Information Security Awareness: It’s the Law SJSU

Posted on 01-Nov-2014


Page 1: Security Awareness

Information Security Awareness: It’s the Law

SJSU

Page 2: Security Awareness

- Employers are required to provide awareness training on information security.

- Employees must understand the legal requirements of information security.

Page 3: Security Awareness

This is a short recap of applicable laws and regulations.

It is intended to show that information security is a serious legal matter.

Page 4: Security Awareness

4 Main Laws: what they are about.

Page 5: Security Awareness

1. SOA (Sarbanes-Oxley Act)

Purpose of SOA: To prevent fraud.

CEO and CFO must personally certify the periodic financial disclosures and information integrity (security).

Information technology professionals are directly accountable for the internal controls around financial reporting.

Page 6: Security Awareness

(cont’d)

o Passed in response to a number of major corporate and accounting scandals involving prominent companies in the United States.

o Requires corporations to choose a recognized framework on which to base their internal controls.

Page 7: Security Awareness

2. GLB (Gramm-Leach-Bliley Act)

Organizations must develop and implement an appropriate information security program, based upon the size and nature of the organization and the sensitivity of the data it holds.

To ensure the security and confidentiality of customer data.

To protect against any reasonably anticipated threats or hazards to the security or integrity of such data.

To protect against unauthorized access to or use of such data that would result in substantial harm or inconvenience to any customer.

Page 8: Security Awareness

3. CSA (Computer Security Act)

Purpose of CSA: To improve security and privacy of sensitive information in Federal computer systems.

Must provide mandatory periodic training in computer security awareness.

Page 9: Security Awareness

4. FISMA (Federal Information Security Management) (not to be confused with the FISMA audit)

Purpose of FISMA: To protect the government’s information, operations and assets, based on a comprehensive framework.

Requires agency officials (e.g. the CFO) to conduct annual reviews of the agency’s information security program and report the findings to OMB.

Page 10: Security Awareness

4 Main Standards

Page 11: Security Awareness

1. ISO/IEC 17799:2000 (International Standards Organization / International Electrotechnical Organization)

Purpose of ISO/IEC 17799: To address topics in terms of policies and general good practices.

To establish a code of practices via guidelines and how-to’s for areas currently considered important when implementing or maintaining information security management.

Page 12: Security Awareness

(cont’d)

To provide a management standard that deals with an audit of the non-technical issues relating to installed IT systems.

ISO/IEC standards are used for IT compliance with Sarbanes-Oxley.

ISO/IEC 17799 is not designed to support an in-depth organizational information security review.

Page 13: Security Awareness

2. COSO (Committee of Sponsoring Organizations)

Implication of COSO: Full assessment of information security risk must be done.

SEC recommended COSO’s internal control framework as a basis for interpretation and enforcement of Sarbanes-Oxley.

Specifically requires that a formal risk assessment be performed to evaluate the internal and external factors that impact an organization’s performance.

COSO standards are used for IT compliance with Sarbanes-Oxley.

Page 14: Security Awareness

3. COBIT (Control Objectives for Information Technology)

Purpose of COBIT: To emphasize the IT perspective of COSO’s framework.

A comprehensive approach for managing risk and control of information technology.

COBIT standards are used for IT compliance with Sarbanes-Oxley.

Page 15: Security Awareness

4. NIST (National Institute of Standards and Technology)

Purpose of NIST: To develop and apply technology, measurement and standards.

The Computer Security Research Center at NIST focuses on 4 major areas:

- Cryptographic Standards and Applications

- Security Testing

- Security Research / Emerging Technologies

- Security Management and Guidance

NIST standards are used for IT compliance with Sarbanes-Oxley.

Page 16: Security Awareness

Other applicable standards regulating Info Security:

Page 17: Security Awareness

1. OMB Circular No. A-130

Purpose of OMB Circular No. A-130: To establish policies and guidelines for the management of information resources.

To provide a minimum set of controls to be included in automated information security programs.

The rules should be in writing and will form the basis for security awareness training.

Page 18: Security Awareness

2. HIPAA (Health Insurance Portability And Accountability)

Purpose of HIPAA:

To protect the confidentiality, integrity and availability of individuals’ information by controlling and monitoring information access.

To develop security standards that prevent unauthorized use, whether inadvertent or intentional.

Page 19: Security Awareness

Information security is about protecting individual privacy and preventing identity theft.

It is a job requirement – and it is the Law.

Page 20: Security Awareness

Recap: List of Laws & Regulations:

- SOA (Sarbanes-Oxley Act)

- GLB (Gramm-Leach-Bliley Act)

- CSA (Computer Security Act)

- FISMA (Federal Information Security Management)

- ISO/IEC 17799:2000

- COSO (Committee of Sponsoring Organizations)

- COBIT (Control Objectives for Information Technology)

- NIST (National Institute of Standards and Technology)

- OMB Circular No. A-130

- HIPAA (Health Insurance Portability and Accountability)

Page 21: Security Awareness

End