its entirety, or only part of any single compliance source may apply. Requirements
engineering identifies all relevant sources, decomposes the relevant sources into
compliance requirement statements, then uses these as justification for technical
specifications and IA specifications.
A Compliance Management Framework consists of the following:

- External
  - Explicit: legislation, regulation, codes of conduct
  - Implicit: derived from explicit requirement statements
- Internal
  - Explicit
    - Self-generated: internal policies, standards, and procedures
    - Self-imposed: industry standards like ISO 27001 and ISO 27002
  - Implicit: derived from internal requirements
The compliance management process includes discovery, decomposition,
analysis, tracking, and reporting of compliance requirements. The compliance
management process discovers the requirements, decomposes them into requirement
statements meaningful to the organization, analyzes them for intent and
implications, tracks dissemination of requirements to appropriate areas throughout the
enterprise, and reports awareness, understanding, and actual compliance levels.
The IA compliance management process is the integration of IA into the discovery,
decomposition, analysis, tracking, and reporting of compliance requirements.
A compliance assessment process evaluates the current posture of the
organization against the compliance requirements. The assessment process discovers the
current posture of the organization, compares the current posture against the
compliance requirements, analyzes the gaps and how to address the gaps, and produces
reports of the findings and recommendations for gap closure. The IA compliance
assessment process is the integration of IA into discovery, comparison, analysis,
findings, and recommendations as part of an overall compliance assessment.
IA compliance management thus far means the integration of IA into the
broader compliance management program. That is, IA integrates into the business
solution not as IA itself, but as modifications to the business solution to address the
risks. For example, moving a fax machine that receives medical supply orders from
a public area to a closed office addresses one aspect of privacy with respect to the
health industry. This simple modification does not introduce an IA solution, but
rather modifies the existing work environment to address an IA issue.