Creating a Compliance Assessment Program on a Tight Budget
ASHLEY DEUBLE
Why Do We Need A Compliance Program
 We spend time and money creating all these policies – is the
business adhering to them?
 Are our critical assets actually being protected as we had originally
planned?
 Are there certain regulatory requirements that you must meet?
 Do we need to make the business aware of their responsibilities with regard to information security?
The Basic Roadmap
 Create policies, procedures, standards, controls & guidelines
 Socialise these with the business
 Create a compliance assessment in alignment with your
policies/standards/controls etc.
 Review the adherence to the policies
 Create a report and present findings back to the business
 Deal with risks and issues (accept, remediate, insure etc.)
 Review and mature the process
Preparation – Create Policies, Procedures, Standards & Guidelines
 Create Policies, Standards, Procedures & Guidelines (links to generic
template policies are at the end of the presentation)
 Talk to all parties that the policies may impact (e.g. HR, Legal etc.)
 Get policies approved by the Board or appropriate senior
management/representative
 Notify the general business of the new policies and their
responsibilities (possibly run some targeted sessions on business units
that are more heavily impacted).
Preparation – Example Policy
Preparation – Comply/Non-Comply
 This is a compliance assessment – we want compliant/non-compliant responses (yes or no).
 We want to be able to determine specific policy areas
where the business has deficiencies.
Preparation – What About Partial Compliance?
 Partial compliance is a sliding scale: at what point does someone become non-compliant?
 Is someone truly compliant if they are only partially compliant? For a yes/no assessment, record partial compliance as non-compliant.
 Note in the report that, although the business is non-compliant, it is already doing certain things that provide some form of compliance. The work needed to reach full compliance may be minimal, and this may also reduce the level of the finding.
Preparation – Consider The Maturity Level Of The Assessment Process
 Start with a process that your assessment team can handle
 Think about skill levels of staff here
 Either skill them up, or make the process simpler
 Does the process need to be completed by non security or IT staff at
remote locations?
 Mature and grow the process as the assessment teams get used to
the process (take them on a learning journey).
 Know what your end goal for the process is, and work towards it.
Preparation – Consider Who/What to Assess (Scope)
 Determine the scope of your assessment.
 Are you going to assess a facility, a business unit, a process, etc.?
 Do you want to assess local staff processes against what remote
managers think are happening (could be very different results)?
 Is this a part of a larger audit body of work?
Preparation – Consider How We Will Assess
 On-site with security staff
 Remote interviews conducted by security staff via phone or video
conference
 On-site personnel performing the assessment on behalf of the
security staff
 Self survey by the business
Assessment – Create A Process Flow
 Map out the process flow
 Sit down and run some tabletop exercises to check for
completeness
 Make sure you can tie into any additional process that you may
need (e.g. Risk Acceptance)
 Consider running a pilot assessment to test suitability
Assessment – Process Flow Example
Assessment – The Assessment Form
 Determine what elements you need so that you can assess the subject and then report on it accurately.
 Examples
 Policy question/statement
 Rating of importance/criticality
 Are they compliant?
 Who did you ask
 Notes?
Assessment – Assessment Question Example
 Example policy statement (AUP)
 <Company Name> proprietary information stored on electronic and
computing devices whether owned or leased by <Company Name>,
the employee or a third party, remains the sole property of <Company
Name>. You must ensure through legal or technical means that
proprietary information is protected in accordance with the Data
Protection Standard.
 Example Compliance question
 Is proprietary information protected in accordance with the "Data
Protection Standard" on all electronic and computing devices (whether
owned or leased by <Company>, employees or a third party)?
Assessment – The Assessment Form (example)
 Use the category and policy
statement number as a
reference when writing your
report
 Add any non-compliant
findings to your report as an
issue
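To show how the form elements above and the yes/no rule fit together, here is an added worked example (not from the deck): a small Python script that reads a completed form exported from Excel as CSV, rejects any answer other than yes/no/N/A, requires every row to carry a policy reference so each finding traces back to a policy statement, and turns each non-compliant row into a report issue keyed by category and statement number. The column names, the sample rows, and the rule that documented partial measures lower a finding by one level are assumptions made for this example.

```python
"""Turn a completed compliance assessment form into report issues.

The form columns follow the deck's suggested elements (policy reference,
question, criticality, compliant yes/no, who was asked, notes). The CSV
layout and the sample rows below are constructed for this example.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample form (what an Excel/CSV export of the form might look like).
SAMPLE_FORM = """\
category,ref,question,criticality,compliant,asked,notes
AUP,AUP-3,"Is proprietary information protected per the ""Data Protection Standard"" on all devices?",High,No,IT Manager (Site A),Laptops are encrypted; removable media not yet controlled
AUP,AUP-4,Are staff aware that proprietary information remains company property?,Medium,Yes,HR Lead,
ACC,ACC-1,Are privileged accounts reviewed at least quarterly?,High,No,Sysadmin (Site A),
ACC,ACC-2,Is multi-factor authentication enforced for remote access?,High,N/A,Sysadmin (Site A),No remote access is provided at this site
"""

LEVELS = ["Low", "Medium", "High"]  # finding levels, lowest to highest


@dataclass
class Issue:
    ref: str        # category + policy statement number: the report's reference
    category: str
    level: str
    question: str
    asked: str
    notes: str


def parse_compliant(value: str):
    """Enforce yes/no answers. 'Partial' is rejected: it belongs in the notes."""
    v = value.strip().lower()
    if v in ("yes", "y", "compliant"):
        return True
    if v in ("no", "n", "non-compliant"):
        return False
    if v in ("n/a", "na", "not applicable"):
        return None
    raise ValueError(f"compliance answer must be yes/no/N/A, got {value!r}")


def finding_level(criticality: str, notes: str) -> str:
    """Assumed rule: criticality sets the level; documented partial measures
    (non-empty notes) lower it by one step, never below Low."""
    level = criticality.strip().title()
    if level not in LEVELS:
        raise ValueError(f"unknown criticality {criticality!r}")
    if notes.strip():
        level = LEVELS[max(0, LEVELS.index(level) - 1)]
    return level


def issues_from_form(csv_text: str) -> list[Issue]:
    """Every non-compliant row becomes one issue; N/A and compliant rows are skipped."""
    issues = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["ref"].strip():
            # every question must trace back to a policy statement
            raise ValueError(f"row without policy reference: {row['question']!r}")
        if parse_compliant(row["compliant"]) is False:
            issues.append(Issue(
                ref=row["ref"].strip(),
                category=row["category"].strip(),
                level=finding_level(row["criticality"], row["notes"]),
                question=row["question"].strip(),
                asked=row["asked"].strip(),
                notes=row["notes"].strip(),
            ))
    return issues


def issues_overview(issues: list[Issue]) -> dict[str, int]:
    """Counts per level for the report's 'Issues overview' section."""
    counts = {lvl: 0 for lvl in LEVELS}
    for issue in issues:
        counts[issue.level] += 1
    return counts


def render_detailed_issues(issues: list[Issue]) -> str:
    """Plain-text 'Detailed issues' section, highest level first."""
    ordered = sorted(issues, key=lambda i: LEVELS.index(i.level), reverse=True)
    lines = []
    for n, issue in enumerate(ordered, 1):
        lines.append(f"Issue {n} [{issue.level}] {issue.ref} ({issue.category})")
        lines.append(f"  Question: {issue.question}")
        lines.append(f"  Asked:    {issue.asked}")
        if issue.notes:
            lines.append(f"  Notes:    {issue.notes} (partial measures in place)")
    return "\n".join(lines)


if __name__ == "__main__":
    found = issues_from_form(SAMPLE_FORM)
    print("Issues overview:", issues_overview(found))
    print(render_detailed_issues(found))
```

Running the script on the sample form yields two issues: AUP-3 is downgraded from High to Medium because the notes record partial measures, while ACC-1 stays High. Keeping the policy reference as the primary key is what lets the report, the remediation tracker and the next review cycle all point at the same statement.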
Assessment – Creating the Report
 Use a similar format to other reports in your organisation
 Make sure to include
 Executive summary
 Issues overview
 Detailed issues
 Recommendations
 Document control
Assessment – Reviewing the Report
 Always read the report to yourself before you send it to anyone to
review (you’ll find the majority of the mistakes before anyone else)
 Review amongst team members (peer review)
 Always keep track of any changes/amendments
 Seek management approval prior to sending to client
Assessment – Storing the Data/Evidence
 ENCRYPT! ENCRYPT! ENCRYPT! Keep the encryption keys/passphrases in a password safe, just in case the person who encrypted the evidence is unavailable.
 Create an encryption procedure to provide to the client if you
require them to send you any items of evidence.
 Use a file and folder naming system
 Keep one central “safe source” repository
Assessment – Reporting Findings
 Conduct a meeting with management to discuss high level findings
 Get their buy-in for remediation activities
 Conduct a meeting with technical staff to discuss detailed findings
 Explain the issues and provide recommendations to remediate
 Conduct a final close out meeting with all involved in the
assessment to ensure they are aware of the issues and willing to
remediate them
Improving the Program – Review Cycles/Maturing the Process
 How often should the process be reviewed (quarterly, yearly etc.)?
 What should be reviewed?
 Should you have an “improvement team”
 How do you communicate your changes? Will it require additional
training?
 Are you moving towards your end goal?
Improving the Program – GRC Tools
 Excel isn’t the best tool for running a compliance program, but most of us will have it as a standard application on our SOE (standard operating environment).
 Create your own tool (Sharepoint etc.)?
 Purchase a commercial tool (Archer etc.)?
Resources – Policies, Standards, Procedures & Guidelines
 SANS - http://www.sans.org/security-resources/policies/
 InstantSecurityPolicy - https://www.instantsecuritypolicy.com
 Information Shield - http://www.informationshield.com/info-security-policy.html
 ISO27001Security - http://www.iso27001security.com/
 ISO27001templates - http://www.iso27001templates.com/
 Beaker’s Policy Template - http://www.packetfilter.com/InfoSec_Policy-ISO17799.doc
Questions?
 @ashd_au
 Linkedin.com/in/ashleydeuble
Editor's Notes

  • #2 For many places the term “tight budget” means no budget, or a BAU (business-as-usual) activity
  • #4 MAYBE REMOVE AND CHANGE TO HAVE DELIVERABLES FOR THE PRESENTATION?
  • #5 Links to generic policies at the end of the presentation
  • #6 Links to generic policies at the end of the presentation
  • #8 Think about a lock with a 4 digit combination .. If you only have 3 digits to the combo the lock doesn’t open does it?
  • #15 We want to make sure that we can tie a compliance question directly back to a policy statement
  • #22 And Finally … If the program shows value then the business may be more willing to invest into it further