A guide to implementing and maintaining an IT Compliance program for small and midsize businesses

1. IMPLEMENTING IT
COMPLIANCE
A GUIDE FOR IT ORGANIZATIONS AND SERVICE PROVIDERS

2. AGENDA
 Compliance vs. Security
 Compliance Program overview
 Making the Program Successful: People
 Making the Program Successful: Documentation
 Making the Program Successful: Implementation
 Making the Program Successful: Maintenance
 Q & A

3. COMPLIANCE VS. SECURITY
Controls how corporate IT resources that contain information are
accessed and used
Protects from internal and external threats
to the information and underlying assets
Consists of Devices, Applications, Protocols, and Procedures
Dynamic – corresponds to daily changes in
the security threat landscape

4. COMPLIANCE VS. SECURITY
Conformity of the security program with standards
proposed by regulatory organizations
Consists of documentation of how these standards are
being met
Covers information and asset protection from
internal, external, and environmental threats
Corresponds to changes in policies that are often
spread out over years

5. COMPLIANCE PROGRAM REQUIREMENTS
WHO DEFINES THE STANDARDS

6. COMPLIANCE PROGRAM REQUIREMENTS
DETERMINATION OF APPLICABILITY
FEDERAL REGULATIONS
INDUSTRY SPECIFIC
SOME REQUIREMENTS OVERLAP, SOME DON’T
STATE REGULATIONS
VARY FROM STATE TO STATE
SOME ARE INDUSTRY SPECIFIC, OTHERS ARE INDUSTRY AGNOSTIC
HOMOGENEOUS THROUGHOUT THE COUNTRY
REQUIREMENTS VARY GREATLY

7. COMPLIANCE PROGRAM REQUIREMENTS
PROGRAM PURPOSE
MITIGATE RISKS
REDUCE FINES AND PENALTIES
IMPROVED IMAGE OF THE ORGANIZATION
CLIENT ACQUISITION/RETENTION
BASELINE SECURITY POLICY FRAMEWORK

8. COMPLIANCE PROGRAM REQUIREMENTS
BASE PROGRAM REQUIREMENTS
WRITTEN INFORMATION SECURITY POLICY
WRITTEN BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY
WRITTEN PERIODIC AUDIT POLICY
IDENTIFICATION OF KEY PERSONNEL
WRITTEN CHANGE MANAGEMENT POLICY

9. COMPLIANCE PROGRAM REQUIREMENTS
INFORMATION SECURITY POLICY
HOW IS ACCESS TO THE INFORMATION GRANTED
HOW IS ACCESS TO THE INFORMATION CONTROLLED
HOW IS ACCESS TO THE INFORMATION TERMINATED
HOW IS ACCESS TO THE SYSTEMS AND APPLICATIONS CONTROLLED
HOW ARE THREATS MANAGED AND REPORTED ON
HOW ARE INCIDENTS RESPONDED TO AND REPORTED ON

10. COMPLIANCE PROGRAM REQUIREMENTS
BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY
IDENTIFY SYSTEMS AND APPLICATIONS CRITICAL TO DAILY BUSINESS
OPERATIONS
IDENTIFY RECOVERY TIME AND RECOVERY POINT OBJECTIVES FOR EACH
SYSTEM AND APPLICATION
IDENTIFY PROVISIONS TO MEET RECOVERY TIME AND RECOVERY POINT
OBJECTIVES
DESCRIBE THE BACKUP AND RECOVERY PROCESS FOR EACH SYSTEM AND
APPLICATION
DETAIL TESTING FREQUENCY FOR THE BC/DR PLAN
DETAIL FREQUENCY OF BC/DR PLAN REVIEW AND UPDATE

11. COMPLIANCE PROGRAM REQUIREMENTS
BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY
IDENTIFY SYSTEMS AND APPLICATIONS CRITICAL TO DAILY BUSINESS
OPERATIONS
IDENTIFY RECOVERY TIME AND RECOVERY POINT OBJECTIVES FOR EACH
SYSTEM AND APPLICATION
IDENTIFY PROVISIONS TO MEET RECOVERY TIME AND RECOVERY POINT
OBJECTIVES
DESCRIBE THE BACKUP AND RECOVERY PROCESS FOR EACH SYSTEM AND
APPLICATION
DETAIL TESTING FREQUENCY FOR THE BC/DR PLAN
DETAIL FREQUENCY OF BC/DR PLAN REVIEW AND UPDATE

