Compliance Management

Instruction Objectives

• Understand the role of IT policy• Define compliance• Identify key security components of

IA regulation• Explore the impact of standards on

policy

Overview

• The role of policy in Information Assurance

• Regulatory inputs to organizational policy

• Standards inputs to organizational policy

Role of Policy

• Policy – the foundation of Cyber Security

Policy Development

• Policy is not developed in a vacuum• Various influences– Standards, Guidelines– Law– Organizational goals:

Profit, service, etc.

Law and Regulation

• Legislative trends• Laws impacting IT:– HIPAA, GLBA, SOX, FISMA– States

• Standards:– International– National – NIST

Federal Trends

• As technology solutions expand, regulations will grow to protect citizens

HIPAA

• Health Insurance Portability and Accountability Act of 1996

• Mandates the development of a healthcare information exchange standard

• Requires accountability for the protection of Individually Identifiable Health Information

HIPAA

• Standards for Electronic Transactions• Unique Identifiers Standard• Security Rule• Privacy Rule

HIPAA• §164.308 – Administrative safeguards• Security management process: Implement policies and procedures

to prevent, detect, contain, and correct security violations– Risk analysis– Risk Management– Sanction Policy– Information systems activity review

• Assigned Security Responsibility• Workforce security• Information access management• Security awareness and training

– Security reminders– Protection from malicious software– Log-in monitoring– Password management

• Security incident procedures• Contingency plan

Graham-Leach-Bliley

• Financial Services Modernization Act of 1999

• Updates regulation of the Financial Services industry

• TITLE V – Privacy• Mandates publication of Privacy

Policy

Sarbanes-Oxley Act

• Corporate regulation to ensure accurate publication of financial information

• Adds a requirement to audit internal controls

• Internal controls = Information Assurance Policies

• Formal, auditable policies and practices

FISMA

• Federal Information Security Management Act of 2002

• Provides a common security framework for all federal agencies

• Decentralized implementation• Generic Federal Template

Generic Federal Template

• Mandate electronic interaction• Assign information security

responsibility• Assess information security risks• Implement risk-mitigating controls• Train personnel• Report compliance assessment

State Laws

• CA 1386 – Mandates disclosure of security breach

• Other – Identity Theft, SSNs, Spyware• Resource: National Council of State

Legislatures (www.ncsl.org)

Standards

• ISO 17799– Security Policy– System Access Control– Computer and Operations Management– System Development and Maintenance– Physical and Environmental Security– Compliance– Personnel Security– Security Organization– Asset Classification and Control– Business Continuity Management

Standards

• NIST – National Institute of Standards and Technology

• Publications– ITL Bulletins– FIPS publications– Special publications

Standards Sample

• NERC – North American Electricity Reliability Cooperative

• Thorough standard for information security policy and compliance

• Focuses on Responsibility and Accountability

Standards Sample

Standards Sample

Summary

• Legislation tends toward accountability and responsibility.

• Many major industries have been required to formalize information security management.

• Standards often provide peer-accountability.

• These inputs help drive organizational policy.