Overview

This solution’s key differentiator is its hybrid approach, which combines deterministic methods with interpretive techniques. Rather than relying solely on generative AI, this solution intentionally leverages the strengths of both approaches to deliver a more holistic, accurate, and economical solution. The deterministic component uses precise, programmatic logic to achieve specific outcomes, while the interpretive component harnesses generative AI to efficiently address scenarios that traditional methods would find overly tedious or prone to excessive edge cases. This synergy not only enhances overall performance but also saves valuable time.

This solution comprises three core components:

  1. Data Sources:

    • All the different data sources required to achieve the business outcomes for this solution.

  2. Preprocessing Data:

    • Transform raw data into actionable insights through a series of deterministic and interpretative steps, enabling generative AI to achieve optimal outcomes within OpenPages.

  3. Configuring OpenPages:

    • Utilize the processed data to set up the OpenPages platform while preserving critical relationships among key entities such as SIG questions, Internal Security Requirements, and ServiceNow Issues.
    • Develop and deploy watsonx.ai prompts that leverage generative AI to identify issues and gaps, provide recommendations, and generate follow-up questions.

Solution Flow

Solution Components

Data Sources

The data sources leveraged in this solution are:

  • Internal Security Requirements
    • Enterprise security requirements designed to ensure compliance with organizational policies, organized into specific domains relevant to the SIG.
  • ServiceNow Issue Catalog
    • A catalog of relevant ServiceNow issues and its relevant metadata
  • Blank SIG (Standardized Information Gathering) Questionnaire’
    • Empty version of a SIG from 2024 with all the relevant headers populated
  • Vendor SIG Questionnaires
    • Vendor populated SIG questionnaires with the relevant information.
  • Vendor KY3P Extract
    • Vendor populated information from KY3P with the vendor’s response and Additional Comments (if provided).

Preprocess Data

The primary objective of preprocessing the source data was to create the Reference Data that accurately maps the relationships among SIG questions, contextual details from the Internal Security Requirements, and ServiceNow Issues which facilitated the data ingestion process into OpenPages.

This phase involved a comprehensive ETL process to cleanse and structure the data to create the Reference Data, and it comprises of four key parts:

  1. Configure vectorstore with Internal Security Requirements (ISR)
  2. Determine Relevant ServiceNow Issue
  3. Aggregate SIG Questions from SIG Questionnaires
  4. Build Reference Data and OpenPages FastMap Import

Configure vectorstore with Internal Security Requirements (ISR)

  • Programmatically divide the Internal Security Requirements into a JSON structure by section, attaching relevant metadata—such as headings, subheadings, filenames, and summaries—to each segment.
  • Embed the chunks structured within the JSON into a vectors.
  • Ingest the vectors into a vectorstore with its metadata.

Determine Relevant ServiceNow Issue

  • For this solution, we did not focus on content related to external attachments provided by vendors. Instead, our team utilized watsonx.ai to filter out document-dependent issues.
  • Each SIG question belonged to a specific domain group. After filtering out document-dependent issues, we programmatically removed all unrelated domain issues by leveraging unique key identifiers for each domain, ensuring our focus remained solely on the relevant domain issues.
  • Once all the irrelevant and out-of-scope issues were filtered out, our team leveraged watsonx.ai to identify the most relevant issue for each SIG Question.

Aggregate SIG Questions from SIG Questionnaires

  • Aggregate all the SIG questions from the Blank SIG Questionnaire and Vendor SIG Questionnaire with the relevant metadata to populate in the Reference Data

Build Reference Data and OpenPages FastMap Import

The series of steps to build the Reference Data is as follows:

  1. Insert all the aggregated SIG questions and the appropriate headings from Aggregate SIG Questions from SIG Questionnaires step
  2. For each SIG question:
    1. search for the most relevant Internal Security Requirements (ISR) context from the vectorstore configured Configure vectorstore with ISR.
    2. After retrieving the most relevant context from the vector store, our team utilized another watsonx.ai Large Language Model (LLM) prompt to validate its relevance to the associated SIG question. If deemed relevant, the validated context was then used to populate the appropriate ISR context for the SIG question.
    3. Determine and populate the most relevant ServiceNow Issue from the ServiceNow Issue Catalog from Determine Relevant ServiceNow Issue Step

The series of steps to build the OpenPages FastMap Import is as follows:

  1. Programmatically populate the FastMap Import for SIG Questionnaire Template which consists of all the relevant SIG questions from the Reference Data
  2. Programmatically populate all the ISR context relationships to the appropriate SIG questions using the Reference Data.
  3. Programmatically populate all the SIG Question relationships to each question for the Assessment Template.

