Dated 2010. Pending updated information
Public and private organizations are heavily regulated and must comply with a multitude of global and national regulatory directives, including privacy, industry and process regulations. An examination of these regulations reveals similar and overlapping management, documentation, control and audit requirements, and that overlap can overwhelm efforts to identify and manage compliance risk effectively and efficiently. Note: According to IDC, the average $500M corporation is subject to 35-40 regulatory mandates.
In addition, increasing attention is being given to the relationship between security standards and business objectives. Maintaining a reliable and secure network increases customer satisfaction, which translates into customer loyalty and therefore reinforces competitive advantage – web.
Organizations that adopt a more sensible, cross-regulatory and collaborative approach to managing compliance will reduce cost and complexity while gaining valuable insight into the risks to key business processes. This approach minimizes legal action and penalties while protecting the company’s brand and reputation.
An important first step in this approach is to understand the entire regulatory spectrum (rules, standards, policies, etc.) to which your organization is subject. Then construct a risk and control matrix (RACM) that addresses this spectrum, identifying for each control the risks it treats, the risk rating, the category and the rules it satisfies, and leaving room for flexibility and modification as requirements change. Generally you will find that a single well-defined RACM control satisfies a number of different rules, standards, etc., which greatly reduces compliance cost because one control is implemented, documented and tested once and then reused as evidence across every mandate it maps to. Note: We start the RACM using the principle SUCOP – ITBP.
Organizations should understand their compliance risks and requirements before designing IT policies and procedures, so that the policies are written against the RACM rather than retrofitted to it.
What is a Standard?
A policy is a formal, brief, high-level statement that embraces an organization’s general beliefs, goals, objectives and acceptable conduct for a specified subject area; it is a type of position statement and regulates organizational affairs and the behaviour of people and systems. A standard is a mandatory, specific requirement that supports a policy and is usually written to describe the required configuration of a particular technology (e.g., firewall rule sets, operating-system hardening baselines or router protocol settings). It conveys a mandatory action or rule and is written in conjunction with a policy – SANS. A procedure is the step-by-step process that defines and details how the policy and standard requirements are carried out. In practice the three should be kept separate: policies change rarely, standards change with the technology, and procedures change with the people and tools that execute them.
There are innumerable IT-related standards, regulations, frameworks, etc., and some are listed below:
Sarbanes-Oxley Act - July 30, 2002
Named after its sponsors, U.S. Senator Paul Sarbanes (D-MD) and U.S. Representative Michael G. Oxley (R-OH), the act was approved by the House by a vote of 423-3 and by the Senate 99-0. The legislation set new or enhanced standards for all U.S. public company boards, management and public accounting firms. The act created a new, quasi-public agency, the Public Company Accounting Oversight Board (PCAOB), charged with overseeing, regulating, inspecting and disciplining accounting firms in their roles as auditors of public companies. The act also covers auditor independence, corporate governance, internal control assessment and enhanced financial disclosure. Section 404, which requires management to assess and report on internal control over financial reporting, is the part that drives most IT general controls work (access control, change management and operations over the systems that feed the financial statements).
Health Insurance Portability and Accountability Act - 1996
This regulation requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans and employers. It also addresses the security and privacy of health data: the Privacy Rule governs the use and disclosure of protected health information, and the Security Rule sets administrative, physical and technical safeguards for protected health information held in electronic form. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
ISO/IEC 27000-series
The ISO/IEC 27000 series comprises information security standards published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The series provides best-practice recommendations on information security management, risks and controls within the context of an overall Information Security Management System (ISMS), similar in design to the management systems for quality assurance (the ISO 9000 series) and environmental protection (the ISO 14000 series). Within the series, ISO/IEC 27001 specifies the requirements an ISMS must meet and is the standard an organization is certified against, while ISO/IEC 27002 is the code of practice that describes the individual controls.
Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created to help organizations that process card payments prevent card fraud through increased controls around cardholder data and its exposure to compromise. It applies to all organizations that store, process or transmit cardholder data from any card bearing the logo of one of the founding card brands (American Express, Discover, JCB, MasterCard and Visa), regardless of the organization’s size or transaction volume.
Control Objectives for Information and related Technology
Control Objectives for Information and related Technology (COBIT) is a set of best practices (a framework) for information technology (IT) management, first released by the Information Systems Audit and Control Association (ISACA) in 1996 and subsequently developed with the IT Governance Institute (ITGI). COBIT provides managers, auditors and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived from information technology and developing appropriate IT governance and control in a company.
Occupational Safety and Health Act 1970
The act created the Occupational Safety and Health Administration (OSHA), whose mission is to prevent work-related injuries, illnesses and deaths by issuing and enforcing rules (called standards) for workplace safety and health.
Network Equipment-Building System
Network Equipment-Building System (NEBS) is the most common set of safety, spatial and environmental design guidelines applied to telecommunications equipment in the United States. It is an industry requirement, but not a legal requirement. NEBS was developed by Bell Labs in the 1970s to standardize equipment that would be installed in a central office. The objective was to make it easier for a vendor to design equipment compatible with a typical Regional Bell Operating Company (RBOC) central office (CO).
National Institute of Standards and Technology
The National Institute of Standards and Technology (NIST), known between 1901 and 1988 as the National Bureau of Standards (NBS), is a measurement standards laboratory and a non-regulatory agency of the United States Department of Commerce. The institute’s official mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards and technology in ways that enhance economic security and improve quality of life. For information security the relevant outputs are the Special Publication 800 series (guidance such as security control catalogues and risk management) and the Federal Information Processing Standards (FIPS), which are mandatory for U.S. federal information systems and widely adopted by private-sector organizations as a baseline.
Gramm-Leach-Bliley Act
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, includes provisions to protect consumers’ personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions. The Safeguards Rule is the IT-relevant part, as it requires each institution to maintain a written information security program with administrative, technical and physical safeguards appropriate to its size and the sensitivity of the customer information it holds.
Committee of Sponsoring Organizations of the Treadway Commission
COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. COSO defines internal control as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with applicable laws and regulations. The definition carries four points that matter when building the RACM:
- Internal control is a process. It is a means to an end, not an end in itself.
- Internal control is not merely documented in policy manuals and forms. Rather, it is effected by people at every level of an organization.
- Internal control can provide only reasonable assurance, not absolute assurance, to an entity’s management and board.
- Internal control is geared to the achievement of objectives in one or more separate but overlapping categories.
Other standards, rules and regulations will be researched and an appropriate compliance approach constructed for each.