Step 1: Build and Manage Compliance Framework
In this step, the enterprise proactively prepares for compliance requirements by developing effective control policies and procedures. This is also an opportunity for IT to establish a repeatable system in which controls are monitored and their operation recorded, so that evidence is already on hand for future audits.
1.1 Build and Monitor Internal Controls Framework
There are a number of frameworks which the enterprise can apply to strengthen its compliance posture. Examples of such frameworks include Control Objectives for Information and related Technology (COBIT) and security standards such as ISO 17799/27002. In this first step, the enterprise assesses the various frameworks based on the enterprise’s needs to identify a helpful direction for ongoing compliance initiatives.
- Using the "Best Practice Framework Selection Tool," answer the questionnaire to assess which frameworks should be considered by the enterprise. The result is a recommendation on each framework based on each enterprise’s individual requirements.
- Apply a Governance Framework to Align IT Processes
- ITIL Is a Big Commitment, So Make Sure You Need It First
- SOX and ITIL: There Is No Dotted-Line Relationship!
- Align with COBIT to Harden the Data Center
- COBIT 4.0 Offers Quickstart Option for SMEs
- Where (and Where Not) to Use COSO for SOX Compliance
1.2 Optimize Response to External Requirements
Checklists and self-assessments are an easy way to demonstrate proof of compliance. They can also be assigned to process owners for areas that need improvement. In this step, an in-depth assessment of control gaps points you to the specific tools used to prove compliance in a wide range of areas.
- Select the areas of compliance which need improvement by using the "Control Self-Assessment" tool. The assessment can be completed by you or assigned to a particular process owner. The respondent answers a series of questions, and the answers direct you to the other compliance tools in this program that apply. Using these additional tools will further help demonstrate proof of compliance in more specific areas:
- Software Development Life Cycle (SDLC) Control Checklist. A template to use for verification of control implementation throughout the software development life cycle.
- Access Controls and SOX Controls Testing Worksheets. Two separate test sheets for verifying and demonstrating that access controls and SOX-specific controls are in place.
- Information Technology Standards and Guidelines Tool. A template used for demonstrating established technology standards within the enterprise.
- Compliance Checklist for Requirements. A requirements checklist demonstrating controls for financial and private data requirements.
- Data Classification Guide. A guide for cataloging and classifying data types and value within the enterprise.
- Control Test Sheets Reduce SOX Audit Risks
- Lost in the Wild: Find and Tag Unstructured Data
- Data Classification: Everything You Always Wanted to Know but Were Afraid to Ask
- Retool Requirements Gathering to Ensure Compliance
1.3 Staff Compliance Roles
In this section, the enterprise assesses its staffing roles, with particular emphasis on segregation of duties as a control. The section also explores the roles the enterprise may need in order to build an effective set of compliance skills.
- Help to create and demonstrate accountability by using the "Compliance Staffing Tool," which allows you to verify which IT duties and responsibilities overlap in a way that puts sensitive business processes at risk. A full set of compliance-related job description templates is included in this section. Fill these in with your enterprise's details to create evidence of compliance-related roles within the organization. These include:
- Chief Privacy Officer
- Corporate Compliance Officer
- Sarbanes-Oxley Project Manager
- IT Asset Manager
- Chief Risk Officer
- IT Controls Auditor
- Duty Segregation Mitigates Fraud
- Keep Internal Audit Teams Focused on Fraud Prevention
- Do-It-Yourself Audit Team Reins in Compliance Costs
- Chief Risk Officer: A New Role for Your Enterprise
Step 2: Assure Ongoing Integrity of Internal Controls
Once a framework has been constructed that makes secure controls repeatable, IT must put in place a mechanism for demonstrating that framework whenever it is required to. This step considers methods for doing so by evaluating the enterprise's need for an automated software solution, and for monitoring third parties.
Info-Tech Tip: It is much easier to select a vendor or business partner that is already certified to the mandated compliance standards than to try to compel existing vendors to go through certification. Build these requirements into vendor selection by specifying the certifications in a Request for Proposal (RFP) or other, less formal, vendor evaluations.
2.1 Gain Assurance of Ongoing Internal Controls
Some mid-to-large enterprises are in a compliance environment so complex that a software solution is required to effectively manage it. Yet the cost of compliance management software can be significant, so it's worthwhile to know if your enterprise is ready for this level of commitment.
- The "Compliance Management Software Readiness Assessment" will help you determine if a software package is necessary for monitoring ongoing compliance efforts. This tool examines factors including business goals, organizational commitment, environmental and process realities, existing applications, and training and support to calculate and visually present a readiness level.
2.2 Evaluate Internal Controls at Third Parties
Enterprises with compliance mandates are often required to hold third parties, such as service providers, to a legislated or otherwise prescribed level of compliance (e.g. SAS 70, HIPAA Trading Partner Agreement Clause). In this step, evaluate these third parties for suitability to a set of required standards.
- The "Service Provider Compliance Assessment" is an in-depth survey which can be completed by you or sent to prospective vendors. Use it to assess a third party's viability as a partner where compliance obligations make the enterprise accountable for engaging only compliance-certified business partners.