Compliance with laws, regs & standards
Compliance with security-related laws & regulations

Hot source - recommended GigaLaw is our favorite source of up-to-date news stories on legal issues relating to IT.  Their blog serves up about 6 interesting hot IT law stories every day - great for just keeping in touch.  FindLaw, Stanford Law School’s Center for Internet and Society, Cornell’s Legal Information Institute and Out-law are also well worth a look. 

Hot source - recommended The IT Compliance Institute mysteriously dropped off the web in 2008 but thankfully some of their excellent papers are still available on the Truth 2 Power site.  Before the untimely demise, their Unified Compliance Project (UCP) was making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem between the laws, standards and regs covering the 12 areas shown below: 

[Figure: ITCi UCP coverage diagram]

A reasonable summary of around 20 (mostly US) laws and regs relating to information security and privacy at CSO Online is a reminder of the compliance workload in this area.

An important legal decision in the US courts regarding the ‘purchase’ of software and other intellectual property re-affirms the originator’s rights under typical license agreements to restrict onward sales to third parties.  Most software and intellectual property such as NoticeBored is not ‘sold’ to customers like, say, a television, but is provided under a license that restricts its use.

In the wake of the global banking meltdown, Basel III, an update to Basel II currently in preparation, seems likely to tighten up on the requirements for financial institutions to manage their risks.  The focus will presumably be on maintaining sufficient cash reserves and managing credit risks, but may include information security risks.

Laws enacted in many countries define roughly similar cybercrimes, where ‘roughly similar’ implies ‘consult competent legal professionals for help to appreciate the details’.  This is a relatively dynamic area of law with frequent changes as the legal systems try to catch up with creative cyber criminals, hackers, fraudsters and other miscreants.  For example, the Police and Justice Bill 2006 made Denial of Service attacks illegal under British law, something which the earlier Computer Misuse Act 1990 had unfortunately neglected to do.  Malware, identity theft, cyberextortion, wiretapping, bugging etc. are covered to differing extents by various legislatures, and interpreted to varying degrees by the courts.

The work continued at Unified Compliance, and has since turned commercial.  The Unified Compliance Framework (UCF) is an attempt to rationalize all the security obligations and control objectives, reducing the burden of compliance against additional laws, regs and standards to addressing just the marginal differences.  Great idea in theory, but rather complex to achieve in practice: if you have US$1,000 knocking around in your budget and are feeling overwhelmed by your security compliance obligations, the UCF toolkits are surely worth consideration.

US Government site cybercrime.gov offers news on US cybercrime and intellectual property cases and laws.

Visit SpamLaws.com to find out about anti-spam laws in various legislatures, such as CAN-SPAM.

Cryptography is legally regulated in many countries due to its potential use for military and illegal purposes.  A useful guide to cryptography laws around the world includes a world map highlighting import controls in the former USSR, China, Vietnam and Tunisia in particular.  There’s more at Crypto Law Survey.

The confusion of American privacy laws is covered quite well, we believe, by The Business Privacy Law Handbook by Charles Kennedy (~US$95 from Amazon).  It gives a good account of the legal ramifications of collecting, storing, processing and communicating personal information in the US.

“The landscape of regulatory requirements is an immense challenge.  It's just very tough for businesses to keep up with the changing requirements.” said Linda Stutsman, MD of I-4 (the International Information Integrity Institute) in a magazine interview on best practices.

According to Privacy International’s map of personal privacy legislation worldwide, most of Asia (outside the former USSR), Africa and USA are conspicuously lacking in privacy laws.

The quarterly Journal of Digital Forensics, Security and Law makes interesting reading for those in information security and forensics, security education, technology and law.

An article in Wired magazine brings home the realities of cybercrime policing in India.  Under-qualified investigators seem unlikely to follow the forensic techniques necessary to gather reliable evidence from IT systems.  Given that IT is such an important part of India’s economy, this is a significant concern.

The Practical Guide to HIPAA Privacy and Security Compliance by Kevin Beaver and Rebecca Herold (~US$88 from Amazon) does what it says on the tin.  A new version is due to be published in May 2011.  In a chatty paper on motivating compliance, Rebecca lists some 25 motivational factors.

“Whatever can go wrong, will go wrong” is Murphy’s law.  IT is full of examples that support this assertion, despite the very best efforts of IT quality assurance and testing gurus.  The law of gravity, still surprisingly popular after all these years, also has applications in the field of IT: as a scientist trained in the ways of that nice Mr. Newton, I can personally attest to that having dropped and broken two portable PCs ... so far.

Compliance with security standards

Hot source - recommended Visit our ISO27001security companion website for up-to-date information and pragmatic advice on the ISO27k information security standards and a raft of other related ISO/IEC and non-ISO standards such as the excellent NIST Special Publications.  Download the free ISO27k Toolkit for a set of example ISMS documents and implementation guidance prepared by people actually using the standards, and read the ISO27k FAQ.  Thousands of organizations have been certified compliant with ISO/IEC 27001, with many more actively using the ISO27k standards without being formally certified.

Hot source - recommended Confused by PCI?  Clear information here.

Hot source - recommended A well-written article in [IN]SECURE eZine explains how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 27002.  There is a useful table linking specific clauses in the ISO standard to SDLC phases.

Highly recommended reading NIST Special Publication 800-100 Information Security Manual: A Guide for Managers refers throughout to [US Government] agencies but in fact is broadly applicable, containing sound guidance on important areas such as information security governance, investment and metrics, planning, contingency, C&A, incident management and, of course, awareness training and education.

The IT Service Management Forum (itSMF) International, along with the Office of Government and Commerce, both promote ITIL, the IT Infrastructure Library.  Development of ITIL appears to be continuing independently from ISO 20000.  To find out more about information security in ITIL, read the ITIL v3 security book.

ISACA’s IT Assurance Framework guides assurance professionals such as auditors in the area of internal IT controls.

PCI DSS (Payment Card Industry Data Security Standard) is part of a cluster of standards from the PCI Security Standards Council mandating controls over cardholder data and payment processing systems.  PCI DSS version 2 goes into effect at the end of January 2011.

IT risk management and compliance explores compliance pressures on the CIO that relate to managing IT risks, particularly information security.

NIST FIPS PUB 200 defines Minimum Security Requirements for Federal Information and Information Systems.

ISO/IEC 15408 describes the Common Criteria for Information Technology Security Evaluation.  Products that are evaluated using Common Criteria have a defined level of assurance as to their information security capabilities that is recognized in most of the world.  Unfortunately, the evaluation process is quite costly and slow, and is therefore not widely used apart from in military and government markets.


Related NoticeBored links collections

Governance, privacy & data protection, identity theft, accountability, hacking,
email security, IT-related fraud and intellectual property


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk.  Please let us know about new or broken links.

Copyright © 2012  IsecT Ltd.