cts can have internal audit requirements loosened to make the audit practice more cost-effective. Overall, each active project should undergo an audit at least biannually. Generally, subsequent audits after the initial will be simpler to perform if sufficient audit information about the application is retained. Advertise this service to business owners and other stakeholders so that they may request an audit for their projects. Detailed pass/fail results per requirement from the internal standards should be delivered to project stakeholders for evaluation. Where practical, audit results should also contain explanations of impact and remediation recommendations.

Policy & Compliance
PC 3
Require compliance and measure projects against organization-wide policies and standards

Activities

A. Create compliance gates for projects
Once an organization has established internal standards for security, the next level of enforcement is to set particular points in the project life-cycle where a project cannot pass until it is audited against the internal standards and found to be in compliance. Usually, the compliance gate is placed at the point of software release, such that a project is not allowed to publish a release until the compliance check is passed. It is important to provide enough time for the audit to take place and remediation to occur, so generally the audit should begin earlier, for instance when a release is given to QA. Despite being a firm compliance gate, legacy or other specialized projects may not be able to comply, so an exception approval process must also be created. No more than about 20% of all projects should have exception approval.

B. Adopt solution for audit data collection
Organizations conducting regular audits of project teams generate a large amount of audit data over time. Automation should be utilized to assist in automated collection, manage collation for storage and retrieval, and to limit individual access to sensitive audit data. For many concrete requirements from the internal standards, existing tools such as code analyzers, application penetration testing tools, monitoring software, etc. can be customized and leveraged to automate compliance checks against internal standards. The purpose of automating compliance checks is both to improve the efficiency of audits and to enable more staff to self-check for compliance before a formal audit takes place. Additionally, automated checks are less error-prone and allow for lower latency on discovery of problems.

Results
✦ Organization-level visibility of accepted risks due to non-compliance
✦ Concrete assurance for compliance at the project level
✦ Accurate tracking of past project compliance history
✦ Efficient audit process leveraging tools to cut manual effort

Add’l Success Metrics
✦ >80% projects in compliance with policies and standards as seen by audit
✦ <50% time per audit as compared to manual

Add’l Costs
✦ Buildout or license tools to automate audit against intern...
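The release gate described in Activity A, and the per-requirement pass/fail records Activity B says should be collected, can be expressed as a small decision routine. The following is an added example and not part of the SAMM text or any SAMM tooling: the requirement identifiers (STD-*), project names, approver, dates and the record layout are all constructed for illustration. It blocks a release when any requirement from the internal standard failed or is missing from the audit, lets a release through only when an unexpired, approved exception covers every failed requirement, and reports the share of projects running on exceptions against the 20% ceiling the text gives.

```python
"""Release-time compliance gate over per-requirement audit results.

Added example, not from the OWASP SAMM document. Requirement ids, project
names, approver names and dates are constructed sample values.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Sequence, Tuple

# Constructed identifiers for requirements of a hypothetical internal standard.
REQUIREMENTS = ("STD-AUTH-01", "STD-INPUT-02", "STD-CRYPTO-03", "STD-LOG-04")


@dataclass
class ExceptionApproval:
    requirements: FrozenSet[str]   # requirement ids the exception waives
    approved_by: str               # who signed off (constructed value)
    expires: date                  # exceptions must be time-bounded


@dataclass
class AuditRecord:
    project: str
    audited_on: date
    results: Dict[str, bool]       # requirement id -> True (pass) / False (fail)
    exception: Optional[ExceptionApproval] = None


@dataclass
class GateDecision:
    project: str
    allowed: bool
    failed: Tuple[str, ...]        # requirements that block the release
    waived: Tuple[str, ...]        # failed requirements covered by an exception
    reason: str


def evaluate_gate(audit: AuditRecord, today: date) -> GateDecision:
    """Decide whether a release may pass the compliance gate.

    A requirement absent from the audit counts as failed: no evidence is not
    compliance. Failures pass only under an unexpired exception that covers
    every one of them.
    """
    failed = tuple(r for r in REQUIREMENTS if not audit.results.get(r, False))
    if not failed:
        return GateDecision(audit.project, True, (), (), "all requirements passed")
    exc = audit.exception
    if exc is None:
        return GateDecision(audit.project, False, failed, (), "failures and no exception")
    if exc.expires < today:
        return GateDecision(audit.project, False, failed, (),
                            f"exception expired on {exc.expires.isoformat()}")
    uncovered = tuple(r for r in failed if r not in exc.requirements)
    covered = tuple(r for r in failed if r in exc.requirements)
    if uncovered:
        return GateDecision(audit.project, False, uncovered, covered,
                            "exception does not cover all failures")
    return GateDecision(audit.project, True, (), covered,
                        f"waived by exception approved by {exc.approved_by}")


def run_gate(audits: Sequence[AuditRecord], today: date) -> List[GateDecision]:
    return [evaluate_gate(a, today) for a in audits]


def exception_share(audits: Sequence[AuditRecord], today: date) -> float:
    """Fraction of audited projects holding an unexpired exception approval."""
    if not audits:
        return 0.0
    on_exception = sum(1 for a in audits
                       if a.exception is not None and a.exception.expires >= today)
    return on_exception / len(audits)


def portfolio_within_limit(audits: Sequence[AuditRecord], today: date,
                           limit: float = 0.20) -> bool:
    """The text's ceiling: no more than about 20% of projects on exception."""
    return exception_share(audits, today) <= limit


# ---- constructed sample data (not real projects or audit output) ----------
AS_OF = date(2024, 6, 1)


def _results(*failing: str) -> Dict[str, bool]:
    return {r: (r not in failing) for r in REQUIREMENTS}


SAMPLE_AUDITS = [
    AuditRecord("billing-api", date(2024, 5, 20), _results()),
    AuditRecord("legacy-portal", date(2024, 5, 22), _results("STD-CRYPTO-03"),
                ExceptionApproval(frozenset({"STD-CRYPTO-03"}), "ciso", date(2024, 12, 31))),
    AuditRecord("mobile-app", date(2024, 5, 25), _results("STD-INPUT-02")),
    AuditRecord("batch-jobs", date(2024, 5, 27), _results("STD-LOG-04"),
                ExceptionApproval(frozenset({"STD-LOG-04"}), "ciso", date(2024, 1, 31))),
    AuditRecord("intranet", date(2024, 5, 28), {"STD-AUTH-01": True}),  # incomplete audit
]

if __name__ == "__main__":
    for d in run_gate(SAMPLE_AUDITS, AS_OF):
        verdict = "RELEASE" if d.allowed else "BLOCK  "
        print(f"{verdict} {d.project:14} failed={list(d.failed)} waived={list(d.waived)} ({d.reason})")
    print(f"projects on exception: {exception_share(SAMPLE_AUDITS, AS_OF):.0%}, "
          f"within 20% limit: {portfolio_within_limit(SAMPLE_AUDITS, AS_OF)}")
```

Two design points follow from the text rather than from convention: the gate treats a requirement with no recorded result as a failure, so an incomplete audit cannot slip through, and an exception is data with an expiry and a named approver, which is what makes the organization-level view of accepted risk in the Results section possible to produce from the same records.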