Manage Learn to apply best practices and optimize your operations.

What to tell senior management about regulatory compliance

The IT Governance Institute offers actionable advice for implementing security governance as it relates to regulatory compliance.

In the complimentary Powerpoint presentation Information Security Governance – Top Actions for Security Managers, the IT Governance Institute provides actionable advice on how to implement information security governance. Each slide represents one of 18 questions often asked of security practitioners by senior management, and are designed to uncover information security issues. Here, we take a look at the question of regulatory compliance: considerations regarding the question, sources to assist the security manager in determining the appropriate response, evaluation and performance criteria to determine how effectively the enterprise addresses the security considerations, and security program initiatives detailing steps the enterprise should take.

What information assets are subject to laws and regulations? What has management instituted to assure compliance with them?

Considerations for security managers

Organizations are subject to many laws and regulations based on their jurisdiction, industry, contractual arrangements and legal form (e.g., publicly traded corporation). Many impose strict requirements over the management of information assets, especially the protection of private information such as customer and employee data. A failure to meet these requirements can result in significant penalties, liability and damage to the organization's reputation.

Information Security Governance -- Top actions for security managers

View the entire presentation by IT Governance Institute

Compliance with the multitude of laws and regulations calls for the application of legal expertise within a formal, ongoing program that identifies all relevant requirements, including privacy limitations, intellectual and property rights, and other legal, regulatory, contractual and insurance requirements. The program must then determine the information security measures needed for compliance and ensure those measures are in effect.

Evaluation and performance criteria

Information Sources

  • Privacy acts
  • Incorporating acts
  • Tax acts
  • Telecommunications acts
  • Securities regulations
  • Significant contracts
  • Service level agreements
  • Insurance contracts
  • Other special-purpose legislation (e.g., relating to health, safety, employment)
  • Risk assessment reports

Security procedures

  • Appropriate legal expertise exists, either internally or via an outside firm that is contracted for the purpose.
  • Appropriate expertise exists for specialized regulations (e.g., workers compensation, employment regulations and industry-specific requirements).
  • A compliance officer position exists within the organization, or an individual is accountable for compliance activities.
  • Organization policy requires that all significant contracts are subject to legal review.
  • Documented evidence exists of research into the laws relating to the business. Examples include meeting agendas and minutes with legal counsel, and detailed reports or opinions describing legal obligations.
  • A formal information security process exists that records requirements identified by the previously mentioned processes, and ensures appropriate response via existing information security programs.

Security program initiatives

  • Establish a legal and regulatory compliance committee consisting of representatives from information security, legal counsel, human resources, corporate compliance, and related legal and regulatory experts.
  • Identify and join local special interest groups or forums that address legal and regulatory compliance issues.
  • Establish a requirement for legal representation in risk assessments, and ensure that legal and regulatory needs are addressed in security procedures.

Copyright 2005 Information Systems Audit and Control Association (ISACA). All rights reserved. Used by permission.

This was last published in October 2005

Dig Deeper on Data privacy issues and compliance

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.