Compliance:: Difference between revisions
No edit summary |
No edit summary |
||
(8 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
== | ==Compliance With Legal Requirements== | ||
The objective of this category is to ensure compliance with all statutory, regulatory, certificatory or contractual obligations.<br> | |||
<br> | <br> | ||
:1. [[ISO Security Policy''']]<br> | ISO 17799 and ISO 27002 defines Compliance objectives to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; ensure compliance of systems with organizational security policies and standards; and maximize the effectiveness of and to minimize interference to or from the system audit process. This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives, as well as guidance for complying with regulations such as GLBA and HIPAA.<br> | ||
<br> | |||
==Identification of Applicable Statutes, Regulations and Certification Standards== | |||
All relevant statutory, regulatory and private certificatory requirements should be identified. The organization's approach to meeting these requirements should be explicitly defined, documented and kept up to date. | |||
==Compliance with organizational security policies and technical standards== | |||
This category aims to ensure compliance with "internal" organizational policies, procedures and standards. | |||
===Periodic review of security processes=== | |||
Data, data system and data facility controllers should periodically review all security processes within their areas of responsibility to ensure compliance with relevant security policies and standards. | |||
===Periodic checks of technical compliance=== | |||
Data systems should be regularly checked for compliance with security implementation standards, including but not limited to penetration tests and vulnerability assessments. | |||
===Compliance Oriented Policy Samples=== | |||
:1. [[Security_Policy:|'''ISO Security Policy''']]<br> | |||
:This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives and clearly state specific requirements for policy compliance and enforcement, as well as actions that may be taken for violations of applicable regulations and laws.<br> | :This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives and clearly state specific requirements for policy compliance and enforcement, as well as actions that may be taken for violations of applicable regulations and laws.<br> | ||
<br> | <br> | ||
:2. [[Regulatory Compliance (GLBA)''']]<br> | :2. [[GLBA_Policy_References:|'''Regulatory Compliance (GLBA)''']]<br> | ||
:This section contains a GLBA Compliance Matrix that details how this system and other services can be used for GLBA compliance.<br> | :This section contains a GLBA Compliance Matrix that details how this system and other services can be used for GLBA compliance.<br> | ||
<br> | <br> | ||
:3. [[Regulatory Compliance (HIPAA)''']]<br> | :3. [[HIPAA_Policy_References:|'''Regulatory Compliance (HIPAA)''']]<br> | ||
:This section contains a HIPAA Compliance Matrix that details how this system and other services can be used for | :This section contains a HIPAA Compliance Matrix that details how this system and other services can be used for HIPAA compliance.<br> | ||
<br> | |||
:4. [[SOX_Policy_References:|'''Regulatory Compliance (SOX)''']]<br> | |||
:This section contains a Sarbanes-Oxley Compliance Matrix that details how this system and other services can be used for Sarbanes-Oxley compliance.<br> | |||
<br> | |||
==Protection of confidentiality of personal information== | |||
Appropriate policies and procedures should be implemented to ensure the confidentiality of personal data, consistent with statutory, regulatory and private requirements. | |||
===Protection of intellectual property rights (IPR)=== | |||
Appropriate policies and procedures should be implemented to ensure compliance with legal, regulatory and private requirements for all materials for which there may be IPR, including but not limited to proprietary software products. | |||
===Protection of organizational records=== | |||
Appropriate policies and procedures should be implemented to ensure the confidentiality, integrity and availability of organizational records.<br> | |||
<br> | |||
'''Control includes:'''<br> | |||
<br> | |||
* Categorization of data, consistent with statutory, regulatory, certificatory, contractual and business requirements<br> | |||
* Creation of data protection policies consistent with this categorization<br> | |||
* Creation of data retention and data destruction policies consistent with this categorization<br> | |||
* Implementation of data retention and destruction schedule consistent with policies<br> | |||
* Appropriate controls to protect records from loss, destruction or falsification during their retention period<br> | |||
* Appropriate controls to assure appropriate destruction at the end of their retention period<br> | |||
<br> | |||
===Prevention of misuse of information and information processing facilities=== | |||
Appropriate policies, procedures and end-user education should be implemented to deter misuse of information and information processing services, systems, equipment and facilities.<br> | |||
<br> | |||
'''Control includes:'''<br> | |||
<br> | |||
* User awareness of the precise scope of their permitted access<br> | |||
* User awareness of the monitoring in place to detect unauthorized access<br> | |||
* A log-on warning message reminding users of access policies and monitoring<br> | |||
* Intrusion detection/prevention, content inspection and other monitoring activities as appropriate<br> | |||
<br> | <br> | ||
===Regulation of cryptographic controls and other technologies=== | |||
Appropriate policies and procedures should be implemented to ensure that cryptographic methods and controls, and any other national-security-sensitive technologies, are used in accordance with all relevant laws and regulations. | |||
==Information systems audit considerations== | |||
This category aims to maximize the effectiveness of and to minimize interference from information system audit processes. | |||
===Information systems audit controls=== | |||
Audit controls should be implemented to allow collection of appropriate audit data on operational systems, while minimizing the risk of disruption to business processes. | |||
===Protection of information system audit tools=== | |||
Access to information system audit tools should be appropriately limited to prevent misuse or compromise. | |||
==See Also== | |||
ISO-27002:2005 15.1.1<br> | |||
ISO-27002:2005 15.1.4<br> | |||
ISO-27002:2005 15.1.2<br> | |||
ISO-27002:2005 15.1.3<br> | |||
ISO-27002:2005 15.1.5<br> | |||
ISO-27002:2005 15.1.6<br> | |||
ISO-27002:2005 15.2.1<br> | |||
ISO-27002:2005 15.2.2<br> | |||
ISO-27002:2005 15.3.1<br> | |||
ISO-27002:2005 15.3.2<br> | |||
==References== | |||
* ISO 17799/27002 - Code of Practice for Information Security Management. |
Latest revision as of 12:41, 25 May 2007
Compliance With Legal Requirements
The objective of this category is to ensure compliance with all statutory, regulatory, certificatory or contractual obligations.
