"Other requirements are likely to be subject to interpretation, as well. The level of reliability (or maturity) of certain practices and the level of documentation required may be less than the levels described in COBIT. COBIT publications describe multiple stages of reliability of a control as corresponding to the following descriptions, in increasing level of reliability…"
To learn more about complying with SOX, read Measuring compliance from SOX Security School in our Compliance All-in-One Guide.
2. Answer: a. PCI Data Security Standard
PCI stipulates that all Level 1 merchants -- those who process more than six million credit card transactions per year -- must conduct an annual on-site audit of their security systems and procedures. The assessment may be conducted by internal staff (and must include a signoff from a C-level officer) or by a third party.
To learn more about PCI Data Security Standard, read PCI Data Security Standard: How to survive an audit, or visit the Infosec-related regulations section in our Compliance All-in-One Guide.
3. Answer: a. COSO
Frameworks such as the Control Objectives for Information and related Technology (COBIT) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework aid regulatory compliance, but don't provide actual risk management methodologies. Rather, they include some high-level goals for risk management as part of their overall scope. While COBIT helps a company define risk goals at an operational level, COSO helps a company define organizational risks at a business level.
To learn how COBIT, COSO and ISO 17799 differ, read Alphabet soup: Understanding standards for risk management and compliance in our Compliance All-in-One Guide.
4. Answer: False
Information Lifecycle Management (ILM): a comprehensive strategy for valuing, cataloging and protecting information assets. It is tied to regulatory compliance as well. ILM, while similar to DLM, operates on information, not raw data. Decisions are driven by the content of the information, requiring policies to take into account the context of the information.
To learn how to develop a proper data protection strategy, read this book chapter excerpt from Data Protection and Lifecycle Management by Tom Petrocelli, in our Compliance All-in-One Guide
5. Answer: d. All of the above
With the change in the legislative climate (the passing of SOX, GLBA and HIPAA), organizations can no longer afford to relegate information security policies to the back burner. Information security professionals must therefore spur the organization into action. Let's look at several ways you can enlist help from inside and outside your organization.
- Get executive management involved
- Get the Board of Directors involved
- Get your auditors involved
- Get the organization involved
- Utilize existing policy resources from reputable sources
- Talk to business peers
- Train employees
This was first published in July 2006