A. … compliance drivers

While an organization might have a wide variety of compliance requirements, this activity is specifically oriented around those that either directly or indirectly affect the way in which the organization builds or uses software and/or data. Leverage internal staff focused on compliance if available.

Based on the organization's core business, conduct research and identify third-party regulatory standards with which compliance is required or considered an industry norm. Possibilities include the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), etc. After reading and understanding each third-party standard, collect the specific requirements related to software and data and build a consolidated list that maps each driver (third-party standard) to each of its specific security requirements. At this stage, try to limit the number of requirements by dropping anything considered optional or only recommended.

At a minimum, repeat this research at least twice a year to ensure the organization keeps up with changes to third-party standards. Depending upon the industry and the importance of compliance, this activity can vary in effort and personnel involvement, but it should always be done explicitly.

Results
✦ Increased assurance for handling a third-party audit with a positive outcome
✦ Alignment of internal resources based on the priority of compliance requirements
✦ Timely discovery of evolving regulatory requirements that affect your organization

Success Metrics
✦ >1 compliance discovery meeting in the past 6 months
✦ Compliance checklist completed and updated within the past 6 months
✦ >1 compliance review meeting with stakeholders in the past 6 months

Costs
✦ Initial creation and ongoing maintenance of the compliance checklist

Personnel
✦ Architects (1 day/yr)
✦ Managers (2 days/yr)
✦ Business Owners (1-2 days/yr)

Related Levels
✦ Strategy & Metrics - 1

B. Build and maintain compliance guidelines

Based upon the consolidated list of software- and data-related requirements from compliance drivers, elaborate the list by creating a corresponding response statement for each requirement. Sometimes called control statements, each response should capture what the organization does to ensure the requirement is met (or note why it does not apply).

Since typical audit practice often involves checking a control statement for sufficiency and then measuring the organization against the control statement itself, it is critical that control statements accurately represent actual organizational practices. Also, many requirements can be met by instituting simple, lightweight process elements that cover baseline compliance before evolving the organization toward better assurance down the road.

At a minimum, update and review control statements with stakeholders at least twice a year. Depending on the number of compliance drivers, it may make sense to perform updates more often.

Working from the consolidated list, identify major gaps to feed the future pla...

SAMM / The Security Practices - v1.0