In addressing compliance through automation, you must deal with specific areas of concern that can be introduced into your system at any number of points. To deal with this, a “compliance solution” needs to be adaptable and flexible, and it must be able to respond rapidly and cost effectively to new requirements or threats to compliance. The AvePoint Testing Language (ATL) is an XML-structured language for validating and classifying both content and the structure of the IT systems that manage that content. The language, simply put, is a set of commands, keywords, and specific vocabularies that, when used with the AvePoint Testing Engine, give companies confidence that they are protected from intentional or accidental breaches of policy.
The language works from the premise that we must use the correct tool for the job. A good non-technical example is selecting the proper tool to cut balsa wood when making a model airplane. To cut the balsa wood, we would take the wood out of its package, put it in a vice or on a cutting board, and then carefully cut it with a hobby knife. We would not place the balsa wood in a vice and cut it with a chain saw, because that is far more tool than the job needs and could ruin the work.
Selecting the correct tool for the job applies equally to content discovery. In some cases, a discovery task calls for Regular Expressions; in others, a basic Find Text method is enough. The difference is that while both can find a string, one can take up to 40 times longer to complete the same task. In addition, some complex discovery tasks require conditional text, elements, or attributes to be found in order to identify a condition. AvePoint has addressed the complexity of content discovery by identifying the different methods used to answer questions about electronic data and its structure.
The AvePoint Testing Language User Documentation covers each main method type in exhaustive detail. For this post, we will introduce just a few of them:
· Find Text and Conditional Find Text
· Regular Expression & Dictionary
· Element Validation
· Cookie Validation & Web Beacon Validation
· SSL Validation
These methods introduce unique terms and/or vocabularies that provide the testing mechanisms needed to protect your organization, and in some cases, your customers.
For example, what if you are a financial services company that allows users to log into a financial account and access their financial data? This data will be transferred to them over an internet connection. SSL validation allows you to identify customer access points and then ensure that the access point, and everything that follows it, uses SSL and that the encryption level matches your standards and policies.
Additionally, when considering the right tool for the job, consider an HTML page in which you are looking for the string “privacy” specifically in the href attribute of an A element. While the page may contain multiple instances of the word privacy, from a compliance perspective we only care whether it exists in an href attribute. So, by using the element method instead of the Find Text or Regular Expression methods, we not only speed up identification but also reduce false positives!
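The following Python script is an added illustration of the point above and is not part of the original post or of ATL itself: it runs a plain Find Text count for “privacy” over a constructed HTML page and then an element-level check that only inspects the href attributes of A elements, so the difference in hit counts shows where the false positives come from.

```python
import re
from html.parser import HTMLParser

# Constructed sample page: the word "privacy" appears in body text, an
# image path and alt text, but only one A element links to a privacy page.
SAMPLE_HTML = """<html><body>
<p>We take your privacy seriously. Privacy matters to us.</p>
<a href="/about">About</a>
<a href="/legal/privacy-policy">Privacy Policy</a>
<img src="/img/privacy.png" alt="privacy badge">
</body></html>"""


def find_text(html, needle):
    """Find Text method: count every case-insensitive occurrence anywhere."""
    return len(re.findall(re.escape(needle), html, flags=re.IGNORECASE))


class HrefCollector(HTMLParser):
    """Element validation: collect href values of A elements only."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value is not None:
                    self.hrefs.append(value)


def find_in_href(html, needle):
    """Return the A-element hrefs that contain the needle (case-insensitive)."""
    parser = HrefCollector()
    parser.feed(html)
    return [h for h in parser.hrefs if needle.lower() in h.lower()]


if __name__ == "__main__":
    # Find Text reports six hits; element validation reports the single href.
    print("find text hits:", find_text(SAMPLE_HTML, "privacy"))
    print("href hits:", find_in_href(SAMPLE_HTML, "privacy"))
```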
The cookie and web beacon discovery methods allow the user to monitor the use of cookies and web beacons to track compliance with standards, whether a U.S. Government agency is validating compliance with cookie regulations or a company based in the European Union is self-auditing its cookie usage against standing regulations. These methods address structural elements and content at the same time. While we could complete these tasks using human evaluation alone or multiple testing methodologies, the AvePoint Testing Language creates the method needed to provide computer-aided evaluation in a flexible and cost-effective manner.
A powerful option is the Dictionary and Regular Expression methods, which allow us to introduce a large list of terms, phrases, or strings to find simple matches, or a list of patterns to match with Regular Expressions, and then act on these discoveries to either classify content or block it from being published or viewed. It is important to remember that it is more than just finding something: it is also a matter of what we do with content that matches our discovery method, and what actions, if any, we perform.
While many of these language terms and vocabulary items are domain specific, the ATL as a whole is not. Using the language in conjunction with the AvePoint Compliance Engine, the user can test structure and content against the Commercial off the Shelf (COTS) test suites that are included. Some examples are:
· Section 508
· Web Content Accessibility Guidelines (WCAG) 1.0 & 2.0
· Operational Security
· The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules
· PHI and PII Identification
So while the language is powerful, it is also easy to use, and in the cases above the user of the solution has no need to understand or use the language directly. It should be noted that these COTS test suites can be easily modified to match your specific requirements and needs.
Finally, the specific rules created are wrapped in either Compliance Scanning or Classification test suites (Collections). Compliance Scanning collections are used to identify and report instances of non-compliance with rules and tie them to associated risks, while Classification collections allow for content classification and a whole set of related actions. Some of the possible actions include, but are not limited to:
· Embedding Metadata
· Moving Documents to Predefined Locations based on Classification
· Quarantining documents
· Deletion of Content
· Redaction of Content
Metadata and classification are not necessarily the same thing; when used, the metadata can be associated with or embedded into the document itself. By embedding the metadata in your content, the classification, or a complex classification scheme, stays with the document and is not tied to the content management system.
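As an added example, not taken from the post or from ATL, the Python below ties together the Dictionary and Regular Expression discovery methods described earlier with the classification actions listed above: it matches a constructed term list and two constructed patterns, assigns a classification, applies a redaction action where the hypothetical rule table calls for one, and embeds the classification as metadata alongside the content. The labels, patterns and rule table are assumptions for illustration only.

```python
import re

# Constructed dictionary of sensitive terms (Dictionary method).
DICTIONARY = {"diagnosis", "patient id"}
# Constructed patterns (Regular Expression method); illustrative, not exhaustive.
PATTERNS = {
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}
# Hypothetical rule table mapping a classification to one of the post's actions.
ACTIONS = {"PHI": "quarantine", "PII": "redact", "Public": "publish"}


def discover(text):
    """Run dictionary matches and regex patterns; return what matched."""
    lower = text.lower()
    dictionary_hits = sorted(t for t in DICTIONARY if t in lower)
    pattern_hits = {name: pat.findall(text) for name, pat in PATTERNS.items()}
    pattern_hits = {k: v for k, v in pattern_hits.items() if v}
    return {"dictionary": dictionary_hits, "patterns": pattern_hits}


def classify(hits):
    """Dictionary hits imply PHI; regex-only hits imply PII; otherwise Public."""
    if hits["dictionary"]:
        return "PHI"
    if hits["patterns"]:
        return "PII"
    return "Public"


def redact(text, hits):
    """Redaction action: replace every regex match with a fixed mask."""
    for name, pat in PATTERNS.items():
        if name in hits["patterns"]:
            text = pat.sub("[REDACTED]", text)
    return text


def process(text):
    """Classify, choose the action, and embed the classification as metadata."""
    hits = discover(text)
    label = classify(hits)
    action = ACTIONS[label]
    body = redact(text, hits) if action == "redact" else text
    return {"metadata": {"classification": label, "action": action}, "body": body}
```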
The ability to respond rapidly and cost effectively to new requirements or threats to compliance is essential to any compliance program. To do this you need more than basic or hard-coded validation methods; you need a flexible language that can work across multiple compliance domains, whether known today or defined tomorrow. At AvePoint, we understand this, and it is central to why we provide our customers with the ATL.