[Figure: the competing forces of growth, risk management, compliance and agility]
CHAPTER 2
[Figure: compliance maturity, from Level 1 to Level 5, plotted against time]
Level 1
Risk Assessment
Penetration Testing
Vulnerability Scans
Gap Assessment
One of the least costly tests is a scan of your network and applications. It can detect weaknesses in your network security and help you avoid some cyber-attacks. Scanning is typically automated with software and often produces a large number of findings on the initial scan. Many of these may be false positives, which you will need to start tracking and excluding from future scans.
Level 2
You have some customers asking for compliance. Your product or service is sold across several verticals, with no single vertical yet emerging as your core compliance need.
Gap Assessment
Letter of Intent from Auditor
Remediation Plan (if any gaps found)
Gap Assessment Defined
(See Level 1 definition)
Letter of Intent from Auditor Defined
This option is not widely advertised by audit firms, and some firms may not agree to it. If you ask for a letter of intent, they should be able to provide one once you have a signed engagement. The letter is usually quite short and describes the services you have contracted the audit firm to perform. It may be on the audit firm's letterhead and include a point of contact. It will not state any opinion or conclusion. Share this letter with interested parties who want to know more about your compliance status; it can also help remove friction in the market and can be helpful in winning a competitive bid or contract, because it shows your intent to become compliant. Once you share this letter, the reader will expect you to make progress towards compliance.
Level 3
You have an immediate need to be compliant (either a Request for Proposal or a major partner requires it).
Compliance Readiness (project should be in flight)
Internal Auditor or Internal Compliance Team in Place
Strong Grasp on the Controls to Track to Compliance
Focusing on One Compliance Domain and Establishing it as Your Foundation
Letter of Intent from Auditor
Compliance Readiness Defined
You should have a project that manages compliance. Projects help implement change in organizations. Your compliance efforts will change the organization and should have their own project assigned to manage that change. By using a project approach, you will have a business case and a project plan against which to evaluate your compliance readiness. Prioritize the required changes and maximize their impact to be effective. A communication plan should be in place to keep stakeholders informed.
Level 4
Level 5
TIPS
Depending on the size of the audit firm you hire, you can use letters of intent to your advantage. A letter of intent states that the audit firm will perform an audit. It does not express a conclusion and is only a paragraph or two long. However, these letters can be useful for removing friction in the marketplace with prospective and current customers. A letter confirms your intent and buys you extra time (usually 6-18 months) to perform a gap analysis, remediate findings, and pass the assessment.
When undertaking an audit, you might fail some of the controls. It is okay to receive less than a 100% grade. For overachievers this can be difficult, because the findings are usually presented in red font at the top of the report; they stand out and make you look bad. Yet those findings show that the process was followed honestly. Most organizations have findings, and zero findings is the exception. It is also appropriate for you to comment on the findings and explain your response to each gap. This shows your maturity and understanding of the process.
It also helps the reader of the report if you put the findings in context. Provide the background and the business justification for your decision. Customers that want new features will understand that the change management process may be weaker, for example when highly desired features are implemented by circumventing the compliance-driven waterfall method. You can explain the rationale for your decision while maintaining your agility and high-growth strategy.
CONCLUSION
Reaching compliance nirvana takes time. You will need to measure the tradeoff between agility and growth. Each step along the way will build your confidence that you can strike the right balance. The better you manage the change, the more in command you will be of the final outcome.