Tracking the IT controls that are in place for an organization doesn’t have to be a nightmare. It also doesn’t have to be expensive. It should, however, be organized and easy to publish.
In the past I’ve used a custom list in a Microsoft SharePoint site for several of my clients. These clients already had a SharePoint infrastructure so it was a good starting point. While SharePoint is flexible, it is not ubiquitous. There has to be a better way.
When going into an engagement we had our trusty, dusty spreadsheet of common control objectives, the control statement, testing frequency, etc. If you’re anything like me, spreadsheets are OK for about the first two pages; then I get bored and/or frustrated. I want more.
We’ve begun developing an application which will not only track the control statements and map them to compliance objectives such as SOX, HIPAA, FISMA and PCI, but will also allow you to copy in your policy statements, control test cases and testing evidence. All of this information is stored in a backend database which can be queried and reported on.
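To make the data model concrete, here is an added example (my own sketch, not the application's actual schema) of a control register in SQLite: controls with a testing frequency, a mapping table to compliance frameworks, an evidence table, and the kind of report query such a backend enables, namely the controls mapped to a framework that have never been tested or whose last test is older than their frequency. Table and column names, and the sample rows, are constructed assumptions.

```python
import sqlite3

# Assumed schema for the control register (my names, not the application's).
SCHEMA = """
CREATE TABLE control (id INTEGER PRIMARY KEY, objective TEXT NOT NULL,
    statement TEXT NOT NULL, test_frequency_days INTEGER NOT NULL);
-- one control can satisfy requirements in several frameworks (SOX, HIPAA, FISMA, PCI)
CREATE TABLE control_framework (control_id INTEGER REFERENCES control(id),
    framework TEXT NOT NULL, requirement TEXT,
    PRIMARY KEY (control_id, framework));
-- one row per test performed, with a pointer to the evidence artifact
CREATE TABLE test_evidence (id INTEGER PRIMARY KEY,
    control_id INTEGER REFERENCES control(id), tested_on TEXT NOT NULL,
    result TEXT NOT NULL, artifact TEXT);
"""

# Constructed sample data, not from any real engagement.
SAMPLE = """
INSERT INTO control VALUES
  (1,'Access review','User access is reviewed by system owners quarterly.',90),
  (2,'Log retention','Audit logs are retained for at least one year.',365),
  (3,'Change management','Production changes are approved before release.',90);
INSERT INTO control_framework VALUES
  (1,'SOX','ITGC access'),(1,'PCI','Req 7'),(2,'PCI','Req 10'),(3,'SOX','ITGC change');
INSERT INTO test_evidence VALUES
  (1,1,'2024-05-15','pass','reviews/2024-q2-access.pdf'),
  (2,2,'2023-03-01','pass','siem/retention-2023.png');
"""

# Controls mapped to a framework that were never tested, or whose last test
# is older than the control's testing frequency, as of a given date.
OVERDUE_SQL = """
SELECT c.objective, MAX(e.tested_on) AS last_tested
FROM control c
JOIN control_framework cf ON cf.control_id = c.id
LEFT JOIN test_evidence e ON e.control_id = c.id
WHERE cf.framework = ?
GROUP BY c.id
HAVING MAX(e.tested_on) IS NULL
    OR julianday(?) - julianday(MAX(e.tested_on)) > c.test_frequency_days
ORDER BY c.objective
"""

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE)
    return conn

def overdue_controls(conn, framework, as_of):
    """Return (objective, last_tested) rows needing attention for the framework."""
    return conn.execute(OVERDUE_SQL, (framework, as_of)).fetchall()
```

Calling `overdue_controls(build_sample_db(), "PCI", "2024-06-30")` reports the stale log-retention test, while the SOX report flags the change-management control that has no evidence at all.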
There are tools on the market today which do this and a zillion other things, with a high price of entry. What about the organization that wants to start small and grow into it? Or the consultant who works primarily in the SMB market, where $100K just can’t be justified? That’s the market we hope to tap with this.
As with most inventions, this started out as something we needed internally to reduce the time and effort of our engagements. It filled a void. Hopefully we’ll be able to help you fill a void as well. We’re still in the development stages on this but hope to have an alpha release shortly. If you’d be interested in testing the application, drop me a line.