In the complimentary Powerpoint presentation Information Security Governance – Top Actions for Security Managers, the IT Governance Institute provides actionable advice on how to implement information security governance. Each slide represents one of 18 questions often asked of security practitioners by senior management, and are designed to uncover information security issues. Here, we take a look at the question of regulatory compliance: considerations regarding the question, sources to assist the security manager in determining the appropriate response, evaluation and performance criteria to determine how effectively the enterprise addresses the security considerations, and security program initiatives detailing steps the enterprise should take.
What information assets are subject to laws and regulations? What has management instituted to assure compliance with them?
Considerations for security managers
Organizations are subject to many laws and regulations based on their jurisdiction, industry, contractual arrangements and legal form (e.g., publicly traded corporation). Many impose strict requirements over the management of information assets, especially the protection of private information such as customer and employee data. A failure to meet these requirements can result in significant penalties, liability and damage to the organization's reputation.
Compliance with the multitude of laws and regulations calls for the application of legal expertise within a formal, ongoing program that identifies all relevant requirements, including privacy limitations, intellectual and property rights, and other legal, regulatory, contractual and insurance requirements. The program must then determine the information security measures needed for compliance and ensure those measures are in effect.
Evaluation and performance criteria
- Appropriate legal expertise exists, either internally or via an outside firm that is contracted for the purpose.
- Appropriate expertise exists for specialized regulations (e.g., workers compensation, employment regulations and industry-specific requirements).
- A compliance officer position exists within the organization, or an individual is accountable for compliance activities.
- Organization policy requires that all significant contracts are subject to legal review.
- Documented evidence exists of research into the laws relating to the business. Examples include meeting agendas and minutes with legal counsel, and detailed reports or opinions describing legal obligations.
- A formal information security process exists that records requirements identified by the previously mentioned processes, and ensures appropriate response via existing information security programs.
Security program initiatives
- Establish a legal and regulatory compliance committee consisting of representatives from information security, legal counsel, human resources, corporate compliance, and related legal and regulatory experts.
- Identify and join local special interest groups or forums that address legal and regulatory compliance issues.
- Establish a requirement for legal representation in risk assessments, and ensure that legal and regulatory needs are addressed in security procedures.
Copyright 2005 Information Systems Audit and Control Association (ISACA). All rights reserved. Used by permission.
This was first published in October 2005