Dubin reviews how to comply with today's most common government regulations.
Regulations vary from country to country and from state to state within the U.S. On top of all that, additional, industry standards exist to be followed, such as the PCI DSS for companies that issue or accept credit cards (meaning almost every company today). Although it's not a government body, the PCI Security Standards Council wields as much power as one. In the worst-case scenario, it will ban a noncompliant company from using credit cards at all.
Furthermore, if you do business globally, you'll have additional sets of regulatory headaches.
Despite the thicket of different regulations, similar threads run throughout all of them. Organizing your security program along these lines will provide a good first step toward meeting any compliance mandate, even new ones that may arise.
Bear in mind that compliance doesn't equal security. Some regulations do offer a good framework that, if followed to the letter, will take your company far on the road to achieving a high level of information security. However, checking off everything on someone else's checklist will not meet your internal IT-security requirements. You'll need to keep your eye on your own security program while making sure that it meshes with the compliance requirements — a delicate balance, indeed, at times.
Here is a sample of the most common government regulations and industry standards that you'll most likely face in the U.S.:
- The Sarbanes-Oxley Act (SOX). Governs financial institutions and the financial controls that they use to ensure the accuracy of their accounting records. These controls include the IT-security controls that protect those records from unauthorized alteration or disclosure.
- The Graham-Leach-Bliley Act (GLBA). Consists of regulations for protecting customer data in financial institutions.
- The Health Insurance Portability and Accountability Act (HIPAA). Governs the protection of patient data in the health care industry.
- The Federal Financial Institutions Examination Council (FFIEC) guidelines. Regulates the financial industry and contains mandates for protecting online banking transactions. These guidelines are distributed by the Office of the Comptroller of the Currency (OCC), which regulates banks and reviews IT-security controls, among its other oversight functions.
- California SB 1386. Governs the privacy of customer information and the disclosure of breaches for any business that is operating in California.
- The Payment Card Industry (PCI) Data Security Standard (DSS). Regulates companies that issue or accept credit cards. PCI is an industry body that consists of the five largest credit-card companies (Visa, MasterCard, Discover, American Express, and JCB).
Outside the U.S., some of the most common regulations and regulatory bodies are:
- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA)
- In the EU, Directive 95/46/EC (governs the personal protection of data)
- In the EU, Basel II
- The Hong Kong Monetary Authority
- The Monetary Authority of Singapore
So, how do you comply with all these regulations but prevent your staff from trading other, productive work for the constant gathering of the information that keeps the regulators at bay?
One strategy is to implement an overarching security framework that covers all the bases. Three of the most common are ISO 27001, COBIT, and INFOSEC from the National Security Agency (NSA). These frameworks provide excellent guides for benchmarking an information security program, and strict adherence also ensures compliance with most of the elements of the regulations just cited.
But even if you use these frameworks, you'll still need to make sure that you're compliant with the fine points of each regulation that affects your company. Unfortunately, multiple regulations and overlapping requirements impact most companies. The good news is that these frameworks make it easier to sort out and simultaneously comply with the regulations and requirements.
Another strategy entails working with your internal auditors. Too often, an adversarial relationship exists between auditors and IT departments — particularly IT-security departments. Auditors are perceived as by-the-book nitpickers who interfere with daily operations and ask a lot of meddlesome questions. But, the reality is that auditors can be the allies who both work with you to review your adherence to regulations and make sure that you're in top shape before the regulators come knocking on your door.
Here are the basics for preparing for auditors and regulators:
- Read the rest of Chapter 19: Working with Compliance Auditors and Regulators (.pdf)
- To browse more excerpts from today's top information security books, make sure to check out SearchSecurity.com's Information Security Bookshelf.
Reproduced from the book The Little Black Book of Computer Security Copyright , Penton Technology Media. Reproduced by permission of Penton Media, Inc. Written permission from Penton Media, Inc. is required for all other users.
This was first published in August 2008