Tip

What to tell senior management about regulatory compliance

    Requires Free Membership to View

Information Security Governance -- Top actions for security managers
View the entire presentation by IT Governance Institute

In the complimentary Powerpoint presentation Information Security Governance – Top Actions for Security Managers, the IT Governance Institute provides actionable advice on how to implement information security governance. Each slide represents one of 18 questions often asked of security practitioners by senior management, and are designed to uncover information security issues. Here, we take a look at the question of regulatory compliance: considerations regarding the question, sources to assist the security manager in determining the appropriate response, evaluation and performance criteria to determine how effectively the enterprise addresses the security considerations, and security program initiatives detailing steps the enterprise should take.

What information assets are subject to laws and regulations? What has management instituted to assure compliance with them?

Considerations for security managers

Organizations are subject to many laws and regulations based on their jurisdiction, industry, contractual arrangements and legal form (e.g., publicly traded corporation). Many impose strict requirements over the management of information assets, especially the protection of private information such as customer and employee data. A failure to meet these requirements can result in significant penalties, liability and damage to the organization's reputation.

Information Sources
  • Privacy acts
  • Incorporating acts
  • Tax acts
  • Telecommunications acts
  • Securities regulations
  • Signifcant contracts
  • Service level agreements
  • Insurance contracts
  • Other special-purpose legislation (e.g., relating to health, safety, employment)
  • Risk assessment reports
  • Security procedures

Compliance with the multitude of laws and regulations calls for the application of legal expertise within a formal, ongoing program that identifies all relevant requirements, including privacy limitations, intellectual and property rights, and other legal, regulatory, contractual and insurance requirements. The program must then determine the information security measures needed for compliance and ensure those measures are in effect.

Evaluation and performance criteria

  • Appropriate legal expertise exists, either internally or via an outside firm that is contracted for the purpose.
  • Appropriate expertise exists for specialized regulations (e.g., workers compensation, employment regulations and industry-specific requirements).
  • A compliance officer position exists within the organization, or an individual is accountable for compliance activities.
  • Organization policy requires that all significant contracts are subject to legal review.
  • Documented evidence exists of research into the laws relating to the business. Examples include meeting agendas and minutes with legal counsel, and detailed reports or opinions describing legal obligations.
  • A formal information security process exists that records requirements identified by the previously mentioned processes, and ensures appropriate response via existing information security programs.

Security program initiatives

  • Establish a legal and regulatory compliance committee consisting of representatives from information security, legal counsel, human resources, corporate compliance, and related legal and regulatory experts.
  • Identify and join local special interest groups or forums that address legal and regulatory compliance issues.
  • Establish a requirement for legal representation in risk assessments, and ensure that legal and regulatory needs are addressed in security procedures.

Copyright 2005 Information Systems Audit and Control Association (ISACA). All rights reserved. Used by permission.


This was first published in October 2005

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.