1 / 21

Compliance Management

Compliance Management. Instruction Objectives. Understand the role of IT policy Define compliance Identify key security components of IA regulation Explore the impact of standards on policy. Overview. The role of policy in Information Assurance Regulatory inputs to organizational policy

cathy
Download Presentation

Compliance Management

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Compliance Management

  2. Instruction Objectives • Understand the role of IT policy • Define compliance • Identify key security components of IA regulation • Explore the impact of standards on policy

  3. Overview • The role of policy in Information Assurance • Regulatory inputs to organizational policy • Standards inputs to organizational policy

  4. Role of Policy • Policy – the foundation of Cyber Security

  5. Policy Development • Policy is not developed in a vacuum • Various influences • Standards, Guidelines • Law • Organizational goals: Profit, service, etc.

  6. Law and Regulation • Legislative trends • Laws impacting IT: • HIPAA, GLBA, SOX, FISMA • States • Standards: • International • National – NIST

  7. Federal Trends • As technology solutions expand, regulations will grow to protect citizens

  8. HIPAA • Health Insurance Portability and Accountability Act of 1996 • Mandates the development of a healthcare information exchange standard • Requires accountability for the protection of Individually Identifiable Health Information

  9. HIPAA • Standards for Electronic Transactions • Unique Identifiers Standard • Security Rule • Privacy Rule

  10. HIPAA • §164.308 – Administrative safeguards • Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations • Risk analysis • Risk Management • Sanction Policy • Information systems activity review • Assigned Security Responsibility • Workforce security • Information access management • Security awareness and training • Security reminders • Protection from malicious software • Log-in monitoring • Password management • Security incident procedures • Contingency plan

  11. Graham-Leach-Bliley • Financial Services Modernization Act of 1999 • Updates regulation of the Financial Services industry • TITLE V – Privacy • Mandates publication of Privacy Policy

  12. Sarbanes-Oxley Act • Corporate regulation to ensure accurate publication of financial information • Adds a requirement to audit internal controls • Internal controls = Information Assurance Policies • Formal, auditable policies and practices

  13. FISMA • Federal Information Security Management Act of 2002 • Provides a common security framework for all federal agencies • Decentralized implementation • Generic Federal Template

  14. Generic Federal Template • Mandate electronic interaction • Assign information security responsibility • Assess information security risks • Implement risk-mitigating controls • Train personnel • Report compliance assessment

  15. State Laws • CA 1386 – Mandates disclosure of security breach • Other – Identity Theft, SSNs, Spyware • Resource: National Council of State Legislatures (www.ncsl.org)

  16. Standards • ISO 17799 • Security Policy • System Access Control • Computer and Operations Management • System Development and Maintenance • Physical and Environmental Security • Compliance • Personnel Security • Security Organization • Asset Classification and Control • Business Continuity Management

  17. Standards • NIST – National Institute of Standards and Technology • Publications • ITL Bulletins • FIPS publications • Special publications

  18. Standards Sample • NERC – North American Electricity Reliability Cooperative • Thorough standard for information security policy and compliance • Focuses on Responsibility and Accountability

  19. Standards Sample

  20. Standards Sample

  21. Summary • Legislation tends toward accountability and responsibility. • Many major industries have been required to formalize information security management. • Standards often provide peer-accountability. • These inputs help drive organizational policy.

More Related