FAQ - Egan
As a security professional, it is important to understand how to design and implement Information Security (IS) programs that may have to comply with a particular government regulation. Listed below is some information I have gathered describing particular standards and regulations that are essential to follow in any IS implementation.
CobiT 4.1 - IT Governance guidance
ITIL v3.0 - IT Service Management guidance
ISO/IEC 17799:2005 - Information Security Standard
Sarbanes-Oxley - Regulation
PCI v1.1 - Security Standard
Gramm-Leach-Bliley Act (GLB) - Regulation
Health Insurance Portability and Accountability Act (HIPAA) - Regulation
CobiT 4.1 - IT Governance guidance

Control Objectives for Information and related Technology (COBIT) is an IT governance framework and supporting toolset that allows managers to bridge the gap between control requirements, technical issues and business risks. COBIT enables clear policy development and good practice for IT control throughout organizations. COBIT emphasizes regulatory compliance, helps organizations to increase the value attained from IT, enables alignment and simplifies implementation of the COBIT framework.


ITIL v3.0 - IT Service Management guidance

IT Infrastructure Library (ITIL) for IT Service Management was developed by the UK's Office of Government Commerce as a library of best practice processes for IT service management. Widely adopted around the world, ITIL® is now supported by ISO/IEC 20000 (was BS 15000), against which independent certification can be achieved.

The ITILv3 model contains the processes needed to manage services within the lifecycle structure. The core practices of Service Management life stages are then supported by more detailed complementary content specific to industry, stakeholder and practice topics. This makes the library more practical, easier to use and provides guidance specific to various stakeholder viewpoints.



ISO/IEC 17799:2005 - Information Security Standard

ISO 17799:2005 is "a comprehensive set of controls comprising best practices in information security". It is, in essence, an internationally recognized generic information security standard.

Its predecessor, titled BS7799-1, has existed in various forms for a number of years, although the standard only really gained widespread recognition following publication by ISO (the International Standards Organization) in December of 2000. Formal certification and accreditation were also introduced around the same time.

The ISO 17799 standard comprises ten prime sections:
    Security Policy
    System Access Control
    Computer & Operations Management
    System Development and Maintenance
    Physical and Environmental Security
    Compliance
    Personnel Security
    Security Organization
    Asset Classification and Control
    Business Continuity Management (BCM)

Having said all that, I was partial to NSA's National Institute of Standards and Technology NIST-800 series, since I had become so intimate with the Federal Information Processing Standards (FIPS) at CyberGuard and Thales e-Security. But now I have become more involved with CobiT, and I have shifted my preference towards the ISACA managed guidelines and IT best practices.


Sarbanes-Oxley - Regulation

The Sarbanes-Oxley Act (SOX) of 2002 is mandatory. ALL public organizations, large and small, MUST comply. The legislation came into force in 2002 and introduced major changes to the regulation of financial practice and corporate governance. Named after Senator Paul Sarbanes and Representative Michael Oxley, who were its main architects, it also set a number of deadlines for compliance.

The Sarbanes-Oxley Act is arranged into eleven titles. As far as compliance is concerned, the most important sections within these are often considered to be 302, 401, 404, 409, 802 and 906.


PCI v1.1 - Security Standard

The Payment Card Industry (PCI) Data Security Standard (DSS) was developed by the major credit card companies as a guideline to help organizations that process card payments prevent credit card fraud, cracking and various other security vulnerabilities and threats. A company processing, storing, or transmitting payment card data must be PCI DSS compliant or risk losing its ability to process credit card payments and being audited and/or fined. Merchants and payment card service providers must validate their compliance periodically. This validation is conducted by auditors, i.e. persons who are PCI DSS Qualified Security Assessors (QSAs).

The PCI DSS requirements are organized into six logically related groups, which are called "control objectives."


Gramm-Leach-Bliley Act (GLB) - Regulation

The Financial Modernization Act of 1999, also known as the "Gramm-Leach-Bliley Act" or GLB Act, includes provisions to protect consumers' personal financial information held by financial institutions. There are three principal parts to the privacy requirements: the Financial Privacy Rule, the Safeguards Rule and the pretexting provisions.


Health Insurance Portability and Accountability Act (HIPAA) - Regulation

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. The regulations address the security and privacy of health-related data. HIPAA also protects health insurance coverage for workers and their families when they change or lose their jobs.
