Model | Governance | Policy & Compliance
The Policy & Compliance (PC) practice focuses on understanding and meeting external legal and regulatory requirements while driving internal security standards to ensure compliance in a way that’s aligned with the business purpose of the organization.
A driving theme for improvement within this practice is describing organization’s standards and 3rd party obligations as application requirements, enabling efficient and automated audits that may be leveraged within the SDLC and continuously demonstrate that all expectations are met.
In a sophisticated form, provision of this practice entails an organization-wide understanding of both internal standards and external compliance drivers while also maintaining low-latency checkpoints with project teams to ensure no project is operating outside expectations without visibility.
| Maturity level | Stream APolicy & Standards | Stream BCompliance Management | |
|---|---|---|---|
| 1 | Identify and document governance and compliance drivers relevant to the organization. | Determine a security baseline representing organization’s policies and standards. | Identify 3rd-party compliance drivers and requirements and map to existing policies and standards. |
| 2 | Establish application-specific security and compliance baseline. | Develop security requirements applicable to all applications. | Publish compliance-specific application requirements and test guidance. |
| 3 | Measure adherence to policies, standards, and 3rd-party requirements. | Measure and report on the status of individual application’s adherence to policies and standards. | Measure and report on individual application’s compliance with 3rd party requirements. |