Automating the Common Controls Framework (CCF)— Part I

Author: Adobe Tech GRC Team

Over the past several years, the Adobe Technology Governance Risk and Compliance (GRC) team has developed and implemented the Common Controls Framework (CCF). The CCF helps various cloud products, services, platforms, and operations achieve and maintain compliance with various security certifications, standards, and regulations such as SOC2, ISO, PCI, FedRAMP and others. The CCF is a foundational framework and backbone to our company-wide security compliance strategy. Not only does it provide the flexibility to quickly adapt to and tackle new certification requirements, but it also helps heighten our information security posture.A few years ago, through our ongoing efforts to support the broader security community, we open-sourced CCF so customers and peers can leverage it to help meet their goals.

The Next Level

As Adobe’s products, services, and platforms grow and expand, CCF must also mature and scale at the same pace. To help enable this scalability, the Adobe Technology GRC team is developing a controls automation platform. This will help CCF to mature further reducing the amount of manual effort needed for the implementation and ongoing maintenance of controls.

In addition, the CCF automation platform will be able to check the operating effectiveness of controls on a near real-time basis. It will also provide immediate alerting and remediation tracking to owners of the controls. The automated CCF checks and alerts will help enable us to identify potential issues early in the audit cycle — helping to reduce the potential risk associated with controls failure.

This CCF automation platform will also include a dashboard that provides Adobe control owners with a comprehensive view of the state of effectiveness of CCF controls along with all the upcoming activities that need to be adhered to maintain the operating effectiveness of the controls.

Scalability

Implementing CCF and managing the framework across Adobe requires working with the growing footprint of services spanning multiple clouds. We also must help these services maintain continuous operational effectiveness of controls. The current process requires that the cloud operations and engineering teams perform periodic compliance validation activities, along with manual extraction of audit evidences/artifacts (e.g. access reviews, business impact assessments, etc.). They then must retain these manual reports to demonstrate the controls’ operating effectiveness. Together these activities can be very time consuming and lack the desired operational efficiency.

The CCF automation platform ingests the logs directly from source systems and performs automated checks against them, thereby reducing the manual effort required by teams. This will bring significant improvement to the operational efficiency and scalability of Adobe’s ongoing compliance certification and attestation process.

The Platform

The CCF automation platform is built on a layered framework that consists of:

• Visualization layer
• Application layer
• Services layer
• Data layer

When?

CCF is an ongoing journey with various milestones to be achieved, and a continuous pursuit for enhancements. The automation platform is the next level of organic maturity for CCF. Over the next few quarters, we plan to implement and deliver the CCF automation platform for Adobe in a phased manner over multiple releases. Stay tuned for further updates.