Policy Compliance Foundation Course
Course Objectives
Introduction
Agenda
Module 1
Understanding IT Policy Compliance
In this module, you will understand IT Compliance and learn about its need, scope, and benefits.
You will also identify the difference between laws, policies, and standards.
Module 2
IT Policy Compliance - Best Practices
In this module, you will learn some best practices that you can follow to be compliant with the IT standards, policies, and laws.
Module 3
Automation in IT Policy
In this module, you will identify the need for automation in the world of IT Compliance and its benefits.
We’re governed by many rules and regulations. Imagine what would happen if:
Internal Compliance
External Compliance
External considerations include satisfying the customer or end-user while protecting the company and end-user from harm. They revolve around:
Industry regulations
Government policies
Security frameworks
Client or customer contractual terms
Examples of government and industry certified auditors responsible for verifying IT policy compliance:
Administrative controls: The policies, procedures, and processes associated with the control objectives.
Physical and environmental controls: The physical protection of electronic and non-electronic information or assets. Examples are door locks, camera monitoring, and fire suppression.
Logical controls: A control of access to specific networks and resources by an authorized user; generally managed by information technology.
b. Auditor’s Mentality
i. Be aware of the auditor's objective, approach, and plan
ii. Understand the different risks that the auditor will evaluate
Audit process:
Inherent risk means things built into the audit situation that the auditor doesn’t control, such as type of business, activity, or other environmental factors.
Control risk refers to the likelihood that the control environment won’t detect or prevent an error or misstatement. When the client designs a better control environment, it automatically reduces control and audit risks.
Detection risk is the likelihood that an auditor’s testing won’t capture an error or misstatement. This is the audit risk area over which an auditor has the most control.
An auditor’s objective is to minimize overall audit risk.
Failed audits almost always trigger an increase in scope for future audits.
In the worst case, they can lead to potential financial penalties for the company, its directors, or individual officers. Top executives can lose their jobs by failing an audit due to a known issue that was never resolved.
Best practice #2: Align IT Policy Compliance and Security with the Business
Level 1: Minimal
Level 2: Reactive
Level 3: Evolving
Level 4: Continuously Compliant
Level 5: Strategic
Initial: Chaos
Repeatable: Rough repeatable outcome
Defined: Standard business process
Managed: Process managed based on defined stage metrics
Optimized: Includes deliberate process improvement
For policy compliance, the focus of reporting must be the business process layer or the specific business risk you’re trying to assess.
Example:
1. Privacy audits - for personally identifiable information.
2. Audits - for protection of intellectual property in research and development.
3. Operational reviews of controls - for critical lines of business, such as e-commerce.