Configure OpenPages

The structure of IBM’s OpenPages platform with watsonx.ai allows an external compliance and security platform, KY3P, as an initial data input while providing as the platform which centralizes risk management and governance.

In this solution, OpenPages serves as the central platform for structured data management, while watsonx.ai enhances it with generative AI capabilities. By integrating third-party extracts, this approach enables access to additional data insights beyond the organization’s existing environment. It is ideal for organizations or teams seeking a unified solution that seamlessly integrates external data, enriches analytics, and extends watsonx.ai’s capabilities within a single platform.

This phase consists of four core components:

  1. Build Library
  2. Configure Vendor Management
  3. Deploy and integrate watsonx.ai models.
  4. Create dashboards and reports

Overview

Deep Dive

Build Library

Building the OpenPages library emulates the same goal as creating the reference data as it builds the objects in OpenPages that will serve as the anchor/reference for every incoming vendor SIG. There are two core components to setup for the OpenPages library for this use case:

1. Mandate The Mandate object relies on the Internal Security Requirements (ISR) to store relationships relevant to the ISR. Each ISR mandate will include submandate objects, and each submandate will have an associated Requirement object. - Submandate: the associated ISR “heading” for each SIG question - Requirement: the associated ISR context for each SIG question

2. An Assessment Template The assessment template will house all of the relevant information for each SIG question and will be used to create each new vendor assessment in OpenPages.

The assessment template relies on the Blank SIG data To build the assessment template, we will utilize the “Assessment” object in OpenPages, incorporating each SIG question through the “Question” object. Each SIG question will have fields associated with it:

Field Name Description Example
SIG Question Question text “Does the enterprise risk governance program include definitions of the roles and responsibilities for IT Governance?”
Issue Metadata Information pertaining to the relevant issue for the SIG question
Control Info Information around the control associated with the SIG question “Policies, Standards, and Procedures”
In Scope A flag to determine if the question was given to a vendor or not “Yes” or “No”
Response A field to populate a vendor’s response to the SIG question “Yes”, “No”, “N/A”
Additional Comments A field to populate a vendor’s additional comments to the SIG question
ISR Context A calculated field from the Requirement object with the relevant ISR context to the SIG question “Heading: II. IT Security Program Standard, Content: Managing information security risk, like risk management in general, is not an exact science. It brings together the best collective judgment of individuals and groups within organizations responsible for strategic planning, oversight, management, and day-to-day operations. etc..”

Configure OpenPages Vendor Management

Each new vendor SIG is introduced through an external vendor SIG extract. A corresponding Business Entity object is then created in OpenPages, which generates a Vendor object. This Vendor object, in turn, creates an associated Assessment object for the Vendor SIG.

For each new Vendor SIG assessment, the content from the Vendor SIG template is copied to serve as the foundation. This provides a starting point for leveraging generative AI to populate the “Issue,” “Gap,” and “Recommendation” fields.

Deploy and integrate watsonx.ai functions

Generative AI is leveraged to populate the “Issue”, “Gap” and “Recommendation” field in a Vendor SIG Assessment. This use case leverages three different watsonx.ai models through Watson Machine Learning:

  1. Gap Analysis: Determine whether or not the “Additional Comments” supports the vendor response for a specific SIG question.
  2. Issue Analysis: Determine whether or not the vendor response is most likely against industry and internal security standards.
  3. Recommendation Analysis: Leverage the ISR context and provided Additional Comments to provide an analysis on the delta and provide follow-up questions for the vendor.