Compliance Management
Instruction Objectives
• Understand the role of IT policy
• Define compliance
• Identify key security components of IA regulation
• Explore the impact of standards on policy
Overview
• The role of policy in Information Assurance
• Regulatory inputs to organizational policy
• Standards inputs to organizational policy
Role of Policy
• Policy – the foundation of Cyber Security
Policy Development
• Policy is not developed in a vacuum
• Various influences
– Standards, Guidelines
– Law
– Organizational goals: profit, service, etc.
Law and Regulation
• Legislative trends
• Laws impacting IT:
– HIPAA, GLBA, SOX, FISMA
– States
• Standards:
– International
– National – NIST
Federal Trends
• As technology solutions expand, regulations will grow to protect citizens
HIPAA
• Health Insurance Portability and Accountability Act of 1996
• Mandates the development of a healthcare information exchange standard
• Requires accountability for the protection of Individually Identifiable Health Information
HIPAA
• Standards for Electronic Transactions
• Unique Identifiers Standard
• Security Rule
• Privacy Rule
HIPAA
• §164.308 – Administrative safeguards
• Security management process: implement policies and procedures to prevent, detect, contain, and correct security violations
– Risk analysis
– Risk management
– Sanction policy
– Information systems activity review
• Assigned security responsibility
• Workforce security
• Information access management
• Security awareness and training
– Security reminders
– Protection from malicious software
– Log-in monitoring
– Password management
• Security incident procedures
• Contingency plan
Gramm-Leach-Bliley
• Financial Services Modernization Act of 1999
• Updates regulation of the Financial Services industry
• Title V – Privacy
• Mandates publication of a Privacy Policy
Sarbanes-Oxley Act
• Corporate regulation to ensure accurate publication of financial information
• Adds a requirement to audit internal controls
• Internal controls = Information Assurance Policies
• Formal, auditable policies and practices
FISMA
• Federal Information Security Management Act of 2002
• Provides a common security framework for all federal agencies
• Decentralized implementation
• Generic Federal Template
Generic Federal Template
• Mandate electronic interaction
• Assign information security responsibility
• Assess information security risks
• Implement risk-mitigating controls
• Train personnel
• Report compliance assessment
State Laws
• CA 1386 – Mandates disclosure of security breach
• Other – Identity Theft, SSNs, Spyware
• Resource: National Conference of State Legislatures (www.ncsl.org)
Standards
• ISO 17799
– Security Policy
– System Access Control
– Computer and Operations Management
– System Development and Maintenance
– Physical and Environmental Security
– Compliance
– Personnel Security
– Security Organization
– Asset Classification and Control
– Business Continuity Management
Standards
• NIST – National Institute of Standards and Technology
• Publications
– ITL Bulletins
– FIPS publications
– Special publications
Standards Sample
• NERC – North American Electricity Reliability Cooperative
• Thorough standard for information security policy and compliance
• Focuses on Responsibility and Accountability
Summary
• Legislation tends toward accountability and responsibility.
• Many major industries have been required to formalize information security management.
• Standards often provide peer-accountability.
• These inputs help drive organizational policy.