ITAC-12

Do you have a documented and implemented process for verifying accessibility conformance?

Explanation

This question asks whether your organization has a formal, documented process for ensuring that your IT products and services meet accessibility standards, and whether you actually follow that process in practice.

Accessibility in IT means designing and developing technology that can be used by people with a wide range of disabilities, including visual, auditory, physical, speech, cognitive, and neurological disabilities. In practice this means making websites, applications, and other digital content usable with assistive technologies such as screen readers, voice recognition software, and alternative input devices.

The question appears in a security assessment for several reasons:

1. Compliance: Many jurisdictions impose legal accessibility requirements (for example Section 508 for US federal procurement and the ADA in the US), and most of them point to WCAG as the technical standard to conform to. Non-conformance carries legal and financial risk.
2. Risk management: Accessibility defects are a business and reputational risk, especially for organizations serving the public sector or a diverse user population.
3. Inclusive security: Security controls must be usable by everyone, including people with disabilities. An MFA prompt, CAPTCHA, or consent dialog that a screen-reader user cannot operate will be worked around, disabled, or completed incorrectly, which weakens the control for everyone.

To answer this question well, you should:

1. Describe your formal accessibility testing and verification process.
2. Name the standards you follow (e.g., WCAG 2.1 Level AA).
3. Explain how the process is integrated into your development lifecycle.
4. Describe the tools, testing methods, and personnel involved.
5. Mention any third-party audits or certifications.
6. Provide evidence that the process is actually implemented, not just documented (test reports, tracked defects, audit results).

Example Responses

Example Response 1

Yes, our organization has a comprehensive accessibility conformance verification process that is fully documented and implemented. We follow WCAG 2.1 Level AA for all our web applications and Section 508 requirements for federal clients. Our process includes: 1) automated testing using axe-core and WAVE during development; 2) manual testing with assistive technologies, including the NVDA and JAWS screen readers; 3) user testing with individuals who have a range of disabilities; 4) formal accessibility reviews at key development milestones; and 5) annual third-party accessibility audits. Our development teams receive annual accessibility training, and we maintain Voluntary Product Accessibility Templates (VPATs) for all our products. Accessibility requirements are part of our product requirements, and we track accessibility issues in our bug tracking system with the same priority as security and functional issues. We can provide our accessibility conformance testing documentation and recent audit results upon request.
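The automated step in the response above is normally a tool such as axe-core running in CI. As an added illustration (not code from this page, from axe-core, or from any product described here), the stdlib-only Python below shows what such a gate does: it parses rendered HTML, maps each machine-checkable failure to the WCAG 2.1 success criterion it violates, and returns a pass/fail result a build pipeline can act on. The rule set, class names and the two sample pages are constructed for this example; a real programme would use a full engine and keep the manual and user-testing steps, since most WCAG criteria cannot be checked mechanically.

```python
"""Hypothetical CI accessibility gate: a few machine-checkable WCAG 2.1 rules.

Added example, not axe-core or WAVE. Uses only the standard library so it
runs offline; rule names and sample pages are constructed for illustration.
"""
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass(frozen=True)
class Finding:
    rule: str       # short rule identifier (hypothetical naming)
    criterion: str  # WCAG 2.1 success criterion the rule maps to
    detail: str     # human-readable description for the defect tracker


class A11yAuditor(HTMLParser):
    """Collects a handful of WCAG failures while parsing an HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.has_lang = False
        self.seen_title = False
        self.in_title = False
        self.title_text = ""
        self.label_for_ids = set()   # ids referenced by <label for="...">
        self.label_depth = 0         # > 0 while inside a <label> element
        self.controls = []           # (tag, id, has_aria_name, wrapped_in_label)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "html":
            self.has_lang = a.get("lang", "").strip() != ""
        elif tag == "title":
            self.seen_title = True
            self.in_title = True
        elif tag == "img":
            # alt="" is correct for decorative images; a missing alt attribute is not.
            if "alt" not in a:
                self.findings.append(Finding(
                    "img-alt", "1.1.1 Non-text Content",
                    f"<img src={a.get('src', '')!r}> has no alt attribute"))
        elif tag == "label":
            self.label_depth += 1
            if a.get("for"):
                self.label_for_ids.add(a["for"])
        elif tag in ("input", "select", "textarea"):
            # Buttons and hidden inputs take their accessible name from value/alt, not a label.
            if tag == "input" and a.get("type", "text").lower() in (
                    "hidden", "submit", "button", "reset", "image"):
                return
            named = bool(a.get("aria-label", "").strip()
                         or a.get("aria-labelledby", "").strip())
            self.controls.append((tag, a.get("id", ""), named, self.label_depth > 0))

    def handle_endtag(self, tag):
        if tag == "title":
            self.in_title = False
        elif tag == "label" and self.label_depth > 0:
            self.label_depth -= 1

    def handle_data(self, data):
        if self.in_title:
            self.title_text += data

    def finish(self):
        """Resolve document-level and deferred checks; return all findings."""
        self.close()
        if not self.has_lang:
            self.findings.append(Finding(
                "html-lang", "3.1.1 Language of Page", "<html> has no lang attribute"))
        if not self.seen_title or not self.title_text.strip():
            self.findings.append(Finding(
                "page-title", "2.4.2 Page Titled", "document has no non-empty <title>"))
        # A control needs an explicit label, a wrapping label, or an ARIA name.
        for tag, cid, named, wrapped in self.controls:
            if not (named or wrapped or (cid and cid in self.label_for_ids)):
                self.findings.append(Finding(
                    "control-name", "4.1.2 Name, Role, Value",
                    f"<{tag} id={cid!r}> has no label or accessible name"))
        return self.findings


def audit_html(html):
    """Run the auditor over one rendered page and return its findings."""
    auditor = A11yAuditor()
    auditor.feed(html)
    return auditor.finish()


def ci_gate(html):
    """Return (passed, findings); the release check fails on any finding."""
    findings = audit_html(html)
    return (len(findings) == 0, findings)


# Constructed sample pages (not real product pages). The first fails four rules.
SAMPLE_BAD = """<html><head></head><body>
<img src="hero.png">
<form>
  <input type="text" id="email">
  <input type="submit" value="Go">
</form>
</body></html>"""

SAMPLE_GOOD = """<html lang="en"><head><title>Sign in</title></head><body>
<img src="hero.png" alt="">
<form>
  <label for="email">Email</label><input type="text" id="email">
  <label>Password <input type="password"></label>
  <input type="search" aria-label="Search">
  <input type="submit" value="Go">
</form>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        passed, findings = ci_gate(page)
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
        for f in findings:
            print(f"  [{f.rule}] WCAG {f.criterion}: {f.detail}")
```

Each finding carries the success criterion so it can be filed in the same tracker as functional and security defects, which is what the response above describes; the gate returns a boolean so a pipeline can block a release on it.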

Example Response 2

Yes, we have implemented a documented accessibility verification process that is integrated into our software development lifecycle. Our process follows a shift-left approach in which accessibility is considered from the design phase onward. We maintain an Accessibility Playbook that documents our standard (WCAG 2.1 Level AA), testing procedures, and remediation workflows. Each quarter, our dedicated accessibility team performs comprehensive audits of our products using both automated tools (Siteimprove, axe DevTools) and manual testing techniques. A full-time accessibility specialist oversees this program and trains our development teams. All new features undergo accessibility review before release, and we conduct annual training for all product development staff. We document our conformance in regularly updated Accessibility Conformance Reports (ACRs) and maintain a public-facing accessibility statement on our website with contact details for users to report accessibility issues.

Example Response 3

No, we currently do not have a formal, documented process for verifying accessibility conformance. Our developers are aware of accessibility best practices and implement accessible features where possible, but we have not established standardized testing procedures or documentation requirements. We occasionally use automated accessibility checking tools during development, but on an ad-hoc basis rather than as part of a systematic process. We recognize this as an area for improvement and are currently developing a formal accessibility program. Our roadmap includes adopting accessibility standards based on WCAG 2.1, implementing regular testing procedures, providing staff training, and documenting our conformance levels. We expect to have this program in place within the next six months.

Context

Tab
IT Accessibility
Category
IT Accessibility

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub