Quod Orbis Continuous Controls Monitoring

This integration is an offering provided through the Archer Exchange to enhance your existing Archer implementation. The Archer Exchange provides offerings to expand the use of Archer solutions into new business processes and address specific industry, geographic, regulatory, or technical requirements.

Quod Orbis does not provide an installation package on the Archer Exchange. To learn more about the Quod Orbis CCM integration or request services to set up the platform, build the controls, and set up the integration, please contact Quod Orbis at support@quodorbis.com.

Release notes

Release Date | Archer Platform | Release Notes
August 2024 | 2024.03 | Initial Release

About Quod Orbis Continuous Controls Monitoring Integration

The Quod Orbis Continuous Controls Monitoring (QO CCM) platform allows you to see and understand your security, compliance and risk posture in near real time. Our managed platform offers continuous monitoring and reporting of control effectiveness, metric performance and compliance readiness. With a strong focus on actionable intelligence, the platform also integrates with ITSM tools, automating creation of incident tickets in the event of control failure. This ensures issues are identified and resolved efficiently, minimizing impact and risk to organizations.

The QO CCM integration with Archer harnesses QO’s ability to connect to any technology source and generate an extensive library of inventory, technology and business metrics. This data can be automatically fed into Archer to enable continuous controls assessment with near real-time data.

This offering provides clients with the ability to automate the assessment of controls, continuously and in near real-time, rather than a manually led, point-in-time assessment.

This provides numerous benefits, including:

  • Real-Time Continuous Monitoring: Gain an immediate and up-to-date view of your risk posture and control deployment, enabling proactive risk management.

  • Cost Reduction: Automating tasks that were previously manual eliminates labor-intensive data analysis.

  • Accurate Assessments: A data-driven approach ensures that the results reported are based on accurate findings. As part of the ongoing service, QO will continue to manage the data to ensure continued accuracy.

  • Any Datasource, Any Control, Any Framework: QO can ingest data from any datasource, measure any control, and align to any framework.

  • Continuous Support: QO support starts with the set-up of the platform and continues into BAU and throughout the duration of the service. QO's industry SMEs work with the customer to define requirements, implement requirements into the platform, and maintain both the infrastructure and the data to ensure continuous accuracy and availability. This cycle is repeated for any new controls onboarded at any point during the service.

  • Integration with ITSM: The integration with ITSM systems ensures that key control failures are quickly identified and resolved.

Key features and benefits

The Quod Orbis Continuous Controls Monitoring Integration enables organizations to:

  • Define and configure controls for assets within your infrastructure

  • Create monitoring rules and set up notifications for critical events

  • Communicate critical events to Archer via integration with Configuration Check Results and Findings so that teams can take action

  • Connect seamlessly to any data source, including cloud, SaaS, on-premises, legacy, and custom systems

Prerequisites (ODA and system requirements)

The following table lists the components and prerequisites for the Quod Orbis Continuous Controls Monitoring Integration.

Components | Prerequisites
Archer Solution Area(s) | Archer IT Security Risk Management
Archer Use Case(s) | Archer Issues Management; Archer IT Controls Assurance
Archer Applications | Findings; Configuration Checks; Configuration Check Results
Uses Custom Application | No
Requires On-Demand License | This offering does NOT require any Archer On-Demand Application (ODA) licenses.
Archer Platform Requirements | Archer Platform Release 2024.03 and later
Supported Archer Environments | On-Premises; Archer SaaS
Partner/Vendor Requirements | Valid QO CCM license is required. Additional fees may apply.

Note: Archer SaaS clients can leverage this offering but cannot install the offering in the Archer SaaS environment. The offering must be installed on a client-owned and managed server that can communicate with the Archer instance.

Impacted fields (Integrations only)

Findings summarize an item's performance and changes in evidence, impacting its score. The configurable record types could include:

  • Latest item score

  • Latest item evidence count

  • Average item score

  • Average item evidence count

Coverage metrics in QO CCM display covered/uncovered percentages and asset counts for each category and provide a monthly performance overview. Group items in QO CCM will show scores.

Archer Application | Archer Target Field | (Partner/Vendor Name) Source Field
Configuration Checks | Source Check ID | Name of the control
Configuration Checks | Assessment Description | Control description
Configuration Check Results | Title | Name of the control
Configuration Check Results | QO Scope | Scope of the control where applicable, description or nothing if not presented
Configuration Check Results | Test Result | Measure based on score
Finding | Finding | Contains details of the control name, score (average score by default but depends on configuration), description, scope & benchmarks e.g. how data is measured, when the data was last pushed into Archer platform and where further information is available in QO CCM

Quod Orbis CCM Integration components

Architecture diagram

The following diagram shows the relationships between the applications that make up the QO CCM and Archer integration offering.

