IMPLEMENTING IT
COMPLIANCE
A GUIDE FOR IT ORGANIZATIONS AND SERVICE PROVIDERS
AGENDA
Compliance vs. Security
Compliance Program overview
Making the Program Successful: People
Making the Program Successful: Documentation
Making the Program Successful: Implementation
Making the Program Successful: Maintenance
Q & A
COMPLIANCE VS. SECURITY
Security:
Controls how corporate IT resources that contain information are accessed and used
Protects the information and underlying assets from internal and external threats
Consists of Devices, Applications, Protocols, and Procedures
Dynamic – corresponds to daily changes in the security threat landscape
COMPLIANCE VS. SECURITY
Compliance:
Conformity of the security program with standards proposed by regulatory organizations
Consists of documentation of how these standards are being met
Covers information and asset protection from internal, external, and environmental threats
Corresponds to changes in policies that are often spread out over years
COMPLIANCE PROGRAM REQUIREMENTS
WHO DEFINES THE STANDARDS
COMPLIANCE PROGRAM REQUIREMENTS
DETERMINATION OF APPLICABILITY
FEDERAL REGULATIONS:
INDUSTRY SPECIFIC
SOME REQUIREMENTS OVERLAP, SOME DON’T
HOMOGENEOUS THROUGHOUT THE COUNTRY
STATE REGULATIONS:
VARY FROM STATE TO STATE
SOME ARE INDUSTRY SPECIFIC, OTHERS ARE INDUSTRY AGNOSTIC
REQUIREMENTS VARY GREATLY
COMPLIANCE PROGRAM REQUIREMENTS
PROGRAM PURPOSE
MITIGATE RISKS
REDUCE FINES AND PENALTIES
IMPROVED IMAGE OF THE ORGANIZATION
CLIENT ACQUISITION/RETENTION
BASELINE SECURITY POLICY FRAMEWORK
COMPLIANCE PROGRAM REQUIREMENTS
BASE PROGRAM REQUIREMENTS
WRITTEN INFORMATION SECURITY POLICY
WRITTEN BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY
WRITTEN PERIODIC AUDIT POLICY
IDENTIFICATION OF KEY PERSONNEL
WRITTEN CHANGE MANAGEMENT POLICY
COMPLIANCE PROGRAM REQUIREMENTS
INFORMATION SECURITY POLICY
HOW IS ACCESS TO THE INFORMATION GRANTED
HOW IS ACCESS TO THE INFORMATION CONTROLLED
HOW IS ACCESS TO THE INFORMATION TERMINATED
HOW IS ACCESS TO THE SYSTEMS AND APPLICATIONS CONTROLLED
HOW ARE THREATS MANAGED AND REPORTED ON
HOW ARE INCIDENTS RESPONDED TO AND REPORTED ON
COMPLIANCE PROGRAM REQUIREMENTS
BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY
IDENTIFY SYSTEMS AND APPLICATIONS CRITICAL TO DAILY BUSINESS OPERATIONS
IDENTIFY RECOVERY TIME AND RECOVERY POINT OBJECTIVES FOR EACH SYSTEM AND APPLICATION
IDENTIFY PROVISIONS TO MEET RECOVERY TIME AND RECOVERY POINT OBJECTIVES
DESCRIBE THE BACKUP AND RECOVERY PROCESS FOR EACH SYSTEM AND APPLICATION
DETAIL TESTING FREQUENCY FOR THE BC/DR PLAN
DETAIL FREQUENCY OF BC/DR PLAN REVIEW AND UPDATE
COMPLIANCE PROGRAM REQUIREMENTS
KEY PERSONNEL
IDENTIFY PERSONNEL RESPONSIBLE FOR:
IMPLEMENTATION OF POLICY COMPONENTS
POLICY MAINTENANCE AND UPDATE
PERIODIC SYSTEM AUDITS AND ASSESSMENT
RISK IDENTIFICATION AND MITIGATION
PERFORMANCE OF TASKS AS IDENTIFIED BY POLICIES AND PROCEDURES
COMPLIANCE PROGRAM REQUIREMENTS
PERIODIC AUDIT
A COMPREHENSIVE ANNUAL AUDIT OF ALL POLICY COMPONENTS
AN ANNUAL THIRD PARTY PENETRATION AND VULNERABILITY ASSESSMENT
CONTINUOUS REVIEW OF STANDARDS TO ENSURE POLICY COMPLIANCE
AUDIT OF SYSTEMS AND APPLICATIONS DURING DEVELOPMENT AND POST PRODUCTION DEPLOYMENT
ANNUAL AUDIT REVIEW AND REMEDIATION PLANNING
COMPLIANCE PROGRAM REQUIREMENTS
CHANGE MANAGEMENT POLICY
DESCRIBES HOW SYSTEMS AND APPLICATIONS ARE UPDATED OR REPLACED
IF APPLICATIONS ARE DEVELOPED INTERNALLY, DESCRIBES THE APPLICATION DEVELOPMENT METHODOLOGY AND PROCESSES USED
NEW SYSTEM TESTING AND IMPLEMENTATION
CHANGE TRACKING
POST IMPLEMENTATION REVIEW/POST-MORTEM
COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: PEOPLE
IDENTIFY KEY BUSINESS STAKEHOLDERS TO ENSURE ORGANIZATION BUY-IN
ENSURE SEGREGATION OF DUTIES: DESIGN, IMPLEMENTATION, AUDIT
ASSIGN ROLES BASED ON FUNCTION IN THE ORGANIZATION
COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: PEOPLE
ENSURE THAT STAFF IS PROPERLY TRAINED ON THE POLICIES
MAKE SURE PEOPLE UNDERSTAND WHY THIS IS NECESSARY
TRAINING MUST BE PERIODIC AND CONTINUOUS
IT’S A TEAM EFFORT
COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: DOCUMENTATION
FORMAL DOCUMENT
VERSION TRACKING
IDENTIFY SCOPE AND TARGET AUDIENCE
IDENTIFY CONTROLS THE DOCUMENT ADDRESSES
COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: IMPLEMENTATION
TREAT IT LIKE YOU WOULD TREAT A SYSTEM DEPLOYMENT PROJECT
USE PROJECT MANAGEMENT METHODS/TOOLS
GIVE YOURSELF PLENTY OF TIME
UTILIZE A PHASED APPROACH
WORK CLOSELY WITH BUSINESS LEADERS
COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: IMPLEMENTATION
ENSURE CONTINUOUS BUY-IN
IDENTIFY IMPACT TO DAILY WORKFLOW
REVIEW WORKFLOW IMPACT WITH BUSINESS LEADERS TO MITIGATE PUSH BACK
ENSURE CONTINUOUS COMMUNICATION DURING THE IMPLEMENTATION
TEST WHENEVER POSSIBLE TO ADDRESS ISSUES PRIOR TO THEM BECOMING PROBLEMS
COMPLIANCE PROGRAM REQUIREMENTS
MAKING THE PROGRAM SUCCESSFUL: MAINTENANCE
PERIODICALLY REVIEW REQUIREMENTS FOR CHANGES
KEEP AN EYE ON BELLWETHER STATES: NY, MA, CA
KEEP UP TO DATE WITH GUIDANCE FROM (ISC)² AND NIST
USE THE AUDIT FUNCTION TO MAINTAIN THE PROGRAM
WORK WITH INDUSTRY PEERS TO TEST IDEAS
COMPLIANCE PROGRAM REQUIREMENTS
QUESTIONS AND ANSWERS