tive compliance requirements, e.g., HIPAA, Sarbanes-Oxley, etc. Many legislative compliance documents want the requirements to be addressed; the legislation does not necessarily require the organization to introduce safeguards. Now let us be very clear here: there are many legislative requirements that the organization must address with the introduction of safeguards, but not all. This implies that for some compliance requirements, the organization must acknowledge the requirement, but not necessarily act upon that requirement. For final judgment on which requirements may be addressed versus which must be acted upon, seek legal advice from a qualified attorney. The best approach is to record an organizational response to all compliance requirements, whether acted upon or not. This supports the principle of conscious omission with good rationale versus omission by oversight.
8.4.1 Compliance Assessment

The activity of comparing as-is current compliance posture with to-be target compliance posture is a compliance assessment, which consists of four phases:

- Discovery
- Analysis
- Reporting
- Follow-up
The discovery phase identifies existing policy, standards, procedures, and practices. The analysis phase compares the details of each of these to the compliance requirements. The reporting phase produces gap analysis and remediation analysis reports. The follow-up phase produces remediation plans and progress tracking.

The policy, standards, and procedures are paper or electronic documents. Practice is the actual actions taken by personnel or agents of the organization, and the implementations of various safeguards. Performing a compliance assessment may take one of two general flavors. The first is an interview assessment, which entails many interviews to discuss policy, standards, procedures, and practice. The second is a validation assessment, which entails hands-on or eyes-on validation of the details in policy, standards, procedures, and practice.
Compliance assessment reporting may take two formats: a subjective narrative (the traditional manner) or an objective quantification of compliance analysis results.
8.4.1.1 Compliance Assessment: Subjective

The traditional approach to compliance assessment includes devising a questionnaire and using it during a series of interviews to gather information regarding the organization's current situation. Subsequent analysis of the information helps