INFORMATION SECURITY REGULATION COMPLIANCE
By [Insert name], dd/mm/yyyy
Senior leadership training on the primary regulatory requirements
Overview
• Helps the organization comply with the interagency guidelines on information security standards.
• Summarizes the organization's obligations to protect stakeholders' information.
• Numerous federal, state and international regulations govern the protection of information.
• Enforcement agencies and auditors accept recognized best practices as guidance, and those practices require written policies.
Goals of the security standards and guidelines
• Establish and implement controls.
• Maintain and protect systems, and assess compliance issues.
• Identify and remediate vulnerabilities and deviations.
• Provide reporting that can demonstrate the organization's compliance.
Laws and regulations affecting security regulation compliance
• The Federal Information Security Management Act of 2002 (FISMA), amended and renamed the Federal Information Security Modernization Act in 2014
►"The head of each [Federal] agency shall delegate to the agency Chief Information Officer ... ensuring that the agency effectively implements and maintains information security policies, procedures, and control techniques."
• The Sarbanes-Oxley Act of 2002 (SOX)
►Management's responsibility for policies: Section 404 requires management to assess and report on internal controls over financial reporting, which includes the IT and security controls those reports depend on.
Laws and regulations affecting security regulation compliance (continued)
• The Gramm-Leach-Bliley Act (GLBA)
►"Each Bank shall implement a comprehensive written information security program [policies] that includes administrative, technical and physical safeguards."
• Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS is a contractual industry standard enforced by the card brands and acquiring banks, not a law.
►The program is intended to protect cardholder data wherever it resides by ensuring that members, merchants and service providers maintain the highest information security standard.
Laws and regulations affecting security regulation compliance (continued)
• Health Insurance Portability and Accountability Act (HIPAA)
►"Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart." (Security Rule, 45 CFR §164.316(a))
• Intellectual property law
►Secures and enforces legal rights to inventions, designs and artistic works.
Security methods and controls that need to be implemented
• Current and ongoing knowledge of attack sources, scenarios and techniques.
• Up-to-date equipment inventories and network maps.
• Rapid detection and response capability to react to newly discovered vulnerabilities.
• Risk assessment.
Security methods and controls that need to be implemented (continued)
• Network access controls over both internal and external connections.
• Hardening of systems before they are placed in a production environment.
• Malicious code mitigation.
• Physical access controls.
• Policies and procedures for user enrollment, change and termination.
Security methods and controls that need to be implemented (continued)
• Processes to identify, monitor and address training needs
→ Technical training
→ Security awareness training
→ Compliance training
→ Audit training
• A testing plan that identifies control objectives and verifies them through
→ Audits
→ Security assessments
→ Vulnerability scans
→ Penetration tests
Interagency guidelines and compliance
■ Categorization of the information to be protected.
■ Refinement of controls using a risk assessment procedure.
■ Documentation of controls in the system security plan.
■ Assessment of the effectiveness of the controls once they have been implemented.
Interagency guidelines and compliance (continued)
■ Implementation of security controls in the appropriate information systems.
■ Authorization of information systems for processing, and monitoring of the security controls on a continuous basis.
■ Provision of minimum baseline control standards.
■ Determination of agency-level risk to the mission or business case.