1. Field
Embodiments of the present invention apply to the field of network security and regulatory compliance, more specifically compliance management.
2. Description of the Related Art
Modern business enterprises operate in a complex regulatory environment. Many enterprises must comply with various government regulations both on the federal level and on the state and local levels. For example, most public corporations (at the present time any publicly traded corporation with fifty million or more market capitalization) must comply with the Sarbanes-Oxley Act of 2002. Financial enterprises, health-related enterprises, and other more stringently regulated industries have their own regulatory frameworks.
Furthermore, many business enterprises have internal policies and controls independent of government regulation. These controls and policies may be concerned with security, confidentiality maintenance, trade secret protection, access control, best practices, accounting standards, business process policies, and other such internal rules and controls. The cost of complying with all regulations, rules, policies, and other requirements can be substantial for a large-scale business enterprise.
One common problem faced by business enterprises in the control/policy/regulation compliance area is evidence gathering. Auditors often require some form of proof that a given control is implemented, a policy is in compliance, and a regulation is being observed. Furthermore, a compliance management system should be able to monitor compliance. Some information, however, is not readily accessible by usual networking methods. What is needed is a method and apparatus for automating some parts of the evidence gathering task.