cts can have internal audit requirements loosened to make the audit
practice more cost-effective.
Overall, each active project should undergo an audit at least biannually. Generally, audits
after the initial one will be simpler to perform if sufficient audit information about
the application is retained.
Advertise this service to business owners and other stakeholders so that they may request
an audit for their projects. Detailed pass/fail results per requirement from the internal
standards should be delivered to project stakeholders for evaluation. Where practical, audit
results should also contain explanations of impact and remediation recommendations.

Policy & Compliance
PC 3
Require compliance and measure projects against organization-wide policies and standards

Activities
A. Create compliance gates for projects
Once an organization has established internal standards for security, the next level of enforcement is to set particular points in the project life-cycle where a project cannot pass
until it is audited against the internal standards and found to be in compliance.
Usually, the compliance gate is placed at the point of software release, such that a project
team is not allowed to publish a release until the compliance check passes. It is important to provide
enough time for the audit to take place and remediation to occur, so generally the audit
should begin earlier, for instance when a release is given to QA.
Even with a firm compliance gate, legacy or other specialized projects may not be able to
comply, so an exception approval process must also be created. No more than about 20%
of all projects should have exception approval.

B. Adopt solution for audit data collection
Organizations conducting regular audits of project teams generate a large amount of audit
data over time. Automation should be utilized to collect audit data, to manage its collation
for storage and retrieval, and to limit individual access to sensitive audit data.
For many concrete requirements from the internal standards, existing tools such as code
analyzers, application penetration testing tools, monitoring software, etc. can be customized
and leveraged to automate compliance checks against internal standards. The purpose of
automating compliance checks is both to improve the efficiency of audits and to enable more
staff to self-check for compliance before a formal audit takes place. Additionally, automated
checks are less error-prone and allow for lower latency in the discovery of problems.

Results
✦ Organization-level visibility of accepted risks due to non-compliance
✦ Concrete assurance for compliance at the project level
✦ Accurate tracking of past project compliance history
✦ Efficient audit process leveraging tools to cut manual effort

Add’l Success Metrics
✦ >80% projects in compliance with policies and standards as seen by audit
✦ <50% time per audit as compared to manual

Add’l Costs
✦ Buildout or license tools to automate audit against intern...
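As an added example (not part of the original SAMM text), the gate and metric logic from activities A and B applied to a set of constructed audit records in Python: per-requirement pass/fail results are reduced to a release-gate decision per project, an approved exception is honoured, a project whose last audit is older than the audit interval is flagged, and the organization-level shares are checked against the 80% compliance target and the 20% exception cap. The record format, requirement identifiers, dates and the reading of "biannually" as twice a year are all assumptions.

```python
from datetime import date, timedelta

# Constructed audit records (the record format is an assumption): one per
# project, with pass/fail per requirement of the internal standard.
AUDITS = [
    {"project": "billing", "audited": date(2014, 3, 1), "exception": False,
     "requirements": {"SEC-01": True, "SEC-02": True, "SEC-03": True}},
    {"project": "legacy-crm", "audited": date(2014, 2, 10), "exception": True,
     "requirements": {"SEC-01": True, "SEC-02": False, "SEC-03": True}},
    {"project": "portal", "audited": date(2013, 6, 1), "exception": False,
     "requirements": {"SEC-01": True, "SEC-02": True, "SEC-03": False}},
    {"project": "mobile", "audited": date(2014, 4, 20), "exception": False,
     "requirements": {"SEC-01": True, "SEC-02": True, "SEC-03": True}},
    {"project": "inventory", "audited": date(2014, 4, 1), "exception": False,
     "requirements": {"SEC-01": True, "SEC-02": True, "SEC-03": True}},
]

AS_OF = date(2014, 5, 1)              # constructed date of the gate review
AUDIT_INTERVAL = timedelta(days=182)  # "at least biannually", read as twice a year
MAX_EXCEPTION_SHARE = 0.20            # no more than about 20% of projects on exception
TARGET_COMPLIANT_SHARE = 0.80         # success metric: >80% of projects compliant

def failed_requirements(audit):
    """Per-requirement detail for stakeholders: which requirements failed."""
    return sorted(r for r, ok in audit["requirements"].items() if not ok)

def gate_decision(audit, today):
    """Release-gate outcome for one project: pass, exception, fail or stale."""
    if today - audit["audited"] > AUDIT_INTERVAL:
        return "stale"  # no current audit on file, so the gate cannot be passed
    if not failed_requirements(audit):
        return "pass"
    return "exception" if audit["exception"] else "fail"

def summarize(audits, today):
    """Organization-level view: gate decisions plus the two success metrics."""
    decisions = {a["project"]: gate_decision(a, today) for a in audits}
    n = len(audits)
    compliant = sum(d == "pass" for d in decisions.values()) / n
    on_exception = sum(d == "exception" for d in decisions.values()) / n
    return {
        "decisions": decisions,
        "compliant_share": compliant,
        "exception_share": on_exception,
        "meets_compliance_target": compliant > TARGET_COMPLIANT_SHARE,
        "within_exception_cap": on_exception <= MAX_EXCEPTION_SHARE,
    }

if __name__ == "__main__":
    print(summarize(AUDITS, AS_OF))
```

Only projects that pass outright count toward the compliance target; a project on exception is tracked separately as accepted risk, which is the organization-level visibility the Results list asks for.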
- Spring '14