The controls observability imperative
The complexity of modern IT environments often creates new ways for technology to fail. Distributed systems are unpredictable. The shift to the cloud and the rise of containerized workloads complicate the secure movement of data between locations or cloud providers. Multi-cloud platforms with multiple service providers make it difficult to strike the right balance between tight controls and agility.
Challenges like these demand new solutions, including greater visibility into processes and controls. Controls should be considered for every phase, from planning and development to testing and deployment. While successful organizations are prepared to both prevent and acknowledge failure, they can all safeguard against damage with effective controls and continuous monitoring.
Enabling speed with reliability and traceability
The KPMG controls observability platform combines people, methodologies, and accelerators so that an organization can monitor its key controls in real time. The solution can be deployed at scale to drive control compliance and visibility, leading to risk mitigation and control validation.
As the graphic shows, our framework is anchored around governance, monitoring, and improvement functions. It requires collaboration among an organization’s engineering, security, compliance, and audit teams to achieve success.
Governance
Change Management Policy
Enhance a global, practical change management policy and procedure that addresses end-to-end change management.
Branch Release and Management Standard
Integrate strategy, settings, and guidelines for branch and pipeline management with a clear path to production.
Controls Inventory
Enhance process flow for each product and establish key and operational controls to address the risk.
Training and Awareness
Enhance program to improve awareness of the risks and controls with the development team.
Monitoring
Design Monitoring Framework
Develop a monitoring framework and point-in-time control triggers that, when aligned properly with the impact zone of a change, will provide a more integrated assurance model without slowing down delivery.
Implement Monitoring
Leverage data and automation capabilities to monitor deviations from the controls and baselines implemented to address the risks.
Improvement
Issue Tracking and Reporting
Establish the process to put guardrails in place to generate the retrospective reviews, issues and tracking where possible.
Continuous Improvement
Establish processes to leverage results of continuous monitoring and issue tracking/remediation to determine where there is an opportunity to continuously improve the overall process.
Why KPMG?
We bring a pragmatic approach to controls observability because traditional controls may not apply in the fast-paced world of continuous DevOps delivery. We know what industry-leading solutions look like. Our cross-functional team has deep skills in engineering, controls, cyber security, target operating models, strategy, and road mapping.
Rather than simply focus on the change and release element, we take a holistic view—encompassing the change management process from ideate/plan, develop, build, and test to release/deploy, run/operate, and govern.
We collaborate with all three lines of defense—business operations (first line), oversight functions (second line), and audit teams (third line)—to help ensure that they have the design they need, with the right controls and integrated tools configured at scale, and are effectively leveraging all the data produced.