Compliance Management. Instruction Objectives. Understand the role of IT policy Define compliance Identify key security components of IA regulation Explore the impact of standards on policy. Overview. The role of policy in Information Assurance Regulatory inputs to organizational policy
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Instruction Objectives • Understand the role of IT policy • Define compliance • Identify key security components of IA regulation • Explore the impact of standards on policy
Overview • The role of policy in Information Assurance • Regulatory inputs to organizational policy • Standards inputs to organizational policy
Role of Policy • Policy – the foundation of Cyber Security
Policy Development • Policy is not developed in a vacuum • Various influences • Standards, Guidelines • Law • Organizational goals: Profit, service, etc.
Law and Regulation • Legislative trends • Laws impacting IT: • HIPAA, GLBA, SOX, FISMA • States • Standards: • International • National – NIST
Federal Trends • As technology solutions expand, regulations will grow to protect citizens
HIPAA • Health Insurance Portability and Accountability Act of 1996 • Mandates the development of a healthcare information exchange standard • Requires accountability for the protection of Individually Identifiable Health Information
HIPAA • Standards for Electronic Transactions • Unique Identifiers Standard • Security Rule • Privacy Rule
HIPAA • §164.308 – Administrative safeguards • Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations • Risk analysis • Risk Management • Sanction Policy • Information systems activity review • Assigned Security Responsibility • Workforce security • Information access management • Security awareness and training • Security reminders • Protection from malicious software • Log-in monitoring • Password management • Security incident procedures • Contingency plan
Sarbanes-Oxley Act • Corporate regulation to ensure accurate publication of financial information • Adds a requirement to audit internal controls • Internal controls = Information Assurance Policies • Formal, auditable policies and practices
FISMA • Federal Information Security Management Act of 2002 • Provides a common security framework for all federal agencies • Decentralized implementation • Generic Federal Template
Generic Federal Template • Mandate electronic interaction • Assign information security responsibility • Assess information security risks • Implement risk-mitigating controls • Train personnel • Report compliance assessment
State Laws • CA 1386 – Mandates disclosure of security breach • Other – Identity Theft, SSNs, Spyware • Resource: National Council of State Legislatures (www.ncsl.org)
Standards • ISO 17799 • Security Policy • System Access Control • Computer and Operations Management • System Development and Maintenance • Physical and Environmental Security • Compliance • Personnel Security • Security Organization • Asset Classification and Control • Business Continuity Management
Standards • NIST – National Institute of Standards and Technology • Publications • ITL Bulletins • FIPS publications • Special publications
Standards Sample • NERC – North American Electricity Reliability Cooperative • Thorough standard for information security policy and compliance • Focuses on Responsibility and Accountability
Summary • Legislation tends toward accountability and responsibility. • Many major industries have been required to formalize information security management. • Standards often provide peer-accountability. • These inputs help drive organizational policy.