Introduction
Information is among the most valuable assets of any organization. It may belong to the organization itself, or it may be public or government data that the organization holds on behalf of others. Across the world, governments and standards bodies have issued a growing number of regulations designed to ensure the information security triad, viz. the confidentiality, integrity and availability of personal and corporate data. These mandates apply to a range of industries, from financial institutions to healthcare providers to utilities firms to retailers and beyond. Regulatory compliance is mandatory for organizations as well as for individuals, and non-compliance with any applicable regulation can lead to legal action against the organization and/or the individuals concerned.
The specific details of these regulations are as varied as the industries they serve. However, most contain sections that require companies to secure each user's credentials and to manage all access to IT-based systems. Taken together, these individual regulatory guidelines point toward a growing consensus on what constitutes best practice in identity management and IT security.
As an organization grows, the demand for compliance grows with it, but the problem many organizations face is identifying which regulations and standards apply to them and implementing those requirements effectively. Auditing that implementation is a further concern. This white paper explores these compliance-driven best practices, how unified solutions support them, and why prioritizing their implementation makes good business sense beyond the fulfillment of compliance requirements.
Compliance Requirements
Compliance means conforming to a rule, a specific policy, a standard or a law. To run a business smoothly and to deliver services without interruption, organizations are required to comply with certain regulations and/or standards. Regulations have a direct legal impact on the business; standards carry no legal penalty in themselves, but failing to adhere to a standard can cause a violation of a regulation and so have a severe impact on the business. Organizations therefore have to identify the regulations and standards that apply to their business. These requirements can be categorized as follows:
1. Commercial requirement
2. Legal requirement
Commercial requirements:
1. Client/customer/stakeholder: security controls required as a condition of an invitation to tender.
2. Marketing: compliance seen as giving a competitive edge in the marketing of products/services.
3. Cash flow/profitability
Legal requirements:
1. Company trading regulations
2. Copyright, design and patent regulations
3. Data protection requirements
4. Computer misuse
5. Regulation of investigatory powers
6. Control of proprietary software copying
7. Safeguarding organizational records
8. Statutory obligations
9. Criminal or civil obligation
10. Commercial contracts
11. Intellectual property rights
12. Obscene Publications Act
13. Race Relations Act
Compliance affects:
1. Information assets
2. Paper documents
3. Software assets
4. Physical assets
5. People
6. Company image and reputation
7. Services
Assessment of legal and business requirements:
1. Identify the value of each asset in terms of the legal and commercial requirements that apply to it
2. Consider
a. How serious the impact on the business would be
i. if legal/contractual or business requirements are not fulfilled
b. What the consequences would be for
i. the assets concerned
ii. the ISMS as a whole
c. How likely this is to happen
3. The results should be used to assign an appropriate value to each asset
ISO 27001:2005 reference:
A.15.1 Compliance with legal requirements
Objective: To avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations, and of any security requirements.
Risks:
1. Bomb attack
2. Communication infiltration
3. Eavesdropping
4. Illegal import/export of software
5. Illegal use of software
6. Masquerading of user identity
7. Misuse of resources
8. Network access by unauthorized person
9. Theft
10. Unauthorized use of software
11. Use of network facilities in an unauthorized way
12. Use of software in an unauthorized way
A.15.2 Compliance with security policies and standards, and technical compliance
Objective: To ensure compliance of systems with organizational security policies and standards.
Risks:
1. Bomb attack
2. Communication infiltration
3. Eavesdropping
4. Failure of communication services
5. Illegal import/export of software
6. Illegal use of software
7. Malicious software (e.g. viruses, worms, Trojan horses)
8. Masquerading of user identity
9. Misuse of resources
10. Network access by unauthorized person
11. Theft
12. Unauthorized use of software
13. Use of network facilities in an unauthorized way
14. Use of software in an unauthorized way
15. Willful damage
A.15.3 Information system audit considerations
Objective: To maximize the effectiveness of and minimize interference to/from the system audit process.
Risks:
1. Communication infiltration
2. Eavesdropping
3. Failure of communication services
4. Illegal import/export of software
5. Malicious software (e.g. viruses, worms, Trojan horses)
6. Masquerading of user identity
7. Misuse of resources
8. Network access by unauthorized person
9. Theft
10. Unauthorized use of software
11. Use of network facilities in an unauthorized way
Purpose of the policy:
The purpose of the policy is to protect the information assets owned and used by the organization from all threats, whether internal or external, deliberate or accidental, and to meet all regulatory and legislative requirements, specifically:
1. Gramm-Leach-Bliley Act (GLBA)
2. Health Insurance Portability and Accountability Act (HIPAA)
3. Sarbanes-Oxley Act (SOX)
4. GISRA/FISMA (Government Information Security Reform Act/Federal Information Security Management Act)
5. Federal Trade Commission (FTC) requirements
6. Children's Online Privacy Protection Act (COPPA)
7. Federal Privacy Act of 1974
8. State laws
9. Basel II
10. Federal Financial Institutions Examination Council (FFIEC) standards
11. North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) standards
12. Payment Card Industry Data Security Standard (PCI DSS)
13. Standards for the Protection of Personal Information of Residents of the Commonwealth (Massachusetts 201 CMR 17.00)
14. Cyber crime laws
15. Computer Fraud and Abuse Act (CFAA)
16. Electronic Communications Privacy Act of 1986 (ECPA)
Non-regulatory sources of security obligations:
1. Operating rules
2. An attorney's obligation to secure attorney-client communications