
Policy Compliance Foundation Course

Course Objectives

• Describe Policy Compliance and define IT Policy Compliance
• List the benefits of IT Policy Compliance
• Identify policies, standards, and regulations applicable to your organization
• Explain the best practices for achieving required IT policy standards
• Identify the need for automation in IT Policy Compliance

Introduction

Organizations must comply with a variety of laws:

• Tax laws (federal, state, and local)
• Employment laws (workplace safety, unemployment, health insurance, etc.)
• Consumer protection laws
• Data protection laws (information security)

Agenda

Module 1
Understanding IT Policy Compliance
In this module, you will understand IT Compliance and learn about its need, scope, and benefits.
You will also identify the difference between laws, policies, and standards.
Module 2
IT Policy Compliance - Best Practices
In this module, you will learn best practices you can follow to stay compliant with the IT
standards, policies, and laws that apply to your organization.

Module 3
Automation in IT Policy
In this module, you will identify the need for automation in the world of IT Compliance and its
benefits.

Understanding Information Technology (IT) Policy Compliance

Compliance (Internal/External)

We are governed by many rules and regulations. Imagine what would happen if:

• You were allowed to drive at any speed
• You were allowed to build your house as high as you wished
• You were allowed to play loud music in residential areas

That is why we need a compliance program.


A compliance program is about education, scope, prevention, detection, collaboration, and
enforcement of rules and regulations at a fundamental level. Compliance programs prevent,
detect, and fix ethical and regulatory compliance risks at an organizational level. This is
achieved through adequate education and training, regular audit and monitoring, investigation
and discipline, and policies and procedures designed to prevent noncompliance.

IT Policy Compliance is the implementation and management of information technology under
accepted standards. It means taking appropriate control of information and protecting it:
how it is obtained, how it is stored and secured, how its availability is maintained, and how
the data itself is protected.

Internal Compliance

The internal compliance functions revolve around:

• Policies
• Goals
• Organizational structure of the business

External Compliance

External considerations include satisfying the customer or end user while protecting both the
company and the end user from harm. They revolve around:

• Industry regulations
• Government policies
• Security frameworks
• Client or customer contractual terms

What does IT Policy Compliance include?

IT Policy Compliance includes:
1. Organizational strategic objectives
2. User awareness and training
3. High-level policies, procedures, and standards
4. Configuration settings
5. Technology control
6. Ongoing monitoring
7. Business risk assessment
8. Internal and external audits

Laws, Policies, and Standards

Policy Compliance is proving that information technology operates in conformance with laws
and regulations. Auditors verify that compliance.

A policy is a high-level document, usually owned by management. It gives rise to standards,
which in turn are implemented through procedures. The policy is the foundation of all the
required documentation. When you understand this documentation hierarchy, it is easier to
adhere to IT policies and to help your organization become both secure and compliant.
Examples of laws that affect IT policy compliance:

• Energy regulation and the authority of federal agencies such as the US Federal Energy
  Regulatory Commission (FERC) and the North American Electric Reliability Corporation
  (NERC): Energy Policy Act of 2005
• Personal information breach notification: California SB 1386 and the American Recovery
  and Reinvestment Act of 2009 (ARRA)
• Personal data: UK Data Protection Act 1998

Standards that affect IT Policy Compliance:

• Information Technology Infrastructure Library (ITIL)
• Federal Financial Institutions Examination Council (FFIEC) Information Security Booklet
• Security Content Automation Protocol (SCAP)

Examples of government- and industry-certified auditors responsible for verifying IT policy
compliance:

• Internal auditors employed by an organization
• Certified Public Accountants (CPAs)
• Bank auditors, such as those from the Federal Reserve, the Federal Deposit Insurance
  Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC)
• Payment Card Industry (PCI) Qualified Security Assessors (QSAs)

Some basic questions that can help you are:

1. What law(s) apply to my company or agency?
2. What standards help to guide us toward compliance with those laws?
3. What type of audits and assessments are required for compliance?
4. What controls do we need in place to meet policy requirements?
5. What evidence do we need to substantiate compliance to auditors?

