Compliance Gap Remediation Management Framework by Ei7wPM6x


									                                                                                    Page 1 of 3


Original Created By:                   Original Issue Date:      Page:

Original Approved By:                  Revision Date:            Next Review Date:


1.   Summary
2.   Classifications
3.   Ownership & Responsibility
4.   PCI Remediation Project Team
5.   Status & Reporting

1. Summary: This framework will provide a structure to establish gap and remediation
   project ownership.

2. Classifications: Compliance/regulatory control gaps and remediation projects are classified,
   according to how they cross business lines, into 1 of 3 scenarios:

     2.1. Business unit (Single group) with remediation gap(s).
     2.2. Business process across multiple lines of business, with remediation gap(s).
     2.3. Business process with third party.

After a COMPLIANCE/REGULATORY control gap has been identified and confirmed by the
AUDIT MGT. Team and/or the contracted “Qualified Security Assessor” (AUDITOR), the
following process is to be followed.

3. Ownership & Responsibility:

   3.1. The first step is to identify the business owner of the data.
   3.2. The final determination is that the party that owns both the gap and the responsibility
        for compliance is the business owner of the in-scope data.
   3.3. For example, if a server, application or process is non-compliant, it is the
        responsibility of the business owner of the data it handles to lead and coordinate the
        remediation project and efforts.
   3.4. Although the remediation work and its execution may depend on the engineers who
        support the system, the responsible party is the owner of the data that brings the
        system and/or process into COMPLIANCE/REGULATORY scope and thus causes that
        system and/or process to be out of compliance.

          In short, it is the data that puts a system in scope in the first place, so if
          a system is out of compliance, the data owner holds final responsibility
          for bringing that system into compliance.

4. Remediation Project Team: After gap and remediation ownership has been
   established, create a PCI Remediation Project Team.

   4.1. Team Creation: The “PCI Remediation Project Team” should consist of the following:
      4.1.1. Identified and known affected business lines/groups
      4.1.2. The AUDIT MGT. Team
      4.1.3. Process and/or technology engineers/support
      4.1.4. Applicable vendors
      4.1.5. When applicable, the contracted Qualified Security Assessor (AUDITOR)

   4.2. Team Responsibilities: After all of the initial parties have been identified and/or
        contacted, set up a meeting to accomplish the following goals:
      4.2.1. Assign a group PM from either the business unit or the PMO
      4.2.2. Assign PMs and/or POCs for all affected business lines/groups
      4.2.3. Define the PCI control gap
      4.2.4. Discuss remediation options

   4.3. Remediation Options: After remediation options are determined, the following
        process is to be followed:
      4.3.1. Present remediation options to the AUDITOR – AUDIT MGT. Team
      4.3.2. Research the cost of each remediation option – Business lines/groups
      4.3.3. Research the impact of each remediation option on business operations – Business lines/groups

   4.4. Remediation Plan: After a remediation option has been agreed upon and reviewed
        by both the AUDIT MGT. and contracted AUDITOR, the following process is to be
      4.4.1. Formulate a remediation plan
      4.4.2. Establish an overall timeline to complete the remediation plan
      4.4.3. Define the business requirements
      4.4.4. Determine budget needs
      4.4.5. Obtain budget approval through appropriate budget sub-group
      4.4.6. Follow corporate SDLC to implement remediation to address the identified gap
      4.4.7. Include the AUDIT MGT. in the project status reporting distribution
      4.4.8. If third parties are involved, confirm that all legal documents are in place with
             the third-party entity (i.e. NDA, PCI compliance standing)
      4.4.9. Schedule periodic site visits to the third-party facility with AUDIT MGT. staff
             for facility and process review
      4.4.10. Log findings and address any compliance issues
      4.4.11. If compliance issues are found, contact the third-party liaison and determine
              the remediation path

5. Status & Reporting: Gap/Remediation Project Owners and PMs are required to keep
   the AUDIT MGT. Team informed of their efforts to move towards compliance. These
   updates are required and requested by upper management so that a high-level
   COMPLIANCE/REGULATORY compliance and remediation status can be known and

   5.1. Responsibility: Reporting the gap/remediation project status is the responsibility of
        the Remediation Project Manager, if one is designated; if no PM is assigned, it is the
        responsibility of the business/gap owner.

   5.2. Report Status to: Gap and remediation project status updates are to be made to the
        AUDIT MGT. Team, specifically the AUDIT MGT. Team project manager.

   5.3. Report Frequency: Remediation project status must be communicated at least
        bi-weekly.

   5.4. Report Content: Gap and remediation project status updates should include when
      5.4.1. Defined and assigned “Gap/Remediation Owner(s)”
      5.4.2. Project Manager (if assigned)
      5.4.3. “Remediation Project Team” meeting status and schedule
      5.4.4. Remediation strategy status (i.e. strategy development, budgeting, testing)
      5.4.5. Remediation timeline (high level timeline of final implementation/change)
