
Cybersecurity Compliance
Contents
Introduction
(1) Assess
(2) Draft
(3) Implement
(4) Evaluate
(5) Continuously Monitor
A cybersecurity compliance program is an organization-wide cycle of promoting security controls commensurate with the organization's risk acceptance. The Department of Justice compliance program evaluation guidance lists three characteristics of an effective compliance program:
(1) The program is well designed;
(2) The organization applies the program in good faith; and
(3) The program works.
The steps outlined below should assist your organization in designing, applying, and improving a cybersecurity compliance program. This guide divides the cybersecurity compliance process into five phases:
(1) Identify & Assign
(2) Draft
(3) Implement
(4) Assess & Review
(5) Continuously Monitor
The development of a cybersecurity compliance program begins with a compliance self-audit. Based on the audit's results, the appropriate organization members define the organization's information and communications technology (ICT) resources, cybersecurity requirements, and interested third parties to develop standard operating procedures and organization policies. All members of the organization then implement the new policies and procedures, and compliance personnel assess the program's effectiveness. The organization revises its policies and procedures and takes remedial action based on the assessment's results. IT personnel continue to monitor the program's effectiveness, while the organization's senior management monitors for any changes that may affect the organization's risk tolerance.
Risk Analysis
Phase 0
Fundamental components of the program include an organization's risk management framework and continuous monitoring strategy.
Assess
Phase 1
Draft
Phase 2
Implement
Phase 3
Evaluate
Phase 4
Continuously Monitor
Phase 5