Best Practices – Introduction

• List the best practices to be followed for IT Policy Compliance
• Explain the importance of having IT Policy Compliance

IT Policy Compliance Best Practices

1. Align IT Policy Compliance and security with the business
2. Understand your technology environment
3. IT Compliance starts with policy
4. Establish accountability
5. Conduct a pre-audit or readiness assessment
6. Centralize IT Policy Program Management
7. Prioritize remediation activities
8. Coordinate IT Policy Compliance Management with other areas
9. Regularly monitor the whole compliance program
10. Remember the big picture

Best Practice #1: Align IT Policy

a. Maintain Your Perspective

i. Identify what you are trying to protect or control
ii. Understand your organization's policy control objectives

Administrative controls: The policies, procedures, and processes associated with the
control objectives.

Physical and environmental controls: The physical protection of electronic and non-electronic
information or assets. Examples are door locks, camera monitoring, and fire suppression.

Logical controls: Technical controls that restrict access to specific networks and resources
to authorized users; generally managed by information technology.

b. Auditor's Mentality

i. Be aware of the auditor's objective, approach, and plan
ii. Understand the different risks that the auditor will evaluate

An auditor's role is to decide whether your organization's policy controls are working and
whether they were correctly designed before deployment.

Audit process:

• Study the control design
• Understand the objectives
• Identify how the objectives align with the business
• Study the day-to-day processes employed by your organization
• Identify the underlying technologies used by the organization

Audit risk = Inherent risk × Control risk × Detection risk

• Inherent risk means factors built into the audit situation that the auditor does not
  control, such as the type of business, its activity, or other environmental factors.
• Control risk is the likelihood that the control environment will not prevent or detect
  an error or misstatement. When the client designs a better control environment, control
  risk, and with it audit risk, automatically decreases.
• Detection risk is the likelihood that the auditor's own testing will not catch an error
  or misstatement. This is the component of audit risk over which the auditor has the most
  control.

An auditor's objective is to minimize overall audit risk.

Failed audits almost always trigger an increase in scope for future audits. In the worst
case, they can lead to financial penalties for the company, its directors, or individual
officers. Top executives can lose their jobs by failing an audit due to a known issue that
was never resolved.

Best practice #2: Align IT Policy Compliance and Security with the Business

Identifying Organization’s Maturity Level

Model 1: Compliance Maturity Spectrum

Consider the Compliance Maturity Spectrum. It consists of five levels.

 Level 1: Minimal
 Level 2: Reactive
 Level 3: Evolving
 Level 4: Continuously Compliant
 Level 5: Strategic

Model 2: The SEI Capability Maturity Model (CMM)

 Initial: Chaos
 Repeatable: Rough repeatable outcome
 Defined: Standard business process
 Managed: Process managed based on defined stage metrics
 Optimized: Includes deliberate process improvement

Identifying Business Risk

For policy compliance, the focus of reporting must be the business process layer or the specific
business risk you’re trying to assess.

Examples:
1. Privacy audits, for personally identifiable information.
2. Audits for the protection of intellectual property in research and development.
3. Operational reviews of controls for critical lines of business, such as e-commerce.

Best practice #3: Understand your technology environment

Gauge your technology environment by asking:

• Is your environment homogeneous (things are relatively consistent)?
• Is your environment heterogeneous (there is a good amount of everything)?
• Does your environment use traditional standalone systems or newer virtualization
  technology?

Identifying Your Environment

The technology environment can be categorized as homogeneous or heterogeneous.

Homogeneous: The technical environment is largely consistent. Example: Microsoft,
Hewlett-Packard, or Dell for nearly all desktops, laptops, and servers, with networking
equipment from Cisco Systems, Inc.; deviations may exist, but they are rare.

Heterogeneous: A mix of technologies, versions, and compliance and security applications
that grows more complex over time, especially in large organizations. Acquisitions, mergers,
and changes in IT leadership and direction are typical causes. Each technology platform must
have a hardening policy describing the compliance and security settings that must be
applied. This should also include a description of the mitigating procedures by which that
system will protect critical information assets.
