…mpliance drivers

While an organization might have a wide variety of compliance requirements, this activity is specifically oriented around those that either directly or indirectly affect the way in which the organization builds or uses software and/or data. Leverage internal staff focused on compliance if available.

Based on the organization's core business, conduct research and identify third-party regulatory standards with which compliance is required or considered an industry norm. Possibilities include the Sarbanes-Oxley Act (SOX), the Payment Card Industry Data Security Standard (PCI-DSS), the Health Insurance Portability and Accountability Act (HIPAA), etc. After reading and understanding each third-party standard, collect the specific requirements related to software and data and build a consolidated list that maps each driver (third-party standard) to each of its specific requirements for security. At this stage, try to limit the number of requirements by dropping anything considered optional or only recommended.

At a minimum, conduct this research at least twice a year to ensure the organization stays current on changes to third-party standards. Depending upon the industry and the importance of compliance, this activity can vary in effort and personnel involvement, but it should always be done explicitly.

B. Build and maintain compliance guidelines

Based upon the consolidated list of software- and data-related requirements from compliance drivers, elaborate the list by creating a corresponding response statement for each requirement. Sometimes called control statements, each response should capture what the organization does to ensure the requirement is met (or note why it does not apply). Since typical audit practice involves first checking a control statement for sufficiency and then measuring the organization against the control statement itself, it is critical that control statements accurately represent actual organizational practice: a statement that describes a process the organization does not follow fails the audit at the second step. Also, many requirements can be met by instituting simple, lightweight process elements that cover baseline compliance before the organization evolves toward stronger assurance down the road.

At a minimum, update and review control statements with stakeholders at least twice a year. Depending on the number of compliance drivers, it may make sense to perform updates more often.

Results
✦ Increased assurance for handling a third-party audit with a positive outcome
✦ Alignment of internal resources based on the priority of compliance requirements
✦ Timely discovery of evolving regulatory requirements that affect your organization

Success Metrics
✦ >1 compliance discovery meeting in the past 6 months
✦ Compliance checklist completed and updated within the past 6 months
✦ >1 compliance review meeting with stakeholders in the past 6 months

Costs
✦ Initial creation and ongoing maintenance of the compliance checklist

Personnel
✦ Architects (1 day/yr)
✦ Managers (2 days/yr)
✦ Business Owners (1-2 days/yr)

Related Levels
✦ Strategy & Metrics - 1

SAMM / The Security Practices - v1.0

Working from the consolidated list, identify major gaps to feed the future pla...