Process diagram

The following diagram shows the general workflow of the integration:

Applications

The following table describes the required applications in Quod Orbis CCM.

Application Description

Metrics / Controls

The metrics and controls application captures the base information for any given process. The application enables you to track the business processes personnel, risk, and business risks and impact. Each metric/control is assigned a unique and configurable rating, ensuring that the evaluation aligns with organizational risk tolerances and policies.

Coverage

The coverage application provides complete visibility of the customer's assets from multiple data sources, enabling the customer to track and manage their entire asset estate.

The following table describes the required applications in Archer.

Application Description

Findings

The Findings application allows you to document issues, deficiencies, or gaps found through assessments and control testing. Findings are either auto-generated from questionnaires, including links back to the questionnaire, target, and any applicable control standards and authoritative sources, or are manually generated by users. Findings can be resolved through remediation tasks and/or exception requests.

Through the Findings application, you can:

  • Review findings that are auto-generated through the results of assessments and control testing.

  • Use automated workflow to route findings to the appropriate personnel.

  • Mitigate findings through remediation tasks and/or exception requests. The system calculates residual risk and compliance status based on the resolution of findings.

  • Relate multiple findings in the context of a remediation plan.

  • Track tasks associated with findings resolution.

Configuration Checks

The Configuration Checks application facilitates the automated control testing of technical control procedures utilizing an automated assessment technology. To automate the compliance testing of a technical control procedure, a relationship between the control procedure and the external configuration assessment must be created. This application stores the external checks provided by the assessment technology and allows the company to map their technical control procedures in Archer to the check performed by the external system.

Configuration Check Results

The Configuration Check Results application stores the scan results fed into Archer through the Data Feed Manager to assess compliance with specified technology baselines. These records will contain the date of the scan, the device scanned, the configuration check that was performed, and the result of the check. The user may then address any instances of non-compliance through an exception request or remediation plan.

Installing Quod Orbis CCM Integration

Security Considerations

The information in this publication is provided "as is". Archer makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Client is solely responsible for ensuring that the installation of the application is performed in a secure manner. Archer recommends clients perform a full security evaluation prior to implementation.

Installation Overview

The integration between Quod Orbis and Archer platforms aims to create a cohesive environment where data is efficiently shared and leveraged between systems. By aligning record definitions, the integration ensures a smooth and transparent data exchange process. This collaborative approach enhances the overall functionality and effectiveness of both platforms, contributing to a unified and streamlined experience for users.

The following steps provide an overview of the installation process:

Step 1: Configuration of platform

QO will build a dedicated platform to host the data.

Step 2: Connection to data sources

QO will work with the customer to define which data sources they would like to connect to the platform, and which ones they would like to integrate into Archer.

QO and the customer will obtain the required credentials to connect to the customer's APIs. QO will test these and confirm once the data is connected.

Step 3: Building controls and dashboards

QO will:

  • Provide customers with access to the QO CCM platform

  • Prebuild required controls in CCM

  • Build associated dashboards to visualize controls.

  • Set up integration link between platforms (see above screenshots)

  • Run through with the customer how to access the controls in the platform

Step 4: QO CCM & Archer API Connected

The API between QO CCM and the Archer platform is set up and tested.

Step 5: Test the population of data

Configure data processing

Step 6: Test the population of data

Review the population of the relevant data fields in the Archer platform, to ensure the data has populated as expected.

Step 1: API Feed

The API is configured to push all required data from the QO CCM database into the Archer platform.

Step 2: Test the population of data

Configure data processing to meet user’s needs (daily by default, but can be configured accordingly).

Step 3: Test the population of data

Review the population of the relevant data fields in the Archer platform, to ensure the data has populated as expected.

Using Quod Orbis CCM Integration

Task: Transfer data from Quod Orbis CCM to Archer

  1. The control is displayed in the QO CCM environment. The Archer logo will be displayed on the top right.

  2. Click on the Archer logo to submit the data to the Archer platform.

  3. The data will be pushed into the desired location within the Archer platform.

Certification environment

Date Tested: August 2024

Product Name | Release Information | Operating System
Archer Suite | 2024.03 | Virtual Appliance