Compliance with laws, regs & standards

Deliberate wrong inputs will be persecuted by law

Compliance in general

Hot source - recommended The IT Compliance Institute (ITCi) offers a useful matrix showing the points of contact/overlap between laws, standards and regulations relating to information security including: ISO/IEC 27001/2, COBIT, COSO ERM, NIST SP 800-14/26/53, FISMA, Mastercard SDP, HIPAA, various FFIEC, SAS 94, PCAOB and SOX. An article contrasting ISO27k with the NIST SP 800-series standards graces the ITCi Journal for fall 2007.

The ITCi’s Unified Compliance Project (UCP) was making excellent plans to simplify, harmonize and perhaps even unify the IT compliance problem between the laws, standards and regs covering the 12 areas shown below:

ITCi UCP coverage diagram

For some reason, ITCi seems now to have pulled out of the UCP (which continues over at Unified Compliance) but has instead set up the Combined Compliance Initiative (CCI).

In a paper on motivating compliance, security awareness guru Rebecca Herold lists some 25 motivational factors.

Compliance with security standards

Added May 7th Consult2Comply offers consultancy support for governance, risk and compliance, and sells a range of British and international standards.

Hot source - recommended A well-written article in [IN]SECURE eZine explains how information security can and indeed should be integrated with the systems development lifecycle (SDLC), using ISO/IEC 27002. There is a useful table linking specific clauses in the ISO standard to SDLC phases.

Hot source - recommended A paper by the IT Governance Institute comparing COBIT to COSO, ITIL, ISO/IEC 27002, FIPS PUB 200, ISO/IEC TR 13335, ISO/IEC 15408 Common Criteria/ITSEC PRINCE2, PMBOK, TickIT, CMMI, TOGAF, IT Baseline Protection Manual and NIST SP 800-14, includes excellent summaries of all those standards.

Hot source - recommended Forrester Research’s Michael Rasmussen neatly summarized the pros and cons of ISO/IEC 27002.

Hot source - recommended Visit our ISO27001security website for up-to-date info and pragmatic advice on the ISO27k information security management system standards and a raft of other related ISO/IEC and non-ISO standards such as the excellent NIST Special Publications. See our flowchart summarizing a typical ISO/IEC 27002 implementation and ISO/IEC 27001 certification process, implementation guidance and metrics and a small but growing collection of example ISMS documents. Thousands of organizations have been certified compliant with ISO/IEC 27001 or equivalent national information security management system standards. A case study expounding the commercial value of ISO/IEC 27002 revealed some surprising linkages between information security management and general business management, plus several indirect benefits that are seldom mentioned elsewhere. The case study is also available in Spanish thanks to our friends at www.iso27000.es.

Highly recommended reading NIST Special Publication 800-100 Information Security Manual: A Guide for Managers refers throughout to [US Government] agencies but in fact is broadly applicable, containing sound guidance on important areas such as information security governance, investment and metrics, planning, contingency, C&A, incident management and, of course, awareness training and education.

IT risk management and compliance explored compliance pressures on the CIO that relate to managing IT risks, particularly information security.

Road Map for Information Security: What to Do After BS 7799 Certification is a members-only paper on the ISACA website that outlines the things necessary to keep the momentum going after an organization gets itself certified against ISO/IEC 27001. We are pleased to note that continuous security awareness is one of the items listed.

NIST FIPS PUB 200 defines Minimum Security Requirements for Federal Information and Information Systems.

The VISA Cardholder Information Security Program includes a security standard designed to ensure that all VISA merchants conform to a common security baseline, plus the associated training, validation and certification processes.

ISO/IEC 15408 describes the Common Criteria for Information Technology Security Evaluation. Products that are evaluated against the Common Criteria have a defined level of assurance as to their information security capabilities that is recognized in most of the world. Unfortunately, the evaluation process is quite costly and slow, and is therefore not very widely used apart from niche markets.

