Regulatory Compliance

The Regulatory Landscape

Access governance is a cornerstone of multiple regulatory frameworks. Auditors expect organisations to demonstrate that access is reviewed regularly, stale permissions are revoked promptly, and an immutable evidence trail exists.

Key Regulations

| Regulation | Relevant Controls |
| --- | --- |
| SOX Section 404 | Internal controls over financial reporting — access to financial systems must be reviewed and certified. |
| HIPAA § 164.312 | Technical safeguards — access to ePHI must follow the minimum-necessary principle with audit controls. |
| SOC 2 CC6.1–CC6.3 | Logical and physical access controls — access must be authorised, reviewed, and revoked when no longer needed. |

The Challenge

Traditional compliance approaches rely on quarterly snapshot reviews that generate thousands of pages of evidence but provide little actual security value.

Pain Points

  • Quarterly fire-drills — 4–6 weeks of scrambling before each audit.
  • Evidence assembly — Screenshots, spreadsheets, and email chains manually compiled into evidence packages.
  • Gap periods — Between reviews, access changes go unmonitored.
  • Reviewer fatigue — When everything is reviewed equally, nothing is reviewed carefully.
  • Finding remediation lag — Audit findings take months to resolve because the review process restarts from scratch.

How Verity Helps

Verity shifts compliance from a periodic event to a continuous process by scoring every grant in real time and immutably logging every state change.

```mermaid
flowchart TB
    subgraph "Continuous Loop"
        direction LR
        SC["Score<br/>every 6 hrs"] --> RV["Review<br/>risk-based"]
        RV --> RM["Remediate<br/>SLA-bound"]
        RM --> AU["Audit<br/>immutable log"]
        AU --> SC
    end

    subgraph "On-Demand"
        CR["Compliance<br/>Reporter"]
        EP["Evidence<br/>Package"]
    end

    AU --> CR --> EP

    style SC fill:#7c4dff,color:#fff,stroke:none
    style RV fill:#651fff,color:#fff,stroke:none
    style RM fill:#536dfe,color:#fff,stroke:none
    style AU fill:#448aff,color:#fff,stroke:none
    style CR fill:#40c4ff,color:#000,stroke:none
    style EP fill:#00e5ff,color:#000,stroke:none
```

Key Capabilities

| Capability | Compliance Benefit |
| --- | --- |
| Continuous Scoring | Eliminates gap periods — every grant is assessed every 6 hours. |
| Immutable Audit Trail | ClickHouse stores every score change, review decision, and remediation action — append-only, tamper-evident. |
| SLA Enforcement | Temporal workflows ensure reviews complete within defined time bounds — auditable proof of timeliness. |
| Evidence Packages | One-click export of all evidence for a specific control, time window, and asset scope. |
| Compliance Reports | Pre-built report templates mapped to SOX, HIPAA, and SOC 2 controls. |
| Dry-Run Validation | Prove remediation works before enabling it — reducing the risk of compliance-breaking changes. |

Compliance Mapping

The table below maps specific regulatory requirements to Verity capabilities.

| Regulation | Control | Requirement | Verity Capability |
| --- | --- | --- | --- |
| SOX § 404 | ITGC-AC-01 | Access to financial systems is reviewed periodically | Continuous decay scoring + automated review generation |
| SOX § 404 | ITGC-AC-02 | Terminated-user access is revoked promptly | HR connector triggers immediate score boost → auto-revoke |
| SOX § 404 | ITGC-AC-03 | Privileged access is restricted and monitored | Privilege-level scoring factor + sensitivity multiplier |
| HIPAA | § 164.312(a)(1) | Unique user identification | Identity resolution across all connectors |
| HIPAA | § 164.312(b) | Audit controls — record and examine access | ClickHouse immutable audit trail |
| HIPAA | § 164.312(d) | Authentication — verify identity of users | Connector auth validation + principal deduplication |
| SOC 2 | CC6.1 | Logical access security software | Connector-based access discovery |
| SOC 2 | CC6.2 | Access is reviewed and modified | Review lifecycle with SLA enforcement |
| SOC 2 | CC6.3 | Access is revoked when no longer needed | Decay scoring + automated remediation |

ClickHouse Audit Trail

Verity's immutable audit trail in ClickHouse is designed for auditor queries. Every event includes a timestamp, actor, action, target, and full before/after state.

Schema

```sql
CREATE TABLE verity.audit_events (
    event_id     UUID,
    event_time   DateTime64(3, 'UTC'),
    event_type   LowCardinality(String),  -- score_change, review_created, decision_made, ...
    actor_id     String,
    actor_type   LowCardinality(String),  -- system, reviewer, escalation
    target_type  LowCardinality(String),  -- grant, review, principal
    target_id    String,
    payload      String,                  -- JSON — full before/after state
    source       LowCardinality(String)   -- service name
) ENGINE = MergeTree()
ORDER BY (event_type, event_time)         -- auditor queries filter by type, then by time window
TTL event_time + INTERVAL 7 YEAR;         -- rows expire only after the 7-year retention horizon
```

Example Auditor Queries

```sql
-- Revocations inside a reporting window (here Q4 2025).
-- A half-open range is used so that events on the last day of the quarter are kept:
-- BETWEEN '2025-10-01' AND '2025-12-31' would stop at midnight at the start of 31 Dec.
SELECT event_time, actor_id, target_id,
       JSONExtractString(payload, 'grant_id') AS grant_id,
       JSONExtractString(payload, 'reason')   AS reason
FROM verity.audit_events
WHERE event_type = 'grant_revoked'
  AND event_time >= '2025-10-01'
  AND event_time <  '2026-01-01'
ORDER BY event_time;
```

```sql
-- Daily review-SLA attainment over the trailing 90 days.
-- ClickHouse lets later SELECT expressions reuse the within_sla and total aliases,
-- and `/` always yields Float64, so the percentage is not truncated by integer division.
SELECT
    toDate(event_time) AS day,
    countIf(JSONExtractFloat(payload, 'response_hours')
            <= JSONExtractFloat(payload, 'sla_hours')) AS within_sla,
    count() AS total,
    round(within_sla / total * 100, 1) AS sla_pct
FROM verity.audit_events
WHERE event_type = 'review_decided'
  AND event_time >= now() - INTERVAL 90 DAY
GROUP BY day
ORDER BY day;
```

```sql
-- Lag between an HR termination signal and the first resulting revocation, worst first.
-- Caveat: minIf() returns the column's default value (1970-01-01) when a principal has no
-- grant_revoked event yet, which appears as a large negative lag_hours; those rows are
-- terminations still awaiting revocation and sort to the bottom of this list.
SELECT
    JSONExtractString(payload, 'principal_id')  AS principal,
    JSONExtractString(payload, 'hr_event')       AS hr_event,
    min(event_time) AS first_detection,
    minIf(event_time, event_type = 'grant_revoked') AS first_revocation,
    dateDiff('hour', first_detection, first_revocation) AS lag_hours
FROM verity.audit_events
WHERE JSONExtractString(payload, 'hr_event') = 'termination'
  AND event_time >= '2025-01-01'
GROUP BY principal, hr_event
ORDER BY lag_hours DESC
LIMIT 50;
```

Evidence Package Workflow

```mermaid
sequenceDiagram
    participant Auditor
    participant Dashboard
    participant API as API Gateway
    participant CR as Compliance Reporter
    participant CH as ClickHouse

    Auditor->>Dashboard: Request evidence for SOX ITGC-AC-01 (Q4 2025)
    Dashboard->>API: POST /api/v1/reports/evidence
    API->>CR: Generate evidence package
    CR->>CH: Query audit events for scope & time range
    CH-->>CR: Events (scores, reviews, decisions, remediations)
    CR-->>API: Signed evidence package (JSON + PDF)
    API-->>Dashboard: Download link
    Dashboard-->>Auditor: Evidence package ready
```

Auditor-Ready Output

Evidence packages include:

  • Score history — time-series of decay scores for every in-scope grant.
  • Review decisions — who reviewed, when, and what they decided.
  • Remediation proof — before/after state of every revoked or downgraded grant.
  • SLA compliance — percentage of reviews completed within SLA, with detail on breaches.
  • Digital signature — HMAC-SHA256 over the package contents for tamper detection.
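The HMAC-SHA256 signature from the last bullet, as an added example that is not the Compliance Reporter's own code (the package layout, field names and the demo key are assumptions): the package is canonicalised, signed, and verified, and an edited remediation record or a different key both fail verification.

```python
import hashlib
import hmac
import json

# Constructed sample package (field names are assumptions, not Verity's real schema).
SAMPLE_PACKAGE = {
    "control": "SOX ITGC-AC-01",
    "window": {"start": "2025-10-01", "end": "2025-12-31"},
    "score_history": [
        {"grant_id": "g-1001", "at": "2025-10-02T06:00:00Z", "score": 0.82},
        {"grant_id": "g-1001", "at": "2025-10-02T12:00:00Z", "score": 0.74},
    ],
    "review_decisions": [
        {"review_id": "r-55", "reviewer": "alice", "at": "2025-10-03T09:14:00Z", "decision": "revoke"},
    ],
    "remediations": [
        {"grant_id": "g-1001", "before": {"state": "active"}, "after": {"state": "revoked"}},
    ],
}

def canonical_bytes(body: dict) -> bytes:
    """Deterministic JSON (sorted keys, no whitespace) so equal content gives equal MACs."""
    return json.dumps(body, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()

def sign_package(package: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 computed over every field except the signature itself."""
    body = {k: v for k, v in package.items() if k != "signature"}
    mac = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "signature": {"alg": "HMAC-SHA256", "value": mac}}

def verify_package(signed: dict, key: bytes) -> bool:
    """Recompute the MAC and compare in constant time; any edit to the body fails."""
    sig = signed.get("signature")
    if not isinstance(sig, dict) or sig.get("alg") != "HMAC-SHA256" or not isinstance(sig.get("value"), str):
        return False
    body = {k: v for k, v in signed.items() if k != "signature"}
    expected = hmac.new(key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["value"])

def demo() -> tuple:
    """Sign the sample, then show that a post-hoc edit and a wrong key are both caught."""
    key = b"constructed-demo-key"  # assumption: in practice loaded from the reporter's secret store
    signed = sign_package(SAMPLE_PACKAGE, key)
    tampered = json.loads(json.dumps(signed))  # deep copy, then "undo" a revocation in the evidence
    tampered["remediations"][0]["after"]["state"] = "active"
    return verify_package(signed, key), verify_package(tampered, key), verify_package(signed, b"other-key")
```

Because a MAC is verified with the same key that produced it, verification happens through Verity rather than with a public key, and anyone holding the key could re-sign a modified package; the key therefore needs the same protection as the audit trail itself.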

Before & After

| Metric | Before Verity | After Verity |
| --- | --- | --- |
| Evidence assembly time | 4–6 weeks per audit | Minutes (on-demand export) |
| Gap between reviews | 90 days | 0 days (continuous) |
| Review SLA tracking | Manual / honour system | Automated with escalation |
| Audit findings related to access | 8–12 per audit | 0–2 per audit |
| Compliance team headcount for access reviews | 3–5 FTEs | 0.5 FTE (oversight only) |

Getting Started

Recommended First Steps

  1. Identify in-scope systems — map financial, health, or sensitive systems to Verity connectors.
  2. Deploy Verity with the Quick Start guide.
  3. Configure asset sensitivity — tag assets that fall under SOX / HIPAA / SOC 2 scope.
  4. Enable the Compliance Reporter — select the relevant report templates.
  5. Run a mock audit — generate evidence packages and validate with your compliance team.
  6. Present to auditors — demonstrate continuous evidence capability.