COMPLIANCE COUNSELOR
What to tell senior management about regulatory compliance
IT Governance Institute
10.18.2005
Rating: -4.00- (out of 5)
|
| Information Security Governance -- Top actions for security managers |
| View the entire presentation by IT Governance Institute |
|
|
|
|
In the complimentary Powerpoint presentation Information Security Governance – Top Actions for Security Managers, the IT Governance Institute provides actionable advice on how to implement information security governance. Each slide represents one of 18 questions often asked of security practitioners by senior management, and are designed to uncover information security issues. Here, we take a look at the question of regulatory compliance: considerations regarding the question, sources to assist the security manager in determining the appropriate response, evaluation and performance criteria to determine how effectively the enterprise addresses the security considerations, and security program initiatives detailing steps the enterprise should take.
What information assets are subject to laws and regulations? What has management instituted to assure compliance with them?
Considerations for security managers
Organizations are subject to many laws and regulations based on their jurisdiction, industry, contractual arrangements and legal form (e.g., publicly traded corporation). Many impose strict requirements over the management of information assets, especially the protection of private information such as customer and employee data. A failure to meet these requirements can result in significant penalties, liability and damage to the organization's reputation.
|
| Information Sources |
- Privacy acts
- Incorporating acts
- Tax acts
- Telecommunications acts
- Securities regulations
- Signifcant contracts
- Service level agreements
- Insurance contracts
- Other special-purpose legislation (e.g., relating to health, safety, employment)
- Risk assessment reports
- Security procedures
|
|
|
|
|
Compliance with the multitude of laws and regulations calls for the application of legal expertise within a formal, ongoing program that identifies all relevant requirements, including privacy limitations, intellectual and property rights, and other legal, regulatory, contractual and insurance requirements. The program must then determine the information security measures needed for compliance and ensure those measures are in effect.
Evaluation and performance criteria
- Appropriate legal expertise exists, either internally or via an outside firm that is contracted for the purpose.
- Appropriate expertise exists for specialized regulations (e.g., workers compensation, employment regulations and industry-specific requirements).
- A compliance officer position exists within the organization, or an individual is accountable for compliance activities.
- Organization policy requires that all significant contracts are subject to legal review.
- Documented evidence exists of research into the laws relating to the business. Examples include meeting agendas and minutes with legal counsel, and detailed reports or opinions describing legal obligations.
- A formal information security process exists that records requirements identified by the previously mentioned processes, and ensures appropriate response via existing information security programs.
Security program initiatives
- Establish a legal and regulatory compliance committee consisting of representatives from information security, legal counsel, human resources, corporate compliance, and related legal and regulatory experts.
- Identify and join local special interest groups or forums that address legal and regulatory compliance issues.
- Establish a requirement for legal representation in risk assessments, and ensure that legal and regulatory needs are addressed in security procedures.
Copyright 2005 Information Systems Audit and Control Association (ISACA). All rights reserved. Used by permission.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
|
|
BROWSE BY TAG
Compliance Counselor,
Security Audit, Compliance and Standards,
Gramm-Leach-Bliley Act (GLBA),
FISMA,
HIPAA,
Data Privacy and Protection,
Sarbanes-Oxley Act,
General,
Infosec-Related Regs,
Compliance,
Compliance leadership,
People & policy,
Enterprise Data Protection,
Identity Theft and Data Security Breaches, VIEW ALL TAGS
|
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
