III.D.4 Policy Compliance

Management should develop, implement, and monitor a process to measure IT compliance with the institution's established policies. In addition to the traditional reliance on internal and third-party audit functions, the institution should perform periodic self-assessments. The scope and frequency of self-assessments depend on the scale and historical performance of the IT function. Self-assessments provide management with an understanding of whether the institution is in compliance with the policies approved by the board.

