One of the questions asked most frequently is, "Do we really need to have an Information Security awareness and training program?" The question is often followed up by a statement calling into question the perceived value of awareness and training. The standard response is typically along the lines of, "Yes. It is required and, perhaps more importantly, the right thing to do."
Setting aside the value-based approach of 'doing the right thing' to keep information secure and private, most people are surprised to learn that Information Security awareness and training is a compliance obligation often required by law, industry regulation, and/or business contract. Additionally, it is called out in numerous 'best practice' frameworks.
So, in the spirit of ongoing Information Security awareness and to assist those who have requested more information on this subject, listed here are just a few of the numerous laws, regulations, and frameworks applicable to North America. Bear in mind some are industry specific.
Laws and Regulations (North America)
1. Health Information Portability and Accountability Act (HIPAA): §164.3
2. Canada Personal Information Protection Electronic Documents Act (PIPEDA): Schedule 1 Clause 4.1.4(c), Schedule 1 Clause 4.7.4
3. Privacy Act of 1974: §552a(e)(9)
4. Fair and Accurate Credit Transactions Act (FACTA): §151, §213(d)
5. FACTA Red Flag Rule: §41.90(e)(3), §222.90(e)(3), §334.90(e)(9), §571.90(e)(9), §681.2(e)(9), §717.90(e)(9)
6. Leahy Personal Data Privacy Security Act: §302(b)
7. FFIEC Information Security: Page 7, Page 62
8. NERC: CIP-004-1
9. FDA 21 CFR Pt 11: §11.10(i)
10. Massachusetts 201 CMR 17.00: §17.04(8)
Business Contracts
1. Payment Card Industry Data Security Standard (PCI DSS): §12.6
'Best Practice' Frameworks
1. ISO 17799 / ISO 27002: §8.2.2
2. ITIL Security Management: §4.2.2.2
3. AICPA Privacy: ID 1.1.1
4. NIST 800: numerous publications
Thursday, July 29, 2010
Thursday, July 15, 2010
More Than Just Being Compliant
There is more to Information Security awareness than just compliance with any number of laws and regulations. Awareness and training typically deals with the qualitative. Much of what we do to help keep information secure and private is tied directly to people, their roles, and cultivating a 'culture of awareness' within the organization. Spending time with people, both 1-to-1 and 1-to-many, is essential in helping them better understand how to mitigate risk to the organization within their job role. Their secure business practices then aggregate to meeting applicable compliance obligations.
For example, without awareness, how are IT people supposed to know that they ought to be designing and using technical controls? How is management supposed to understand the information security risks the organization faces on a daily basis, or their part in ensuring that those risks are brought under control? In other words, security awareness is much more than just an annual briefing of the troops. Regular employees need to appreciate that they may be scammed and exploited for their access to corporate and personal information, and that there are numerous security controls that depend on them being alert and reacting appropriately to threats that may materialize at any time.