The compliance monitor monitors and reports the compliance status of a software program against the policies, standards or regulations that apply to it.
The compliance monitor can be used to collect compliance data during the Test, Release, Deploy and Operate stages.
The compliance monitor is typically associated with the Defect Escape Rate and Service-Level Agreement (SLA) metrics. It collects information about which policies have been applied and which still need to be, and about security policies and software configurations that have been applied incorrectly. It can also check that the environment, and the resources used to deploy the software, are themselves compliant.
Policies are selected (1) and codified (2), then submitted to the policy repository (3). The codified policies are applied to the software in staging (4), and a separate set of policies is applied to the supporting infrastructure resources (5). To learn which policies must be applied, the compliance monitor contacts the PAP/PMP, where policies are mapped to the systems they govern; the PAP is a desktop tool with an API (6). The software and resources are then checked to determine which policies have actually been applied (7). The compliance results are written to a database (8) and surfaced on a non-real-time dashboard (9), from which the compliance team and/or stakeholders access them (10).
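The flow above, steps (1) to (10), as an added example that is not part of the original page or of any particular compliance product: policies are codified as executable checks, stored in a repository, mapped to systems by a minimal PAP/PMP, evaluated by the monitor against the software's and the infrastructure's configuration, written to a results store and summarised for a dashboard. The policy IDs, system names and configurations are constructed for illustration and assume nothing about a real environment. Two practitioner details are built in: a check that cannot be evaluated (missing data, a type mismatch) is recorded as a finding rather than silently skipped, and checks compare against strict boolean values so that a string such as "yes" does not pass as enabled.

```python
"""Policy-as-code compliance monitor, a toy end-to-end implementation (added example)."""
from dataclasses import dataclass
from typing import Any, Callable

Config = dict[str, Any]


@dataclass(frozen=True)
class Policy:
    policy_id: str
    description: str
    applies_to: frozenset           # {"software"}, {"infrastructure"} or both
    check: Callable[[Config], bool]


def codify_policies() -> list[Policy]:
    """Steps 1-2: selected policies codified as executable checks (hypothetical IDs)."""
    return [
        Policy("SEC-001", "TLS 1.2 or later", frozenset({"software", "infrastructure"}),
               lambda cfg: cfg.get("tls_min_version") in ("1.2", "1.3")),
        Policy("SEC-002", "no default credentials", frozenset({"software"}),
               lambda cfg: cfg.get("default_credentials") is False),
        Policy("SEC-003", "container image signature verified", frozenset({"software"}),
               lambda cfg: cfg.get("image_signed") is True),
        # Deliberately uses cfg[...] so it raises KeyError when the data is absent.
        Policy("SEC-004", "no privileged ports exposed", frozenset({"software"}),
               lambda cfg: all(p >= 1024 for p in cfg["exposed_ports"])),
        Policy("INF-001", "storage encrypted at rest", frozenset({"infrastructure"}),
               lambda cfg: cfg.get("encrypted_at_rest") is True),
        Policy("INF-002", "audit logging enabled", frozenset({"infrastructure"}),
               lambda cfg: cfg.get("audit_logging") is True),
    ]


class PolicyRepository:
    """Step 3: the repository the codified policies are submitted to."""
    def __init__(self, policies: list[Policy]):
        self._by_id = {p.policy_id: p for p in policies}

    def get(self, policy_id: str) -> Policy:
        return self._by_id[policy_id]


class PolicyAdministrationPoint:
    """Step 6: the PAP/PMP mapping of which policies each system must satisfy."""
    def __init__(self):
        self._assignments: dict[str, list[str]] = {}

    def assign(self, system: str, policy_ids: list[str]) -> None:
        self._assignments[system] = list(policy_ids)

    def required_policies(self, system: str) -> list[str]:
        return self._assignments.get(system, [])


@dataclass(frozen=True)
class Result:
    system: str
    policy_id: str
    compliant: bool
    detail: str


class ComplianceMonitor:
    """Step 7: evaluates a system's configuration against its required policies."""
    def __init__(self, repo: PolicyRepository, pap: PolicyAdministrationPoint, database: list):
        self.repo, self.pap, self.database = repo, pap, database   # database: step 8

    def check(self, system: str, kind: str, config: Config) -> list[Result]:
        results = []
        for policy_id in self.pap.required_policies(system):
            policy = self.repo.get(policy_id)
            if kind not in policy.applies_to:
                continue   # this policy does not govern this kind of target
            try:
                compliant = bool(policy.check(config))
                detail = "ok" if compliant else "check failed"
            except Exception as exc:   # fail closed: an unevaluable check is a finding
                compliant, detail = False, f"check error: {type(exc).__name__}: {exc}"
            result = Result(system, policy_id, compliant, detail)
            results.append(result)
            self.database.append(result)
        return results


def dashboard(database: list) -> dict:
    """Steps 9-10: per-system summary a dashboard would render from the stored results."""
    summary: dict = {}
    for r in database:
        entry = summary.setdefault(r.system, {"checked": 0, "failed": []})
        entry["checked"] += 1
        if not r.compliant:
            entry["failed"].append(r.policy_id)
    for entry in summary.values():
        passed = entry["checked"] - len(entry["failed"])
        entry["compliance_pct"] = round(100.0 * passed / entry["checked"], 1)
    return summary


def run_demo() -> dict:
    repo = PolicyRepository(codify_policies())
    pap = PolicyAdministrationPoint()
    pap.assign("payment-api", ["SEC-001", "SEC-002", "SEC-003", "SEC-004"])  # step 4: software in staging
    pap.assign("staging-cluster", ["SEC-001", "INF-001", "INF-002"])        # step 5: supporting infrastructure
    database: list = []
    monitor = ComplianceMonitor(repo, pap, database)
    # Constructed sample configurations, not taken from any real system.
    monitor.check("payment-api", "software", {
        "tls_min_version": "1.0",      # violates SEC-001
        "default_credentials": False,
        "image_signed": True,
        # "exposed_ports" deliberately absent: SEC-004 cannot be evaluated and fails closed
    })
    monitor.check("staging-cluster", "infrastructure", {
        "tls_min_version": "1.3",
        "encrypted_at_rest": True,
        "audit_logging": "yes",        # a string, not the boolean True: INF-002 fails
    })
    return dashboard(database)


if __name__ == "__main__":
    for system, entry in run_demo().items():
        print(f"{system}: {entry['compliance_pct']}% compliant, failed={entry['failed']}")
```

In a real deployment the checks would read live configuration (API responses, manifests, host state) rather than a dictionary, and the database would keep a timestamp per result so the non-real-time dashboard can show when a system drifted out of compliance, but the division of responsibilities between repository, PAP/PMP, monitor, store and dashboard is the same.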
Establishing a fully compliant environment in test and staging can be difficult and expensive, which is why this monitor is sometimes used only in production, at the cost of detecting non-compliance only after release. It can improve lead time by automating immediate notification of whether a given environment and the software it hosts are compliant, and it helps prevent compliance, governance or regulatory issues from going undetected.