12. COMPLIANCE PROGRAM REQUIREMENTS
KEY PERSONNEL
IDENTIFY PERSONNEL RESPONSIBLE FOR:
IMPLEMENTATION OF POLICY COMPONENTS
POLICY MAINTENANCE AND UPDATE
PERIODIC SYSTEM AUDITS AND ASSESSMENT
RISK IDENTIFICATION AND MITIGATION
PERFORMANCE OF TASKS AS IDENTIFIED BY POLICIES AND PROCEDURES

13. COMPLIANCE PROGRAM REQUIREMENTS
PERIODIC AUDIT
A COMPREHENSIVE ANNUAL AUDIT OF ALL POLICY COMPONENTS
AN ANNUAL THIRD PARTY PENETRATION AND VULNERABILITY ASSESSMENT
CONTINUOUS REVIEW OF STANDARDS TO ENSURE POLICY COMPLIANCE
AUDIT OF SYSTEMS AND APPLICATIONS DURING DEVELOPMENT AND POST
PRODUCTION DEPLOYMENT
ANNUAL AUDIT REVIEW AND REMEDIATION PLANNING

14. COMPLIANCE PROGRAM REQUIREMENTS
CHANGE MANAGEMENT POLICY
DESCRIBES HOW SYSTEMS AND APPLICATIONS ARE UPDATED OR REPLACED
IF APPLICATIONS ARE DEVELOPMENT INTERNALLY, DESCRIBES APPLICATION
DEVELOPMENT METHODOLOGY AND PROCESSES USED
NEW SYSTEM TESTING AND IMPLEMENTATION
CHANGE TRACKING
POST IMPLEMENTATION REVIEW/POST-MORTEM

15. COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: PEOPLE
IDENTIFY KEY BUSINESS STAKEHOLDERS
TO ENSURE ORGANIZATION BUY-IN
ENSURE SEGREGATION OF DUTIES:
DESIGN, IMPLEMENTATION, AUDIT
ASSIGN ROLES BASED ON FUNCTION
IN THE ORGANIZATION

16. COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: PEOPLE
ENSURE THAT STAFF IS PROPERLY
TRAINED ON THE POLICIES
MAKE SURE PEOPLE UNDERSTAND
WHY THIS IS NECESSARY
TRAINING MUST BE PERIODIC AND
CONTINUOUS
IT’S A TEAM EFFORT

17. COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: DOCUMENTATION
FORMAL DOCUMENT
VERSION TRACKING
IDENTIFY SCOPE AND TARGET AUDIENCE
IDENTIFY CONTROLS THE DOCUMENT ADDRESSES

18. COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: IMPLEMENTATION
TREAT IT LIKE YOU WOULD TREATE A SYSTEM DEPLOYMENT PROJECT
USE PROJECT MANAGEMENT METHODS/TOOLS
GIVE YOURSELF PLENTY OF TIME
UTILIZE A PHASED APPROACH
WORK CLOSELY WITH BUSINESS LEADERS

19. COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: IMPLEMENTATION
ENSURE CONTINUOUS BUY-IN
IDENTIFY IMPACT TO DAILY WORKFLOW
REVIEW WORKFLOW IMPACT WITH BUINESS
LEADERS TO MITIGATE PUSH BACK
ENSURE CONTINUOUS COMMUNICATION
DURING THE IMPLEMENTATION
TEST WHENEVER POSSIBLE TO ADDRESS
ISSUES PRIOR TO THEM BECOMING
PROBLEMS

20. COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: MAINTENANCE
PERIODICALLY REVIEW REQUIREMENTS FOR CHANGES
KEEP AN EYE ON BELL-WEATHER STATES: NY, MA, CA
KEEP UP TO DATE WITH GUIDANCE FROM
ISC(2) AND NIST
USE THE AUDIT FUNCTION TO MAINTAIN
THE PROGRAM
WORK WITH INDUSTRY PEERS TO TEST
IDEAS

21. COMPLIANCE PROGRAM REQUIREMENTS
QUESTIONS AND ANSWERS