We're revisiting our compliance policies, and want to get input from all business units and other stakeholders,...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
but when we last did this, two to three years ago, the compliance review process became unruly. What's the best way to keep things in check? Solicit electronic feedback? Have a few meetings? Have an off-site? Who gets invited?
I'd encourage you to focus your efforts on the facts as much as possible. Generally speaking, compliance reviews are a fact-finding mission with several goals:
- Identify all activities in your organization that are subject to each compliance obligation.
- Identify the security controls in place surrounding those activities.
- Determine whether the security controls meet the requirements or whether you have compliance gaps.
- Design a remediation plan designed to fill any gaps, and bring your organization into compliance.
Ask the Expert
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous.)
You should avoid open-ended or philosophical questions that could lead to the type of unruly process you describe. I would suggest tackling each of the four goals above one at a time. Contact each business unit and provide them with the list of compliance-covered activities from your last assessment, and ask them to identify any changes that affect the list. Once you have a list of activities subject to various regulations, enumerate the controls surrounding those processes, identify any gaps and design remediation plans.
The format of your compliance review will depend upon its complexity and the culture of your organization. I prefer to hold annual face-to-face meetings with each stakeholder to review our organization's compliance plans, but that's the culture in my environment. If that would be unwieldy for you, due to your company's complexity or culture, consider conducting the review electronically instead. Whatever format you use, the key is to design the process in a manner that keeps participants focused on identifying facts, rather than rendering opinions.
Dig Deeper on IT Security Audits
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.