Enabling Processes
Enabling Processes
Enabling Processes
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
Monitor, Evaluate and Assess<br />
214<br />
: ENABLING PROCESSES<br />
MEA03 Process Practices, Inputs/Outputs and Activities<br />
Management Practice Inputs Outputs<br />
MEA03.01 Identify external<br />
compliance requirements.<br />
On a continuous basis, identify and monitor for changes<br />
in local and international laws, regulations and other<br />
external requirements that must be complied with from<br />
an IT perspective.<br />
From Description Description To<br />
Outside COBIT Legal and regulatory<br />
compliance requirements<br />
Compliance requirements<br />
register<br />
Log of required<br />
compliance actions<br />
Activities<br />
1. Assign responsibility for identifying and monitoring any changes of legal, regulatory and other external contractual requirements relevant to the use of<br />
IT resources and the processing of information within the business and IT operations of the enterprise.<br />
2. Identify and assess all potential compliance requirements and the impact on IT activities in areas such as data flow, privacy, internal controls, financial<br />
reporting, industry-specific regulations, intellectual property, health and safety.<br />
3. Assess the impact of IT-related legal and regulatory requirements on third-party contracts related to IT operations, service providers and business<br />
trading partners.<br />
4. Obtain independent counsel, where appropriate, on changes to applicable laws, regulations and standards.<br />
5. Maintain an up-to-date log of all relevant legal, regulatory and contractual requirements, their impact and required actions.<br />
6. Maintain a harmonised and integrated overall register of external compliance requirements for the enterprise.<br />
Management Practice Inputs Outputs<br />
MEA03.02 Optimise response to<br />
From Description Description To<br />
external requirements.<br />
������ ��� ������ ��������� ����������� ����������<br />
procedures and methodologies to ensure that legal,<br />
regulatory and contractual requirements are addressed<br />
Updated policies,<br />
principles, procedures<br />
and standards<br />
APO01.07<br />
APO01.08<br />
and communicated. Consider industry standards,<br />
Communications of EDM01.01<br />
codes of good practice, and best practice guidance for<br />
changed compliance All APO<br />
adoption and adaptation.<br />
Activities<br />
requirements<br />
All BAI<br />
All DSS<br />
All MEA<br />
�� ��������� ������ ��� ������ ��������� ����������� ���������� ���������� ��� ������������� ��� ����� ������������� �� �������� ��������� ����������<br />
and addressing enterprise risk using internal and external experts, as required.<br />
2. Communicate new and changed requirements to all relevant personnel.<br />
Management Practice Inputs Outputs<br />
MEA03.03 Confirm external compliance.<br />
From Description Description To<br />
Confirm compliance of policies, principles, standards,<br />
procedures and methodologies with legal, regulatory<br />
BAI05.06 Compliance audit results Identified compliance gaps MEA02.08<br />
and contractual requirements.<br />
BAI09.05 Results of installed licence<br />
audits<br />
Compliance confirmations EDM01.03<br />
BAI10.05 Licence deviations<br />
DSS01.04 Insurance policy reports<br />
Activities<br />
1. Regularly evaluate organisational policies, standards, procedures and methodologies in all functions of the enterprise to ensure compliance with<br />
relevant legal and regulatory requirements in relation to the processing of information.<br />
2. Address compliance gaps in policies, standards and procedures on a timely basis.<br />
3. Periodically evaluate business and IT processes and activities to ensure adherence to applicable legal, regulatory and contractual requirements.<br />
4. Regularly review for recurring patterns of compliance failures. Where necessary, improve policies, standards, procedures, methodologies, and<br />
associated processes and activities.<br />
Personal Copy of: Mr. Dong Hong Wang<br />
Internal<br />
Internal