

Tuesday, August 21, 2007

ISO 17799 — Compliance

Compliance has become one of the most talked about security issues in American business. Banks and financial institutions have had government oversight for decades; new compliance requirements have now been imposed on many other kinds of organizations as well.

Recent financial reporting irregularities prompted Congressional action: public companies must now comply with the financial and accounting disclosure requirements of the Sarbanes-Oxley Act (SOX). In response to identity theft and fraud, any business, small or large, that accepts credit cards is required to abide by the card brands' Payment Card Industry Data Security Standard (PCI DSS), a contractual rather than statutory obligation, but one with real financial consequences for non-compliance. Organizations in the healthcare industry must adhere to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The ISO 17799 section on compliance (the standard was renumbered ISO/IEC 27002 in 2007) has as its objective helping organizations avoid breaches of any criminal or civil law, of any statutory, regulatory or contractual obligation, and of any security requirement. This section brings together IT, legal, accounting and security.

Intellectual Property Rights

This is all about patents, trademarks, copyrights (including software licenses) and trade secrets. Some recommendations on what an organization can do to help safeguard its IP include: know what you have, prioritize it, label it, lock it down, educate employees, know your tools, think holistically, and apply a counter-intelligence mindset. Responsibility for IP protection spans the entire organization, from the IT systems and facilities to the users, information owners and management.

Safeguarding of Organizational Records

Organizational records, whether hard copy or soft copy, should be protected from loss, destruction and falsification. Whether the records are accounting data, databases, transaction and audit logs or operational procedures, they are stored on paper, microfiche, magnetic or optical media, and each must adhere to a defined retention period. A retention period is only meaningful if the record remains readable for its duration, so media lifetime, file formats and, for encrypted records, the keys needed to decrypt them must be managed alongside the records themselves. Records are needed for business purposes (demonstrating financial status to shareholders, partners and auditors), as a precaution required by statutory or regulatory rules, and as a defense against potential civil or criminal action.

Data Protection and Privacy of Personal Information

Identity theft is only going to get worse. Penalties for organizations that fail to exercise due diligence when collecting, processing, disseminating and storing personal information will become more frequent and more severe. Large companies will appoint a data protection officer. Smaller organizations need to assign someone to oversee this protection requirement: defining it, creating policies for it, and enforcing it.

Prevention of Misuse of Information Processing Facilities

Management must ensure that business, network and computer equipment and facilities are only used for authorized business purposes. Too many people use their employer's resources for personal use. The policy must clearly state what is permitted, with everything else denied, and it must be properly enforced. Users should also be told, for example through a logon warning message, that use is restricted to authorized purposes and may be monitored; without that notice, monitoring and disciplinary action may themselves be legally questionable.

Regulation of Cryptographic Controls

Over the past few years, restrictions on commercially available cryptographic technologies have been relaxed. But do not assume that every country you need secure communications with will permit your chosen cryptographic solution: import, export and use of cryptography are still controlled differently in different jurisdictions, and some countries restrict strong encryption or require that keys be made available to authorities.

Collection of Evidence

In the (hopefully unlikely) event that you need to support an action, e.g. a legal action against a person or organization, it is essential that your methods of collecting and safeguarding material follow proper processes and procedures. There are rules of evidence covering the chain of custody, the related documentation and the media. In practice that means recording who collected what, when and how, working from verified copies rather than the original media, and being able to show that nothing was altered after collection (for example by hashing each item at the time it is taken). Making sure the evidence is admissible will be a huge factor in the outcome of your case.
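As an added illustration of the chain-of-custody point above (example code written for this page, not part of the original article or of ISO 17799 itself), the following records a SHA-256 hash for each evidence item at acquisition and keeps a custody log in which every entry commits to the hash of the previous entry, so that altering or removing an entry later is detectable. The sample evidence bytes, item identifier and names are constructed for the demonstration.

```python
"""Evidence integrity and hash-chained custody log (illustrative example)."""
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of raw bytes; the fingerprint recorded at collection time."""
    return hashlib.sha256(data).hexdigest()


def acquire(item_id: str, data: bytes, collector: str, when: str) -> dict:
    """Describe one evidence item as it was taken: identity, hash, size, who, when."""
    return {
        "item_id": item_id,
        "sha256": sha256_hex(data),
        "size": len(data),
        "collected_by": collector,
        "collected_at": when,
    }


def verify_item(record: dict, data: bytes) -> bool:
    """Check that a copy of the evidence still matches its acquisition record."""
    return record["sha256"] == sha256_hex(data) and record["size"] == len(data)


class CustodyLog:
    """Append-only log; each entry's hash covers its content and the previous hash."""

    GENESIS = "0" * 64  # prev_hash for the first entry

    def __init__(self):
        self.entries = []

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = {"seq": len(self.entries), "prev_hash": prev, **event}
        # Canonical JSON (sorted keys) so the hash is reproducible on verification.
        body["entry_hash"] = sha256_hex(json.dumps(body, sort_keys=True).encode())
        self.entries.append(body)
        return body

    def verify(self) -> bool:
        """Recompute every entry hash and check the chain links; False on any break."""
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev:
                return False
            if sha256_hex(json.dumps(body, sort_keys=True).encode()) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo() -> dict:
    """Walk through acquisition, transfer, and two tampering attempts."""
    # Constructed sample evidence: one line from a captured authentication log.
    evidence = b"2007-08-21T09:14:02Z sshd[4412]: Accepted password for admin from 203.0.113.7\n"
    log = CustodyLog()
    record = acquire("ITEM-001", evidence, "analyst A", "2007-08-21T09:30:00Z")
    log.append({"event": "acquired", **record})
    log.append({"event": "transferred", "item_id": "ITEM-001",
                "from": "analyst A", "to": "evidence locker",
                "at": "2007-08-21T10:00:00Z"})
    intact = log.verify() and verify_item(record, evidence)

    # Tampering with the stored copy of the item is caught by the hash.
    altered_copy = evidence.replace(b"admin", b"root")
    item_tamper_detected = not verify_item(record, altered_copy)

    # Editing a log entry after the fact breaks that entry's hash and the chain.
    log.entries[0]["collected_by"] = "someone else"
    log_edit_detected = not log.verify()

    return {
        "intact": intact,
        "item_tamper_detected": item_tamper_detected,
        "log_edit_detected": log_edit_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The hash chain only proves internal consistency; to show the log itself was not rewritten wholesale, the latest entry hash should be copied somewhere the custodian cannot alter (a signed printout, a witness's notes, or a timestamping service).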

Like most ISO 17799 areas, compliance belongs under the organization's security policy. Regular reviews and audits of compliance policies help enforce them and provide the basis for an active, closed-loop corrective action program: findings are recorded, assigned, fixed and re-checked at the next review.

Author : Jeff Hayes
