Chapter 14: Information Security Regulatory Compliance for Critical Infrastructure
Objectives • Articulate the need for information security at a national level. • Understand the intent and objectives of the Federal Information Security Management Act (FISMA). • Relate the privacy requirements of the Family Educational Rights and Privacy Act (FERPA) to information security elements.
Objectives cont. • Relate the integrity requirements of the Sarbanes-Oxley Act (SOX) to information security elements. • Develop an information security program that encompasses multiple regulations and requirements.
Introduction Information security regulations have been developed to address the potential for abuses of the confidentiality, integrity, and availability of the systems that our economy and our citizens depend upon. This chapter looks at three of these regulations: • Federal Information Security Management Act (FISMA) • Family Educational Rights and Privacy Act (FERPA) • Sarbanes-Oxley Act (SOX)
E-Government Is Becoming a Reality Benefits of e-government are: • Efficiency • Cost savings • Increased responsiveness Responsibility of e-government is to ensure: • Confidentiality • Integrity • Availability of the information and information systems used to provide government services
Security at a National Level • Title III of the E-Government Act of 2002 is FISMA (Federal Information Security Management Act) • Requires every federal agency to develop, document, and implement an agency-wide information security program covering the information and information systems that support its operations and assets, including those provided or managed by contractors and other sources on the agency's behalf
Elements Required for Compliance • Confidentiality of information • Integrity of information • Availability of information • Assurance that security measures are working (periodic testing and evaluation of controls, and annual reporting) • Accountability for compliance: the head of each federal agency is responsible and delegates authority to the agency's Chief Information Officer
NIST to the Rescue The National Institute of Standards and Technology provides the guidance agencies use to comply: • Standards for categorizing information and information systems by impact level (FIPS 199) • Guidelines mapping types of information to those categories (SP 800-60) • Minimum security requirements and security controls for each category (FIPS 200 and SP 800-53) • All of these publications can be downloaded from the NIST site at http://csrc.nist.gov/publications
The FISMA Implementation Project • Development of security standards and guidelines • Development of a program for accrediting organizations to conduct security certification services for federal agencies • Development of a program to validate commercial and government off-the-shelf security tools • The project can be found online at http://csrc.nist.gov/see-cert/ca-proj-phases.html
Protecting the Privacy of Student Records The Family Educational Rights and Privacy Act protects the privacy of student education records. • Applies to all schools that receive funding from the Department of Education • Intent is to protect confidentiality
What Is the Objective of FERPA? FERPA gives students (or, until the student turns 18 or enters a postsecondary institution, their parents) the following rights: • Education records can be inspected and reviewed • Records can be disclosed only with written consent, apart from a limited set of statutory exceptions (for example, to school officials with a legitimate educational interest) • Records believed to be inaccurate or misleading can be challenged and amended • Complaints can be filed with the Department of Education against a school that discloses records in violation of FERPA
What Is an Education Record? • An education record is any record directly related to a student and maintained by the institution (or by a party acting on its behalf), in any medium, that contains personally identifiable information • Directory information such as name, address, phone number, and dates of attendance may be disclosed without consent, but only if the school has given public notice of what it treats as directory information and the student has not opted out • Nondirectory information such as Social Security or student ID numbers, race/ethnicity/nationality/gender information, and transcripts/grade reports may not be disclosed without consent
It All Started with a Corporate Scandal • The Sarbanes-Oxley Act (SOX) of 2002 was a response to the corporate financial scandals of the early 2000s (Enron, WorldCom) • Regulates business processes, corporate accounting, and financial reporting • Emphasizes protecting the integrity and availability of financial data and of the records that support it
What Does SOX Have to Do with Information Security? • Financial reports are produced by information systems, so the accuracy of the reports depends on the controls over those systems • Companies must establish procedures to protect and preserve records and data from: • Destruction • Loss • Unauthorized alteration • Other misuse
Adopting a Control Framework • A control framework is a model or collection of controls that covers all of the internal controls expected in an organization • Two are generally accepted for SOX purposes: • COSO, which addresses enterprise-wide internal control over financial reporting • CobiT®, which addresses the IT controls that support it
Relevancy of ISO 17799:2000 • All of the government regulations covered so far have common elements that are addressed by ISO 17799 (since renumbered as ISO/IEC 27002) • ISO 17799 combined with an internal control framework such as COSO or CobiT® will incorporate most of the requirements of FISMA, FERPA, and SOX
Summary • Every organization, public and private, that processes, stores, or transmits information electronically is obligated to secure that information and the information systems that handle it. • The federal government has recognized that this important task is often overlooked. • Federal agencies, as well as contractors and other organizations that operate systems or handle information on an agency's behalf, are subject to FISMA.
Summary (Cont.) • To support compliance activities, the National Institute of Standards and Technology (NIST) has published, and continues to publish, guidance on a variety of topics. • Educational institutions that receive funding from the Department of Education are subject to FERPA. • Publicly traded, SEC-registered companies must comply with Section 404 of SOX, which requires management to assess and report on the effectiveness of internal controls over financial reporting.