The following is an excerpt from the book, The Little Black Book of Computer Security, 2nd Edition. In this section of Chapter 19: Working with Compliance Auditors and Regulators (.pdf), author Joel Dubin reviews how to comply with today's most common government regulations.
Not only do you have to contend with meeting your own, internal IT-security standards, but you also have to face a wide
array of government regulations and industry standards. Sometimes, it seems
like you spend more time and resources on complying with these regulations
and standards than on actually doing any business.
Regulations vary from country to country and from state to state within
the U.S. On top of all that, additional, industry standards exist to be followed,
such as the PCI DSS for companies that issue or accept credit cards (meaning
almost every company today). Although it's not a government body, the PCI
Security Standards Council wields as much power as one. In the worst-case
scenario, it will ban a noncompliant company from using credit cards at all.
Furthermore, if you do business globally, you'll have additional sets of
regulatory headaches.
Despite the thicket of different regulations, similar threads run throughout
all of them. Organizing your security program along these lines will provide
a good first step toward meeting any compliance mandate, even new
ones that may arise.
Important
Bear in mind that compliance doesn't equal security. Some regulations
do offer a good framework that, if followed to the letter,
will take your company far on the road to achieving a high level
of information security. However, checking off everything on
someone else's checklist will not meet your internal IT-security
requirements. You'll need to keep your eye on your own security
program while making sure that it meshes with the compliance
requirements — a delicate balance, indeed, at times.
Here is a sample of the most common government regulations and
industry standards that you'll most likely face in the U.S.:
- The Sarbanes-Oxley Act (SOX). Governs financial institutions and
the financial controls that they use to ensure the accuracy of their
accounting records. These controls include the IT-security controls
that protect those records from unauthorized alteration or disclosure.
- The Graham-Leach-Bliley Act (GLBA). Consists of regulations for
protecting customer data in financial institutions.
- The Health Insurance Portability and Accountability Act (HIPAA).
Governs the protection of patient data in the health care industry.
- The Federal Financial Institutions Examination Council (FFIEC)
guidelines. Regulates the financial industry and contains mandates for
protecting online banking transactions. These guidelines are
distributed by the Office of the Comptroller of the Currency (OCC),
which regulates banks and reviews IT-security controls, among its
other oversight functions.
- California SB 1386. Governs the privacy of customer information and
the disclosure of breaches for any business that is operating in
California.
- The Payment Card Industry (PCI) Data Security Standard (DSS).
Regulates companies that issue or accept credit cards. PCI is an
industry body that consists of the five largest credit-card companies
(Visa, MasterCard, Discover, American Express, and JCB).
Outside the U.S., some of the most common regulations and regulatory
bodies are:
- In Canada, the Personal Information Protection and Electronic
Documents Act (PIPEDA)
- In the EU, Directive 95/46/EC (governs the personal protection
of data)
- In the EU, Basel II
- The Hong Kong Monetary Authority
- The Monetary Authority of Singapore
So, how do you comply with all these regulations but prevent your staff
from trading other, productive work for the constant gathering of the information
that keeps the regulators at bay?
One strategy is to implement an overarching security framework that
covers all the bases. Three of the most common are ISO 27001, COBIT, and
INFOSEC from the National Security Agency (NSA). These frameworks
provide excellent guides for benchmarking an information security program,
and strict adherence also ensures compliance with most of the elements of the
regulations just cited.
But even if you use these frameworks, you'll still need to make sure that
you're compliant with the fine points of each regulation that affects your
company. Unfortunately, multiple regulations and overlapping requirements
impact most companies. The good news is that these frameworks make it
easier to sort out and simultaneously comply with the regulations and
requirements.
Another strategy entails working with your internal auditors. Too often,
an adversarial relationship exists between auditors and IT departments —
particularly IT-security departments. Auditors are perceived as by-the-book
nitpickers who interfere with daily operations and ask a lot of meddlesome
questions. But, the reality is that auditors can be the allies who both work
with you to review your adherence to regulations and make sure that you're in
top shape before the regulators come knocking on your door.
Here are the basics for preparing for auditors and regulators:
Reproduced from the book The Little Black Book of Computer Security Copyright [2008], Penton Technology Media. Reproduced by permission of Penton Media, Inc. Written permission from Penton Media, Inc. is required for all other users.
