Policy implementation tracker
10-28-2024 02:39 AM
Hi Everyone,
I'm looking for recommendations on how to track the implementation of specific requirements from a policy or standard.
I've digitized policy / standard reviews and approvals through IRM and I would like to soon start triggering policy acknowledgements to the respective audience (e.g. application owners) to make sure that they familiarize themselves with the specific requirements and flag any policy exceptions straightaway.
Typically, when a policy or standard gets issued, we would allow 6-12 months for everyone to "get compliant" with the requirements; however, this process would typically be managed outside of the IRM tool.
What my management would like to see is how we start tracking and reporting on the implementation efforts of expected requirements (so called "route to compliance").
How would you recommend running such a process?
Should I be converting the standard requirements to control objectives, link them with entity types and trigger control attestations straightaway?
Given the "route to compliance", should I be managing those "gaps" as issues despite the fact that compliance might be expected within the next 6-12 months?
11-18-2024 01:51 AM
Hi @kwiatolini There can be multiple ways to achieve this.
Approach 1: Step by Step
1. Convert standard requirements into control objectives (again, based on the requirements, you can decide whether they should be control objectives or citations).
2. Map the control objectives to the policy before publishing it, so that during policy acknowledgement, application owners also familiarize themselves with the specific requirements of the policy and the associated control objectives.
3. Now map the policy to the entity type, which generates controls in draft state (status empty); the control owner will be the application owner (entity owner). This will help to:
- Track compliance at policy level
- Entity owners can see the list of controls they need to be compliant with (just an overview); no action is required by application owners at this time.
4. As you mentioned, the time required to be compliant is managed outside IRM; I'm not sure if it is fixed (like 6 months from the date of publishing) or different for different requirements.
- If it is fixed, you can configure an event based on time criteria to move controls from draft to attest, which triggers the control attestation to the application owner.
- If it is not fixed, a compliance user can manually move the control from draft to attest state once the given time to be compliant is over.
5. Based on the compliance attestation result, the control status will be auto-updated and a compliance score calculated, which rolls up to the policy, entity, control objective and authority documents.
6. As you have given enough time to be compliant, there will be few non-compliant applications, which get automated issues to remediate or accept with a policy exception.
Approach 2: Big Bang
Steps 1, 2 and 3 remain the same.
4. Move all controls to attestation; application owners will mark them as non-compliant, which auto-generates an issue. Just accept the issue and raise a policy exception until the time you want application owners to be compliant (PE valid-to date = 6 months or 1 year). This will turn the control into compliant with exempt. After the valid-to date, the control will be non-compliant again and will need to be re-attested.
I'm not sure of the volume here; if there are 10 requirements against 100 applications, this will end up in 1000 issues and policy exceptions, so you need to evaluate the amount of effort this might lead to and opt for the best approach.
If I could help you with your Query then, please hit the Thumb Icon and mark as Correct !!
Happy Learning 😊