Commit
changed file names to be consistent with lowercase, updated overview
1 parent b3c38c5, commit 97feb79. Showing 9 changed files with 100 additions and 42 deletions.
@@ -0,0 +1,18 @@ | ||
# How Does NAPE Approach the Problem? | ||
|
||
To solve the challenges we’ve identified, we have created a set of guiding principles. These principles explain our overall plan for tackling the obstacles and making sure our actions match our goals. The guiding policy is like a big-picture guide that helps us decide what to do and how to do it. By following these principles, we keep our approach clear, focused, and flexible, even when things change. Below, we explain the eight main principles that guide our approach to solving these problems. | ||
|
||
## 1. Humans-Think & Computers-Compute | ||
|
||
Create ways of working that allow humans to do what they are best at, and computers to do what they are best at. | ||
|
||
- **Human Strengths**: Humans are good at solving complex problems, planning for the future, and making decisions based on the situation. | ||
- **Computer Strengths** Computers are best at handling repetitive tasks, and they can manage large amounts of data quickly, allowing humans to focus on more important a complex decisions and judgements. | ||
|
||
## 2. Clear & Formal Terminology | ||
|
||
Words are important, and the names of capabilities or components are just as crucial as their proper functioning. It is very important that all terms used to talk about NAPE match exactly with the formal language used by industry institutions that define and teach assurance and audit processes. | ||
|
||
## 3. Move from Manual, to Automated, and Ultimately to Autonomous | ||
|
||
Move towards creating an autonomous system where assurance tasks operate independently, only requiring human involvement when updates to the assurance task or the things that trigger the assurance tasks are necessary. |
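Review bot: the intro of this new "How Does NAPE Approach the Problem?" file promises "the eight main principles", but the file ends after principle 3 ("Move from Manual, to Automated, and Ultimately to Autonomous"), so either the remaining five principles belong in this commit or the count should match what is actually documented. Two smaller fixes in the same hunk: `**Computer Strengths**` is missing the colon that `**Human Strengths**:` has, and "more important a complex decisions and judgements" should read "more important and complex decisions and judgements".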
@@ -1,45 +1,21 @@ | ||
# NAPE Overview | ||
|
||
NAPE is the means for front-line employees, such as software developers or IT Operations (call them the "first-line"), their GRC (Governance, Risk, & Compliance), Risk Management, or Security (call these folks the "second-line") teammates, and both of their Internal or External Audit counterparts (think of them as the "third-line") to redefine, for the best, how all three of these groups ([first, second, and third line](iia-three-lines-of-defense.topic)) cooperate and interact with each other. | ||
|
||
NAPEs **reason-to-exist** is to **reduce**, to the absolute minimum, the **wasted effort**, **redundant communications**, and **needless frustration** between these **three lines** in an **organization**. | ||
|
||
## What is NAPE? | ||
|
||
NAPE is an Assurance Engine that helps you perform different types of assurance activities. It does this by: | ||
NAPE is the [Assurance Engine](control-assurance-and-audit.topic) which helps teams automate and autonomize assurance activities. It increases the operating capacity for the folks directly effected by assurance and audit tasks, and NAPE achieves this by: | ||
|
||
- **Collecting** evidence in any format, | ||
- **Evaluating** the evidence to verify specific facts, | ||
- **Combines** many individual evaluations into a single composable assurance procedure, and | ||
- **Verifying** that the assurance procedure for a process, configuration, or calibration is compliant. | ||
|
||
## What Problem Does NAPE Solve For? | ||
|
||
NAPE is a tool that helps people in the [first line, second line, and third lines of defense](iia-three-lines-of-defense.topic) work together more effectively. It does this by removing the need for humans to be involved in every step of the assurance process. Instead, NAPE uses the concept of Autonomous Assurance, so humans can focus on making important decisions rather than on routine tasks. | ||
|
||
Keeping up with all the rules and regulations is one of the biggest challenges in regulated business. As these requirements grow, relying on old methods—like using lots of paperwork and manual labor—is no longer enough. These traditional methods don’t work well for large-scale operations, aren’t efficient, and don’t help in remembering important information over time. | ||
|
||
The mismatch between what humans and machines are good at is a reason for this problem. Companies do not use enough of the correct technology to handle simple, repetitive tasks that computers can easily do. Instead, companies do one or both of two things. First, they only adopt technology that removes the handwritten paper and replaces these handwritten documents with digitized documents. Second, companies hire more people to execute simple evaluation tasks for which computers are best suited. This approach wastes resources and becomes even more problematic when employees leave, taking important knowledge with them. | ||
|
||
Another area for improvement is a gap between the technical work needed to ensure compliance and the knowledge of the people doing the work. Often, people who don’t fully understand the compliance or regulations requirements create solutions that don’t solve the problems. On the other hand, experts who know the rules well cannot handle the technical side, which means they cannot work autonomously on these tasks. | ||
|
||
This situation shows that companies need to rethink how they organize their work between the technical talent and their employees who best understand the compliance and regulatory requirements. The goal should be to let computers handle the tasks they do best, like processing and storing information. Applying this level of automation allows humans to focus on making strategic decisions and assessing risks. This change should also include creating a culture of ongoing, real-time compliance checks so companies are always ready for an audit. | ||
|
||
This way, human efforts can focus on finding new risks and managing them before they become problems rather than just fixing issues after they arise. | ||
|
||
## How NAPE Approaches the Problem | ||
|
||
To solve the challenges we’ve identified, we have created a set of guiding principles. These principles explain our overall plan for tackling the obstacles and making sure our actions match our goals. The guiding policy is like a big-picture guide that helps us decide what to do and how to do it. By following these principles, we keep our approach clear, focused, and flexible, even when things change. Below, we explain the eight main principles that guide our approach to solving these problems. | ||
|
||
1. **Humans-Think & Computers-Compute** | ||
|
||
Create ways of working that allow humans to do what they are best at, and computers to do what they are best at. | ||
|
||
- **Human Strengths:** Humans are good at solving complex problems, planning for the future, and making decisions based on the situation. | ||
- **Computer Strengths:** Computers are best at handling repetitive tasks, and they can manage large amounts of data quickly, allowing humans to focus on more important a complex decisions and judgements. | ||
|
||
2. **Clear & Formal Terminology** | ||
|
||
Words are important, and the names of capabilities or components are just as crucial as their proper functioning. It is very important that all terms used to talk about NAPE match exactly with the formal language used by industry institutions that define and teach assurance and audit processes. | ||
|
||
3. **Move from Manual, to Automated, and Ultimately to Autonomous** | ||
|
||
Move towards creating an autonomous system where assurance tasks operate independently, only requiring human involvement when updates to the assurance task or the things that trigger the assurance tasks are necessary. | ||
|
||
NAPE removes the need for humans to be involved in every single minute step of the assurance process. It employs the concept of [Autonomous Assurance](autonomous-assurance.topic) and [Governance Engineering](governance-engineering.topic) to augment, or replace, over-burden some job functions, or tasks, so existing teams can focus on important decisions rather than on routine, mundane, or seemingly outdated (while still relevant) tasks. With these approaches, NAPE helps all three lines: | ||
|
||
1) Explicitly define what [Control Activity](nape-glossary.topic#control-activity) and [Control Actions](nape-glossary.topic#control-action) must take place inorder to meet Corporate Policy and/or Control Framework (NIST 800-53, SOC2, ISO 27001, etc...) | ||
2) Codifying the [Test of Details](nape-glossary.topic#test-of-details) which provide assurance by either confirming or nullify these activities and actions took place. | ||
3) Compose, Aggregate, and Report that all the tens, hundreds, or thousands of these required activities and actions did, in fact, happen and occurred to the organizations' expectation. | ||
4) Automate all of 1, 2, & 3 and have it autonomously execute as part of the daily business processes. |
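Review bot: the four bullets under "What is NAPE?" are not parallel: "**Collecting**", "**Evaluating**" and "**Verifying**" are gerunds, but the third reads "**Combines** many individual evaluations", so it should be "**Combining**". The numbered list at the end of the hunk has the same problem (item 1 is imperative, "Explicitly define", while item 2 opens with "Codifying"), and it also needs "inorder" changed to "in order", "confirming or nullify" to "confirming or nullifying", and "organizations' expectation" to "organization's expectation". In the prose, "NAPEs **reason-to-exist**" needs the apostrophe ("NAPE's"), "folks directly effected by assurance and audit tasks" in the new "What is NAPE?" sentence should be "affected", and "over-burden some job functions" in the Autonomous Assurance paragraph should be "over-burdened".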
@@ -0,0 +1,26 @@ | ||
# What Problem Does NAPE Solve For? | ||
|
||
Keeping up with all the rules and regulations is one of the biggest challenges in regulated business. Relying on old methods—like using lots of paperwork and manual labor—is no longer enough as these requirements grow. These traditional methods don’t work well for large-scale operations, are not efficient, and do not help in capturing important information over time. | ||
|
||
Many companies and organizations adopt technology in two ways to address such issues, although they continue to run into limitations due to the scale of the job functions and tasks this regulatory and compliance work creates. | ||
|
||
## The First Adoption Issue - Misaligned Technology | ||
|
||
There is a mismatch between what humans and machines are good at is a reason for this problem. Companies do not use enough of the correct technology to handle simple, repetitive tasks that computers can easily do. Instead, companies do one or both of two things. | ||
|
||
1) They only adopt technology that removes the handwritten paper and replaces these handwritten documents with digitized documents. | ||
2) Companies hire more people to execute simple evaluation tasks for which computers are best suited. | ||
|
||
This approach wastes resources and becomes even more problematic when employees leave, taking important knowledge with them. | ||
|
||
## The Second Adoption Issue - Misaligned Labor | ||
|
||
There is a gap between the technical work needed to assure compliance and the knowledge of the people doing the work. Often, people who don’t fully understand the compliance or regulations requirements create solutions that don’t solve the problems. On the other hand, experts who know the rules well cannot handle the technical side, which means they cannot work autonomously on these tasks. | ||
|
||
## Re-Thinking Assurance and Technology Adoption | ||
|
||
These two adoption issues demonstrate companies must rethink how they organize their work between the technical talent and their employees who best understand the compliance and regulatory requirements. | ||
|
||
All organizations should be to let computers handle the tasks they do best, such as processing and storing information. Applying this level of automation allows humans to focus on making strategic decisions and assessing risks. This change will create an organizational behaviour of ongoing, real-time compliance checks so companies are always ready for an audit and can achieve this state with 0 marginal costs. | ||
|
||
With such an approach, human efforts can focus on finding new risks and managing them before they become problems rather than just fixing issues after they arise. |
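Review bot: the opening sentence under "The First Adoption Issue - Misaligned Technology" is a run-on, "There is a mismatch between what humans and machines are good at is a reason for this problem"; drop either "There is" or "is a reason for this problem". Under "Re-Thinking Assurance and Technology Adoption", "All organizations should be to let computers handle" is missing its verb ("should aim to let"). The closing claim that companies "can achieve this state with 0 marginal costs" is an absolute the rest of the document does not support; either state the basis for it or soften it (for example "at near-zero marginal cost"). Also, the lead-in says companies "adopt technology in two ways", but the two headings that follow describe a technology issue and a labor issue, so "two ways" misdescribes the second section; "run into two adoption issues" would match the headings.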