“Evaluate” in the IDEA framework for Data Privacy
We have the Intent to maintain the Privacy of Data under our stewardship. We take the next step and Design a comprehensive Compliance framework to address the multiple regulators and standards that we need to comply with.
As a result, we now have a great policy framework in place, but do we know if the policy framework is being used?
If yes, to what extent? How do we know?
Whether they are being used or not does not really matter. Till we run into trouble. Or into an auditor 😊. That’s when it will really matter.
So, we need to ensure that we do what we intend to do. As the adage goes, “if we are prepared for an emergency, we will never have that emergency”. That we must verify is obvious. The question is “how do we verify?”
I have talked about how this task of verifying can be immense in size and scope. Verifying something of this size and scope can be onerous, especially if you must do a 100% verification.
How do we implement a 100% verification capability?
Clearly, manual verification of millions (or even hundreds of thousands) of tasks is not possible. Any such verification must be automated and leverage AI. How do we implement verification at scale?
A 2-part solution using an Orchestrator-Executor-Verifier architecture, coupled with an Aggregated Verification approach that uses AI for verification, can address this need.
Let’s take a more detailed look at this approach.
Part 1 – An Orchestrator-Executor-Verifier Architecture
The Orchestrator does the planning. It works on the task request. Controls from the Unified Compliance Framework make up “Task Requests” in the case of Data Protection and Technology GRC. The Task Requests or Controls are broken down into sub-tasks, i.e. checklists in the context of Data Protection and Technology GRC. These tasks/sub-tasks are performed by Executors. An example could be controls and checklists related to Business Continuity and Disaster Planning.
Executors are specialized tools and utilities with specific functionality. They operate and perform defined tasks. An example of an Executor in the context of Business Continuity and Disaster Planning is the Backup utility that automates the specific task of backing up servers, devices, and endpoints.
The Verifier is where the use of AI becomes evident. The Verifier is an independent agent that validates that the Executor’s output is “adequately correct” by checking it against defined “done” criteria. This helps the Verifier determine if the Control has been completed or not.
If the verification fails, the task can be re-assigned to the Executor or be “Branched Off” for “human intervention”.
In the case of technology Business Continuity and Disaster Planning, this could be an AI agent that evaluates the output of different kinds of Executors to determine successful completion of the task – Backups.
Part 2 – Aggregated Verification using AI
An aggregated verification strategy uses a process to collect, combine, and analyze (using AI) data from multiple Executors, verify it, and synthesize it into a trusted result. Relying on the integrity and accuracy of this synthesized analysis enables Management by Exception.
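The two parts above, sketched as an added example (not code from the original article): a rule-based check stands in for the AI Verifier, and the report fields, “done” criteria, retry budget and asset names are all assumptions made for illustration.

```python
# Added example: rule-based stand-in for the AI Verifier; every name here is hypothetical.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_ATTEMPTS = 2  # assumed retry budget before a task is branched off to a human

@dataclass
class BackupReport:  # constructed shape of a backup Executor's output
    asset: str
    finished_at: datetime
    exit_code: int
    bytes_written: int
    checksum_ok: bool

def verify(report, now, max_age=timedelta(hours=24)):
    """Verifier: return the unmet "done" criteria (empty list = control met)."""
    failures = []
    if report.exit_code != 0:
        failures.append("non-zero exit code")
    if report.bytes_written <= 0:
        failures.append("empty backup")
    if not report.checksum_ok:
        failures.append("checksum mismatch")
    if now - report.finished_at > max_age:  # Executor said "success", but evidence is stale
        failures.append("backup older than max_age")
    return failures

def orchestrate(assets, executor, now):
    """Orchestrator: run the Executor per asset, verify, re-assign, then branch off."""
    verified, exceptions = [], {}
    for asset in assets:
        for attempt in range(1, MAX_ATTEMPTS + 1):
            failures = verify(executor(asset, attempt), now)
            if not failures:
                verified.append(asset)
                break
        else:
            exceptions[asset] = failures  # branched off for human intervention
    coverage = len(verified) / len(assets) if assets else 0.0
    return {"coverage": coverage, "verified": verified, "exceptions": exceptions}

# Constructed sample: one asset passes, one passes on retry, one reports success but is stale.
NOW = datetime(2024, 1, 2, 6, 0, tzinfo=timezone.utc)

def sample_executor(asset, attempt):
    stale = asset == "srv-02"
    ok = stale or asset == "srv-01" or (asset == "laptop-17" and attempt == 2)
    finished = NOW - (timedelta(days=3) if stale else timedelta(hours=2))
    return BackupReport(asset, finished, 0 if ok else 1, 1024 if ok else 0, ok)

if __name__ == "__main__":
    print(orchestrate(["srv-01", "laptop-17", "srv-02"], sample_executor, NOW))
```

Only the entries under `exceptions` need a person's attention; the `coverage` figure is the aggregated result that supports Management by Exception.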
Let’s see the practical utility of having such capabilities.
If you have 5 servers and a small team you can manage it on the back of your hand or on a spreadsheet. You can build a ‘wall’ around them and appoint a few people to ‘guard’ them. Simple enough.
Put in place more than a few servers and a mid-to-large team, with each member having multiple devices – laptops, smartphones, tablets, watches. Now you have a sieve to guard your information. There are so many points of leakage.
In the context of Data Privacy, AI-enabled scanning of the company’s IT assets to identify whether any sensitive data resides on them is particularly useful for compliance requirements such as DPDPA.
And, in the context of Technology GRC, a Log Analyser enables automatic collection and analysis of logs, ensuring that the required audit evidence is readily available.
AI enables Verification at Scale and Management by Exception
While the Orchestrator-Executor combination enables automation by leveraging UCFs (Orchestrator) and Tools and Utilities (Executor), it is the use of AI that really makes it useful by scanning and analysing the output of the Executors.

