Transcript of INFORMATION SECURITY REGULATION COMPLIANCE

Page 1:

INFORMATION SECURITY REGULATION COMPLIANCE

By Insert name, dd/mm/yyyy

Senior leadership training on the primary regulatory requirements

Page 2:

Overview

• Aids organizations in complying with interagency guidelines on information security standards

• The organization summarizes its obligations to protect stakeholders' information

• Numerous federal, state and international regulations govern the protection of information

• Enforcement agencies and auditors must accept best practices as guidance, and these require written policies.


Page 3:

Goals of the security standards and guidelines

• Establishment and implementation of controls

• Maintaining, protecting and assessing compliance

• Identifying and remediating vulnerabilities and deviations

• Providing reporting that can prove the organization's compliance.


Page 4:

Laws and regulations affecting security regulation compliance

• The Federal Information Security Management Act (FISMA)

► "The head of each [Federal] agency shall delegate to the agency Chief Information Officer ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques."

• The Sarbanes-Oxley Act of 2002 (SOX)

► Management's responsibility for policies


Page 5:

Laws and regulations affecting security regulation compliance

• The Gramm-Leach-Bliley Act (GLBA)

► "Each Bank shall implement a comprehensive written information security program [policies] that includes administrative, technical and physical safeguards."

• Payment Card Industry Data Security Standard (PCI DSS)

► The program is intended to protect cardholder data wherever it resides by ensuring that members, merchants and service providers maintain the highest information security standard.


Page 6:

Laws and regulations affecting security regulation compliance

• Health Insurance Portability and Accountability Act (HIPAA)

► "Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart."

• Intellectual property law

► For securing and enforcing legal rights to inventions, designs and artistic works.


Page 7:

Security methods and controls that need to be implemented

• Latest and ongoing knowledge of attack sources, scenarios and techniques

• Up-to-date equipment inventories and network maps

• Rapid detection and response capability to react to newly discovered vulnerabilities

• Risk assessment


Page 8:

Security methods and controls that need implementation

• Network access controls over both internal and external connections

• Harden systems prior to placing them in a production environment

• Malicious code mitigation

• Physical access control

• Policies and procedures on user enrollment, change and termination


Page 9:

Security methods and controls that need implementation

• Processes to identify, monitor and address training needs

→ Technical training

→ Security awareness training

→ Compliance training

→ Audit training

• A testing plan that identifies control objectives

→ Audit

→ Security assessments

→ Vulnerability scans

→ Penetration tests


Page 10:

Interagency guidelines and compliance

■ Categorization of the information to be protected

■ Refining of controls using a risk assessment procedure

■ Documentation of controls in the system security plan

■ Assessing the effectiveness of the controls once they have been implemented


Page 11:

Interagency guidelines and compliance

■ Implementation of security controls in the appropriate information systems

■ Authorization of the information systems for processing, and monitoring of the security controls on a continuous basis

■ Provision of minimum baseline control standards

■ Determination of agency-level risk to the mission or business case

