliance by relating activity tickets to specific policy records. This may be as simple as attaching a few supporting documents such as screenshots of auto-logoff parameters on a workstation or documenting multiple activities performed by multiple workforce members during a 24-hour termination procedure. Regardless of the scenario or policy, K2 Compliance provides an intuitive method for documenting attestation efforts and exporting the documentation for auditing purposes.
When scenarios arise that require exceptions to company policy, they are documented within K2 Compliance against either the entire policy record or the applicable component of the policy, depending on the organization's preference.
Details regarding the exception are noted within the record. Data points pertaining to the exception can be added or excluded depending on the extent of information the organization chooses to capture. An exception activity ticket is launched under the exception record with an organization specific process to follow. Transferring ownership of the ticket can also aid in the approval and collaboration processes. Detailed exception reports are available for generation at any point.
Policy Mapping to Controls & Procedures
Traditional or legacy methods for policy mapping typically correlate an entire policy to specific controls or regulations. The concern is that policies can be extremely vast and interpret many different security controls or regulations. Mapping controls and regulations to entire policy records becomes vague and unspecific.
We've devised a storage method for policies that create individual records for each component of a policy. These components or segments might include procedures listed or apparent within the policy. This dynamic format allows for corresponding activities, records, and processes to be related to the actual policy components that they apply to. Individual controls, regulations, and requirements can now be mapped to the applicable or specific parts of a policy.
Anytime a record stored within K2 Compliance has been altered, a detailed history is kept with the date, time and person that made a change. Unique data points or fields are relevant depending on the type of record. These data points are used for tracking and monitoring changes or updates. Policy specific fields include but are not limited to: Policy Version, Policy Owner or Author, Date Created, Reviewed, or Updated, Policy Type, etc... Previous versions of a policy can also be stored and used as reference when needed.
K2 has many “out of the box” reports, as well as, the ability to create and run custom reports. The Risk Assessment Report (RAR) will give a detailed breakdown of the risk inside an organization, including a risk rating for each. This report is invaluable when creating your risk-based roadmap to provide business justification as to why an organization should spent time and money to address this risk.
Forms, contracts, brochures, and other documents in their original formats can be stored in a dedicated repository within K2 Compliance. Versions, ownership, modified dates and other significant data points are tracked for auditing purposes. Documents can be accessed/downloaded or added to the repository by users with the appropriate allocated permissions.
By incorporating our Automatic Document Composition (ADoCs) technology into the application, dynamic template based reports can be generated in Microsoft Word or PDF formats. These reports include collected data, summaries and other pertinent information stored within the database for both security control and risk assessment projects.
Audit Calendar Management
The ticketing and workflow module of K2 Compliance incorporates pre determined timelines or expected due dates for completing both individual process steps and entire projects. Tickets or process steps are inherently assigned to workforce members for completion. When a user logs into the system, any activities they're responsible for completing show up in a daily worklist that is accessed from the left hand navigational toolbar. Further explanation of the this particular feature is required to provide additional information of correlating functionality.