NAPE Overview
NAPE is the means for front-line employees such as software developers or IT Operations (call them the "first line"), their GRC (Governance, Risk, and Compliance), Risk Management, or Security teammates (call them the "second line"), and the Internal or External Audit counterparts of both (think of them as the "third line") to redefine, for the better, how all three groups cooperate and interact with each other.
NAPE's reason to exist is to reduce, to the absolute minimum, the wasted effort, redundant communication, and needless frustration between these three lines in an organization.
What is NAPE?
NAPE is the Assurance Engine that helps teams automate and autonomize assurance activities. It increases the operating capacity of the people directly affected by assurance and audit tasks, and NAPE achieves this by:
Collecting evidence in any format,
Evaluating the evidence to verify specific facts,
Combining many individual evaluations into a single composable assurance procedure, and
Verifying that the assurance procedure for a process, configuration, or calibration is compliant.
NAPE removes the need for humans to be involved in every single minute step of the assurance process. It employs the concept of Autonomous Assurance and Governance Engineering to augment, or replace, over-burdensome job functions or tasks, so existing teams can focus on important decisions rather than on routine, mundane, or seemingly outdated (but still relevant) tasks. With these approaches, NAPE helps all three lines:
1. Explicitly define what Control Activities and Control Actions must take place in order to meet Corporate Policy and/or a Control Framework (NIST 800-53, SOC 2, ISO 27001, etc.).
2. Codify the Tests of Details that provide assurance by either confirming or refuting that these activities and actions took place.
3. Compose, aggregate, and report that all of the tens, hundreds, or thousands of these required activities and actions did, in fact, happen and occurred to the organization's expectation.
4. Automate all of 1, 2, and 3 and have it execute autonomously as part of daily business processes.
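The following Python is an added illustration of the collect, evaluate, compose, and verify pipeline described in both lists above; it is not NAPE's own code or API. Every class, function, file name, control name, and piece of evidence in it is constructed for the example. Each Test of Details records the SHA-256 of the exact evidence it examined, so a second- or third-line reviewer can trace a verdict back to the bytes that produced it, and an evaluation that blows up on malformed evidence is recorded as a failure with its reason rather than crashing the whole procedure.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable

# --- Step 1: evidence in any format (raw bytes plus a digest for traceability) ---

@dataclass(frozen=True)
class Evidence:
    name: str
    content: bytes

    @property
    def digest(self) -> str:
        # Lets a reviewer verify later that the verdict was rendered on these exact bytes.
        return hashlib.sha256(self.content).hexdigest()


# --- Step 2: a Test of Details checks one specific fact against one piece of evidence ---

@dataclass
class TestOfDetails:
    name: str
    evidence: Evidence
    check: Callable[[Evidence], bool]

    def run(self) -> dict:
        try:
            passed = bool(self.check(self.evidence))
            reason = "" if passed else "check returned False"
        except Exception as exc:  # malformed or missing evidence is a failed test, not a crash
            passed, reason = False, f"{type(exc).__name__}: {exc}"
        return {"test": self.name, "evidence": self.evidence.name,
                "sha256": self.evidence.digest, "passed": passed, "reason": reason}


# --- Step 3: compose many tests into one procedure; Step 4: verify and report ---

@dataclass
class AssuranceProcedure:
    name: str
    tests: list = field(default_factory=list)

    def run(self) -> dict:
        results = [t.run() for t in self.tests]
        return {"procedure": self.name,
                "compliant": all(r["passed"] for r in results),
                "results": results}


# Constructed sample evidence (hypothetical bucket config and access-review log).
BUCKET_CONFIG_OK = json.dumps(
    {"bucket": "audit-logs", "public_access": False, "tls_min_version": "1.2"}).encode()
BUCKET_CONFIG_BAD = json.dumps(
    {"bucket": "exports", "public_access": True, "tls_min_version": "1.0"}).encode()
ACCESS_REVIEW_LOG = (b"2024-03-01 access-review user=alice reviewer=bob result=approved\n"
                     b"2024-03-01 access-review user=carol reviewer=bob result=revoked\n")


def bucket_is_private(ev: Evidence) -> bool:
    return json.loads(ev.content)["public_access"] is False


def tls_at_least_1_2(ev: Evidence) -> bool:
    version = json.loads(ev.content)["tls_min_version"]
    return tuple(int(p) for p in version.split(".")) >= (1, 2)


def access_review_signed_off(ev: Evidence) -> bool:
    lines = ev.content.decode().splitlines()
    return bool(lines) and all("reviewer=" in ln and "result=" in ln for ln in lines)


def build_procedure(name: str, bucket_cfg: bytes, review_log: bytes) -> AssuranceProcedure:
    bucket = Evidence("bucket-config.json", bucket_cfg)
    log = Evidence("access-review.log", review_log)
    return AssuranceProcedure(name, [
        TestOfDetails("bucket is not publicly readable", bucket, bucket_is_private),
        TestOfDetails("bucket requires TLS >= 1.2", bucket, tls_at_least_1_2),
        TestOfDetails("every access-review entry has a reviewer and result", log,
                      access_review_signed_off),
    ])


def run_examples() -> dict:
    # Three runs of the same procedure: compliant, non-compliant, and malformed evidence.
    return {
        "good": build_procedure("storage and access-review controls",
                                BUCKET_CONFIG_OK, ACCESS_REVIEW_LOG).run(),
        "bad": build_procedure("storage and access-review controls",
                               BUCKET_CONFIG_BAD, ACCESS_REVIEW_LOG).run(),
        "malformed": build_procedure("storage and access-review controls",
                                     b"not json", b"").run(),
    }


if __name__ == "__main__":
    print(json.dumps(run_examples(), indent=2))
```

The report is the artifact the three lines share: the first line sees which check failed and why, the second line sees the procedure's overall verdict, and the third line sees the digest of the evidence behind every verdict rather than a screenshot. Aggregation here is a strict AND over all tests; a real procedure may also need weighting, exceptions, or scheduling, which this example deliberately leaves out.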
TODO - Add the epistemology: "How do you know what you know?"
TODO - The two things that are not clear in GRC (since GRC seems to be focused on specifics):
TODO - 1) How do I know that what you tell me is true and valid?
TODO - 2) How do you know that what you think is factual, true, and valid?