Compliance:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Compliance With Legal Requirements

The objective of this category is to ensure compliance with all statutory, regulatory, certificatory or contractual obligations.

ISO 17799 and ISO 27002 defines Compliance objectives to avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements; ensure compliance of systems with organizational security policies and standards; and maximize the effectiveness of and to minimize interference to or from the system audit process. This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives, as well as guidance for complying with regulations such as GLBA and HIPAA.

Identification of Applicable Statutes, Regulations and Certification Standards

All relevant statutory, regulatory and private certificatory requirements should be identified. The organization's approach to meeting these requirements should be explicitly defined, documented and kept up to date.

Compliance with organizational security policies and technical standards

This category aims to ensure compliance with "internal" organizational policies, procedures and standards.

Periodic review of security processes

Data, data system and data facility controllers should periodically review all security processes within their areas of responsibility to ensure compliance with relevant security policies and standards.

Periodic checks of technical compliance

Data systems should be regularly checked for compliance with security implementation standards, including but not limited to penetration tests and vulnerability assessments.

Compliance Oriented Policy Samples

1. ISO Security Policy
This section provides templates for an Information Security Program Charter and supporting policies that are required to comply with ISO Compliance objectives and clearly state specific requirements for policy compliance and enforcement, as well as actions that may be taken for violations of applicable regulations and laws.


2. Regulatory Compliance (GLBA)
This section contains a GLBA Compliance Matrix that details how this system and other services can be used for GLBA compliance.


3. Regulatory Compliance (HIPAA)
This section contains a HIPAA Compliance Matrix that details how this system and other services can be used for HIPAA compliance.


4. Regulatory Compliance (SOX)
This section contains a Sarbanes-Oxley Compliance Matrix that details how this system and other services can be used for Sarbanes-Oxley compliance.


Protection of confidentiality of personal information

Appropriate policies and procedures should be implemented to ensure the confidentiality of personal data, consistent with statutory, regulatory and private requirements.

Protection of intellectual property rights (IPR)

Appropriate policies and procedures should be implemented to ensure compliance with legal, regulatory and private requirements for all materials for which there may be IPR, including but not limited to proprietary software products.

Protection of organizational records

Appropriate policies and procedures should be implemented to ensure the confidentiality, integrity and availability of organizational records.

Control includes:

  • Categorization of data, consistent with statutory, regulatory, certificatory, contractual and business requirements
  • Creation of data protection policies consistent with this categorization
  • Creation of data retention and data destruction policies consistent with this categorization
  • Implementation of data retention and destruction schedule consistent with policies
  • Appropriate controls to protect records from loss, destruction or falsification during their retention period
  • Appropriate controls to assure appropriate destruction at the end of their retention period


Prevention of misuse of information and information processing facilities

Appropriate policies, procedures and end-user education should be implemented to deter misuse of information and information processing services, systems, equipment and facilities.

Control includes:

  • User awareness of the precise scope of their permitted access
  • User awareness of the monitoring in place to detect unauthorized access
  • A log-on warning message reminding users of access policies and monitoring
  • Intrusion detection/prevention, content inspection and other monitoring activities as appropriate


Regulation of cryptographic controls and other technologies

Appropriate policies and procedures should be implemented to ensure that cryptographic methods and controls, and any other national-security-sensitive technologies, are used in accordance with all relevant laws and regulations.

Information systems audit considerations

This category aims to maximize the effectiveness of and to minimize interference from information system audit processes.

Information systems audit controls

Audit controls should be implemented to allow collection of appropriate audit data on operational systems, while minimizing the risk of disruption to business processes.

Protection of information system audit tools

Access to information system audit tools should be appropriately limited to prevent misuse or compromise.

See Also

ISO-27002:2005 15.1.1
ISO-27002:2005 15.1.4
ISO-27002:2005 15.1.2
ISO-27002:2005 15.1.3
ISO-27002:2005 15.1.5
ISO-27002:2005 15.1.6
ISO-27002:2005 15.2.1
ISO-27002:2005 15.2.2
ISO-27002:2005 15.3.1
ISO-27002:2005 15.3.2

References

  • ISO 17799/27002 - Code of Practice for Information Security Management.