The ability to define your own controls and subsequent automated tests

Alex Skinner

To be able to define your own controls as part of your own bespoke standard.

To be able to define custom tests that could, via an API, be notified as passing or failing.

Comments

4 comments

  • Shannon DeLange (Vanta Team Member)

    Hello Alex!

    This is such a great suggestion! We had some trouble with posts being flagged - I apologize for the delayed response. I've alerted the team to your question, and you'll see some responses rolling in shortly.

    Thanks so much for being a member of the Vanta community, and we look forward to continuing to build the community with you!

    In the meantime - custom controls are on the way! Here's a video if you're curious to learn more.

  • Shankar Bala

    Alex Skinner,

    In this comment, I will first respond to the question on bespoke standard.

    You can create your own bespoke standard and create your own controls as part of it today. You can bulk import custom controls in the Controls page under "Add Control" at the top right and then bulk import your framework sections in the Compliance page under "Add Framework". When you import your framework, you can tie the sections to the controls you uploaded using Control IDs.

    Let me know if this is not clear.

  • Shankar Bala

    Alex Skinner

    I would like to understand more about your use case for custom tests. Can you give me an example of what that might be? Thanks so much in advance!

  • Sam Kiessler

    Hi @...

    I'm also very interested in this feature. 

    My idea behind custom tests: 

    So one of the controls listed is "Secure authentication". We want this to contain ALL the information regarding Secure authentication in our environment.

    We have policies like:

    • All Apps require MFA
    • Your password must be 10+ characters in length
    • Your password must change every 90 days

    In an ideal world, we want Vanta to contain evidence that all of these policies are being met.

    Access Integrations help with this, for example: "MFA on Slack" is an automated test to ensure that we have MFA on Slack.

    However there isn't currently a way to add a custom test for "Your password must be set to change every 90 days". A workaround would be to add a document like "Evidence: Password Expiry Settings" and then screenshot the setting in the Azure portal, fulfilling the document requirement. 

    However, there is no right or wrong in a document. Just Uploaded / Not Uploaded. 
    With a test, I imagine that I could create a script internally which would call the Graph API (Azure), where it would go and get the specific setting in our environment which relates to password expiry. I could then feed that API's response into Vanta, where Vanta could evaluate whether or not I have passed that test. (Alternatively, just being able to send a Pass / Fail value to that test, ideally with a notes field where I can show the API output as evidence.)

    This would allow constant checking of the settings in our environment and produce alerts when compliance isn't met. (e.g. an admin changing a setting against our policies)

    This way we can provide all the evidence needed to auditors in one place. Currently we are able to show the auditors we are compliant by having policies in place but we aren't able to show how we are complying with those policies without manually screenshotting all the settings every year.

    Please let me know if you have any questions on the above. 

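The check Sam describes above, as an added example that is not part of the original thread and not Vanta's or Microsoft's code: a script reads the `passwordValidityPeriodInDays` field of the Microsoft Graph `domain` resource (what `GET https://graph.microsoft.com/v1.0/domains` returns), decides pass or fail against the "change every 90 days" policy, and packages the verdict with the raw evaluation as a notes field. The Graph response here is a constructed sample, not a capture from a real tenant; the value 2147483647 is Graph's documented "password never expires" sentinel. The `submit_result` target URL, the payload field names and the test id `password-expiry-90d` are this example's own assumptions, not a documented Vanta schema.

```python
import json
import urllib.request
from dataclasses import dataclass
from typing import Optional

NEVER_EXPIRES = 2147483647  # Graph's documented sentinel for "passwords never expire"
MAX_ROTATION_DAYS = 90      # the organisation's own policy value from the post

# Constructed sample of GET https://graph.microsoft.com/v1.0/domains (not a real tenant),
# shaped like the documented "domain" resource; only the fields used here are included.
SAMPLE_GRAPH_RESPONSE = json.dumps({
    "value": [
        {"id": "contoso.com", "passwordValidityPeriodInDays": 90},
        {"id": "contoso.onmicrosoft.com", "passwordValidityPeriodInDays": NEVER_EXPIRES},
        {"id": "legacy.contoso.com"},  # setting absent from the response
    ]
})


@dataclass
class TestResult:
    passed: bool
    failing_domains: list
    notes: str


def evaluate_password_expiry(graph_json: str, max_days: int = MAX_ROTATION_DAYS) -> TestResult:
    """Pass only if every returned domain forces a password change within max_days.

    A domain whose setting is absent counts as a failure: the auditor needs evidence
    that the control is enforced, and "unknown" is not that evidence. An empty domain
    list is also a failure, since the script then cannot demonstrate anything.
    """
    domains = json.loads(graph_json).get("value", [])
    failing, lines = [], []
    for d in domains:
        name = d.get("id", "<unnamed>")
        days = d.get("passwordValidityPeriodInDays")
        if days is None:
            failing.append(name)
            lines.append(f"{name}: passwordValidityPeriodInDays not set (treated as FAIL)")
        elif days == NEVER_EXPIRES:
            failing.append(name)
            lines.append(f"{name}: passwords never expire (sentinel {NEVER_EXPIRES})")
        elif days > max_days:
            failing.append(name)
            lines.append(f"{name}: validity {days} days exceeds policy of {max_days}")
        else:
            lines.append(f"{name}: validity {days} days (OK, <= {max_days})")
    if not domains:
        failing.append("<no domains returned>")
        lines.append("Graph returned no domains; the control cannot be demonstrated")
    return TestResult(passed=not failing, failing_domains=failing, notes="\n".join(lines))


def build_payload(result: TestResult, test_id: str = "password-expiry-90d") -> dict:
    """Shape the verdict as a pass/fail record carrying the evaluation as notes.
    Field names are this example's own assumption, not a documented Vanta schema."""
    return {
        "testId": test_id,
        "status": "PASS" if result.passed else "FAIL",
        "failingResources": result.failing_domains,
        "notes": result.notes,
    }


def submit_result(payload: dict, url: Optional[str] = None, token: str = "") -> dict:
    """POST the record to a compliance endpoint. The URL is hypothetical; with
    url=None this is a dry run that returns the payload so the script runs offline."""
    if url is None:
        return payload
    req = urllib.request.Request(
        url, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # In production, replace SAMPLE_GRAPH_RESPONSE with the body of an authenticated
    # GET https://graph.microsoft.com/v1.0/domains (requires the Domain.Read.All permission)
    # and pass the real endpoint and token to submit_result.
    res = evaluate_password_expiry(SAMPLE_GRAPH_RESPONSE)
    print(json.dumps(submit_result(build_payload(res)), indent=2))
```

Run on a schedule, a FAIL from this script is exactly the alert Sam asks for: an admin flipping a domain to "never expires" changes the Graph value, the next run fails, and the notes field records which domain and what value, so the evidence is collected continuously rather than screenshotted once a year.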
