February 12, 2024

Automate more of your compliance program with custom tests

Written by

Lauren Wade

Product Marketing

Vin Vadhanasindhu

Product Management

Drew Gregory

Reviewed by

Accelerating security solutions for small businesses
‍

Tagore offers strategic services to small businesses.

A partnership that can scale
‍

Tagore prioritized finding a managed compliance partner with an established product, dedicated support team, and rapid release rate.

Standing out from competitors
‍

Tagore's partnership with Vanta enhances its strategic focus and deepens client value, creating differentiation in a competitive market.

Today, we’re launching multiple customization improvements to Vanta’s automated test capabilities, previously announced at VantaCon in December. With Custom Tests, you now have the ability to adjust Vanta’s pre-built tests as well as create new tests from scratch with new logic.

‍

Custom Tests empower you to gather evidence across your systems and use Vanta’s automation to continuously monitor and alert you when items fall out of compliance. Additionally, Custom Tests expand upon Vanta’s existing customization capabilities like custom frameworks, controls, policies, and integrations.

‍

In addition, for any test we now show deeper test visibility, enabling you or your auditor to better understand how an automated test works and how to remediate any failing tests.

‍

“As a Managed Service Provider (MSP), Custom Tests allow us to validate that an Active Directory account is enrolled in multi-factor authentication while also excluding service accounts. We were validating this by reviewing a custom report. Now, we can leverage Vanta’s automation to exponentially save time across our customer base.” - Eric Shoemaker, Advisory CISO at GeniusGRC

‍

Expanding on Vanta’s tests to meet your unique needs

Vanta’s pre-built automated tests have helped over 7,000 customers automate their compliance and security programs. But what if you have specific evidence collection needs that are unique to your organization’s compliance program or that an auditor has asked for?

‍

For example, let’s say you need to retain logs for less than the default of 365 days that Vanta recommends because of cost concerns. Previously, you had to rely on manual intervention to meet the need by uploading a document into Vanta.

‍

Similarly, if you had your own, unique evidence collection need, you’d have to upload a document manually. And to understand the logic of a test, manual outreach was required.

‍

That’s where automated Custom Tests come in.

‍

Build your own custom test regardless of technical background

Vanta’s tests power continuous evidence collection against controls across 20+ frameworks. Alongside Vanta’s pre-built tests, you now have multiple ways to customize tests as well as the ability to create your own:

‍

Customize a pre-built Vanta Test Parameter, using values such as numbers, lists, or strings
Create Custom Tests on any Vanta or partner-built (aka “pre-built”) integration’s data
Create Custom Tests on your own data with a Private Integration

‍

Customize a pre-built Vanta Test Parameter

Within Vanta-built tests, default settings are applied. In practice, you and your auditor might specify policies that slightly differ from the specifics of the Vanta-built test. For example, you and your auditor may determine that you need to retain logs for only 90 days as opposed to the default of 365 days for the Vanta-built test, “Server logs retained for 365 days (AWS).”

‍

To customize this, simply go to the specific test and adjust the value to the duration that meets your program needs. Today, Vanta has over 14 tests with customizable parameters, with more to come.

‍

*Change a parameter in a pre-built rule*

‍

Create Custom Tests with a pre-built integration

Now you can create your own Custom Tests using data from any Vanta-built or partner-built integration. These tests can be mapped back to controls and frameworks, both pre-built and custom, you are using to provide monitoring and evidence towards those goals.

‍

For example, let’s say you want to run tests on private Github repos. In general, security teams test that all Github repos have at least one required approval to merge to the default branch. You may decide that the private repos should have more approvals or that only one particular repo should have more approvals.

‍

With custom tests, this is now possible. Simply head over to the tests page and click, “Create Custom Test.” From there, enter the name and description, select from any of your connected integrations, and choose the resource you want to evaluate. Specify some conditions involving properties on that resource, and click, “Create.” Within your tests, Vanta will automatically perform this check on a recurring basis against your system and alert you along the way. Like other tests, your custom test can be mapped to controls and frameworks.