Compliance with laws & regulations

Hot source - recommended GigaLaw is our favorite source of up-to-date news stories on legal issues relating to IT. Their single daily digest newsletter serves up about 6 interesting hot IT law stories every day - great for just keeping in touch. FindLaw dotcom, cyberlaw.stanford.edu and out-law dotcom are also worth visiting.

The UK Information Commissioner publishes enforcement notices for organizations caught in contravention of the Data Protection Act. Evidently public humiliation is part of the punishment.

“The landscape of regulatory requirements is an immense challenge. It's just very tough for businesses to keep up with the changing requirements.” said Linda Stutsman, MD of I-4 (the International Information Integrity Institute) in a magazine interview on best practices.

The IT Compliance Institute publishes compliance audit checklists, including one on PCI DSS and another on logging, monitoring and reporting for example. Their FAQ 10 Pitfalls to Avoid in PCI Security Standard Compliance is worth reading, even if you are not subject to PCI DSS.

The quarterly Journal of Digital Forensics, Security and Law makes interesting reading for those in information security and forensics, security education, technology and law.

Cryptography is legally regulated in many countries due to its potential use for military and illegal purposes. Find out about the worldwide situation from CryptoLaw in the Netherlands.

Amongst other police reforms, the Police and Justice Bill 2006 made Denial of Service attacks illegal under British law. The Computer Misuse Act 1990 made it an offence to access a computer or modify data without authority, covering most hacks but not explicitly DoS attacks such as DoS-based extortion.

An article in Wired magazine brings home the realities of cybercrime policing in India. Under-qualified investigators seem unlikely to follow the forensic techniques necessary to gather reliable evidence from IT systems.

According to some, the CAN-SPAM Act does not appear to have been very effective in reducing the deluge of spam but it has only been in force about a year so far - a mere bat of an eyelid in legal time. CAN-SPAM is one of a small but growing body of anti-spam laws. Spam has been recognized as a serious problem for a few years but, to give them due credit, conservative lawmakers have moved relatively quickly and are finally responding to spam. For information on anti-spam laws in various legislatures, visit SpamLaws.com.

An ISP whose mail servers were affected by spam has been awarded nearly $1bn by a federal judge in Iowa under the Federal Racketeer Influenced and Corrupt Organizations Act and the Iowa Ongoing Criminal Conduct Act. Collecting the fines may not be entirely successful but the message to spammers is clear enough.

Very succinct summaries of a ‘representative sample’ of US computer crime cases are listed on Cybercrime.gov with links to further information on each case. Another page from the site lists intellectual property cases. Perhaps this information will dispel the myth that computer crimes are a soft option for criminals.

If you are struggling to come to terms with HIPAA, take a look at The Practical Guide to HIPAA Privacy and Security Compliance by Kevin Beaver and Rebecca Herold (~$81 from Amazon).

A useful guide to cryptography laws around the world includes a world map highlighting import controls in the former USSR, China, Vietnam and Tunisia in particular.

“Whatever can go wrong, will go wrong” is Murphy’s law. IT is chock full of examples that support this assertion, though fans of IT quality assurance might claim otherwise. Murphy’s law definitely applies to IT, as indeed does the law of gravity (as a scientist trained in the ways of Newton, I can personally attest to that having dropped and broken two portable PCs ... so far).

A map shows the status of personal privacy legislation worldwide. Most of Asia/Pacific (outside the former USSR), Africa and USA are conspicuously lacking in privacy laws, according to Privacy International anyway.

IT and Sarbanes Oxley [site access requires free registration] makes the point that IT Departments have more to consider than just SOX section 404.

US Government site www.cybercrime.gov organizes its information separately for law enforcement officials, IT workers and the general public.

The financial services industry has a broad range of laws, rules and regulations relating to information security, including privacy and data protection aspects. For instance, the Gramm-Leach-Bliley Act (GLBA) defines the need for financial institutions to protect consumer data. Various law websites carry information on privacy legislation e.g. the Legal Information Institute at Cornell University.


Related NoticeBored links collections

Governance, privacy & data protection, identity theft, accountability, hacking, email security, IT-related fraud and intellectual property


NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.



Copyright © 2008 IsecT Ltd. and licensors