Regulations, compliance rules, guidelines and security directives should all be part of the overall governance risk and compliance framework implemented within your company. Governance risk and compliance frameworks are developed and implemented to bring structure in how companies are organized to protect against risks and how to react in case of an incident.
Having a governance, risk and compliance framework in place, embedding it in the “Standards Information Base” of your Enterprise Architecture Repository and ensuring with a architecture compliance review process that the standards are included in the resulting architectures and solution building blocks in only a part of the end-to-end solution.
Ensuring that your architecture is in line with the requirements stated in the governance, risk and compliance framework is not a guarantee that it is implemented in this manner. And when it is implemented in compliance with the standards it is not a guarantee that it will remain that way during operations.
What is required to ensure a correct level of compliance with he standards is a constant monitoring of the current deployments and to what level they are compliant. Solutions like Puppet can be used up to a certain level to complete this task and report the level of deviation from the standard requirements however solutions like Puppet (and others) are not designed for this specific purpose and are only able to do this task up to a certain level.
Oracle provides a fully build for purpose solution as part of the Oracle Management Cloud Service. The Oracle Compliance Cloud Service is a software-as-a service solution that enables the IT and Business Compliance function to assess and score industry standard benchmarks, REST-based cloud resources and your own custom rules. With the Oracle compliance Cloud Service you can score, assign and remediate compliance violations both on premise and in the cloud.
The Oracle Compliance Cloud Service will allow you to monitor systems and applications deployed in the Oracle cloud in other public clouds, in your local datacenter and in your private cloud. Providing a constant monitoring and reporting to enable you to have a realtime insight into the level of compliance. This can be against the standards defined by your own organisation or against industry and regulatory standards.
Having the ability to constant have a realtime insight and define automatic actions in case a check fails ensures that you gain more control over the actual implementation of the governance, risk and compliance framework in tier 3. having the option to do realtime and constant assessments will uncover situations that might lead to possible issues directly and empowers IT to ensure security, reliability and compliance at all times.