‍

Currently custom tests can only support a subset of all possible test logic. For instance, custom tests can only be built on one resource type at a time. In addition, only some properties, such as strings, numbers, and booleans, are supported for conditions. Stay tuned as we support more complex custom tests.

‍

If you want to create more complex tests on Vanta-built or partner-built integration data, you can query our GraphQL API and compute the test logic via a Private Integration.

‍

‍
*Create a custom rule from scratch with new logic*

‍

Create a Custom Test on your own data with a Private Integration

If you use in-house applications or systems that Vanta doesn’t have a pre-built integration for yet, or you want Vanta to only ingest test results and not the specifics of the source data, you can create Custom Tests on Private Integrations.

‍

To ensure a control is satisfied, some organizations may want to run tests against on-premises servers or compute resources at a cloud provider that does not integrate with Vanta. As a reminder, Private Integrations are only available to your Vanta instance. Creating a Custom Test on a Private Integration enables more technical teams to test the breadth of their tech stack and control set.

‍

To do this, you first need to create a Private Integration. See our developer docs for more information.

‍

Custom Tests, including the ability to change a parameter in a pre-built test, are now available for Vanta customers with Collaborate and Scale plans.

‍

Inspect tests for more visibility on Vanta-built tests and Custom Tests

To further support Vanta’s tests, you can now access Test Source Data within a Vanta-built test. This shows additional depth on how the test received data from the integrated service and the criteria being used for the test.

‍

Within the “Test data” tab, you can gain insight into the data Vanta is reading from integrated services and can assist in gathering details to quickly understand why a test may or may not be passing and then how to remediate any non-passing tests. This functionality can also be helpful during audit to further illustrate to an auditor how a control is satisfied.

‍

Within the “API requests” tab, you can understand when Vanta made the request, the resource type it was fetching, the URL used, and the status of that request. You can click on an individual request to see more details and even view or download the raw JSON file of the fetched data.

‍

You can also use this Test Source Data widget from Vanta-built tests to inspire the creation of your own Custom Test.

‍

Expanded test source data is now available to Vanta customers.

‍

Try it out for yourself

With our new test customization and visibility enhancements, our teams are focused on further automating compliance workflows for many teams, and making Vanta’s automated tests even better.

‍

If you’re a customer interested in trying out the new Custom Tests functionality, log in to the Tests page and at top right, click on “Create Custom Test.” If you’re not yet a Vanta customer and want to learn more, please request a demo.

‍

Access Review Stage	Content / Functionality
Across all stages	Easily create and save a new access review at a point in time View detailed audit evidence of historical access reviews
Setup access review procedures	Define a global access review procedure that stakeholders can follow, ensuring consistency and mitigation of human error in reviews Set your access review frequency (monthly, quarterly, etc.) and working period/deadlines
Consolidate account access data from systems	Integrate systems using dozens of pre-built integrations, or “connectors”. System account and HRIS data is pulled into Vanta. Upcoming integrations include Zoom and Intercom (account access), and Personio (HRIS) Upload access files from non-integrated systems View and select systems in-scope for the review
Review, approve, and deny user access	Select the appropriate systems reviewer and due date Get automatic notifications and reminders to systems reviewer of deadlines Automatic flagging of “risky” employee accounts that have been terminated or switched departments Intuitive interface to see all accounts with access, account accept/deny buttons, and notes section Track progress of individual systems access reviews and see accounts that need to be removed or have access modified Bulk sort, filter, and alter accounts based on account roles and employee title
Assign remediation tasks to system owners	Built-in remediation workflow for reviewers to request access changes and for admin to view and manage requests Optional task tracker integration to create tickets for any access changes and provide visibility to the status of tickets and remediation
Verify changes to access	Focused view of accounts flagged for access changes for easy tracking and management Automated evidence of remediation completion displayed for integrated systems Manual evidence of remediation can be uploaded for non-integrated systems
Report and re-evaluate results	Auditor can log into Vanta to see history of all completed access reviews Internals can see status of reviews in progress and also historical review detail