Thesis

A Security Policy Complied Data Access Monitoring System (一個符合安全規範的資料存取監控系統)

Advisor: 陳英一

Abstract


In recent years, information systems have gradually become compliance-driven, and a variety of related laws have emerged. The US Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA), for example, are the starting point for many legislatures in governing information systems. At the same time, many international standards have been proposed, such as ISO 20000 and ISO/IEC 17799, in order to keep improving system quality and security.

To implement internal controls, IT professionals are constantly subject to numerous internal and external audits. The greatest challenge is how to comply with regulations within a value-driven organizational structure. This calls for an information system that automates compliance with security policies and performs continuous auditing, so that the information system remains secure and compliant with information security regulations at all times.

This thesis proposes a security-policy-compliant data access monitoring system. The system not only incorporates continuous auditing for automated regulatory compliance, but also takes the problem management, change management and configuration management processes of ITIL (IT Infrastructure Library) into account for process improvement, so that the system can be managed more effectively. To illustrate how this approach brings an information system into compliance with security regulations, particular attention is paid to how security regulations are transformed into security controls and auditing rules. Finally, a real case using commercially available technology is used to demonstrate the feasibility and advantages of the approach.

Keywords

Continuous auditing; ITIL; Compliance; Security policy; Monitoring

Abstract (English)


Information technology is becoming compliance-driven. The US Sarbanes-Oxley Act and the Health Insurance Portability and Accountability Act (HIPAA) are just two of the many legislative initiatives that are changing how IT services are managed. IT professionals are now subject to numerous internal and external audits, with a focus on IT internal controls. The challenge is to continue performing as a value-driven organization while complying with regulatory oversight. In this thesis, a compliance-driven process improvement framework based on the security policy lifecycle is proposed and discussed. This framework not only incorporates the concept of continuous auditing for automated compliance but also considers ITIL’s change management for process improvement. To illustrate how this framework can be used to guide security policy enforcement, a special focus is placed on how policies can be transformed into security controls and auditing rules using a disclosure-centric analysis. Finally, an implementation with real case scenarios using commercially available technology is constructed to demonstrate the feasibility and benefits of such a compliance-driven process.

Keywords (English)

Continuous Audit; ITIL; Compliance; Security Policy; Monitoring