ISO 17799 and ISO 27002 defines Compliance objectives to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; ensure compliance of systems with organizational security policies and standards; and maximize the effectiveness of and to minimize interference to or from the system audit process. This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives, as well as guidance for complying with regulations such as GLBA and HIPAA.
Identification of Applicable Statutes, Regulations and Certification Standards
All relevant statutory, regulatory and private certificatory requirements should be identified. The organization's approach to meeting these requirements should be explicitly defined, documented and kept up to date.
Compliance with organizational security policies and technical standards
This category aims to ensure compliance with "internal" organizational policies, procedures and standards.
Periodic review of security processes
Data, data system and data facility controllers should periodically review all security processes within their areas of responsibility to ensure compliance with relevant security policies and standards.
Periodic checks of technical compliance
Data systems should be regularly checked for compliance with security implementation standards, including but not limited to penetration tests and vulnerability assessments.
Compliance Oriented Policy Samples
- 1. ISO Security Policy
- This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives and clearly state specific requirements for policy compliance and enforcement, as well as actions that may be taken for violations of applicable regulations and laws.
- 2. Regulatory Compliance (GLBA)
- This section contains a GLBA Compliance Matrix that details how this system and other services can be used for GLBA compliance.
- 3. Regulatory Compliance (HIPAA)
- This section contains a HIPAA Compliance Matrix that details how this system and other services can be used for HIPAA compliance.
- 4. Regulatory Compliance (SOX)
- This section contains a Sarbanes-Oxley Compliance Matrix that details how this system and other services can be used for Sarbanes-Oxley compliance.
Protection of confidentiality of personal information
Appropriate policies and procedures should be implemented to ensure the confidentiality of personal data, consistent with statutory, regulatory and private requirements.
Protection of intellectual property rights (IPR)
Appropriate policies and procedures should be implemented to ensure compliance with legal, regulatory and private requirements for all materials for which there may be IPR, including but not limited to proprietary software products.
Protection of organizational records
Appropriate policies and procedures should be implemented to ensure the confidentiality, integrity and availability of organizational records.
Control includes:
- Categorization of data, consistent with statutory, regulatory, certificatory, contractual and business requirements
- Creation of data protection policies consistent with this categorization
- Creation of data retention and data destruction policies consistent with this categorization
- Implementation of data retention and destruction schedule consistent with policies
- Appropriate controls to protect records from loss, destruction or falsification during their retention period
- Appropriate controls to assure appropriate destruction at the end of their retention period
Prevention of misuse of information and information processing facilities
Appropriate policies, procedures and end-user education should be implemented to deter misuse of information and information processing services, systems, equipment and facilities.
Control includes:
- User awareness of the precise scope of their permitted access
- User awareness of the monitoring in place to detect unauthorized access
- A log-on warning message reminding users of access policies and monitoring
- Intrusion detection/prevention, content inspection and other monitoring activities as appropriate
Regulation of cryptographic controls and other technologies
Appropriate policies and procedures should be implemented to ensure that cryptographic methods and controls, and any other national-security-sensitive technologies, are used in accordance with all relevant laws and regulations.
Information systems audit considerations
This category aims to maximize the effectiveness of and to minimize interference from information system audit processes.
Information systems audit controls
Audit controls should be implemented to allow collection of appropriate audit data on operational systems, while minimizing the risk of disruption to business processes.
Protection of information system audit tools
Access to information system audit tools should be appropriately limited to prevent misuse or compromise.
See Also
ISO-27002:2005 15.1.1
ISO-27002:2005 15.1.4
ISO-27002:2005 15.1.2
ISO-27002:2005 15.1.3
ISO-27002:2005 15.1.5
ISO-27002:2005 15.1.6
ISO-27002:2005 15.2.1
ISO-27002:2005 15.2.2
ISO-27002:2005 15.3.1
ISO-27002:2005 15.3.2
References
- ISO 17799/27002 - Code of Practice for Information Security Management.