The Sarbanes-Oxley Act (SOX) became law in 2002 in the wake of the Enron financial scandal. Its focus is setting rules for how public companies and their accounting firms handle corporate governance and financial disclosures – it is not specifically concerned with information security.
However, a number of sections of the act do affect information security management, including:
1. Section 302 which requires the CEO and CFO to certify that the organization’s financial reports are true and accurate, and that the organization has put in place adequate controls over financial reporting and disclosure.
2. Section 404 which describes the required controls, and requires outside auditors to certify that the controls exist and are adequate.
3. Section 409 which requires publicly traded companies to promptly report any change in financial condition or operations that might be material to investors – which could include an information security incident.
4. Section 802 which requires organizations and their auditors to retain accounting documents and work papers (both paper and electronic) for a minimum of seven years.
Since a financial misstatement or disclosure failure caused by improperly secured financial data would be as much a violation of the law as one caused by any other kind of event, there is an implied requirement that organizations implement sound information security practices over the systems that produce their financial reports.
Compliance with the law from the point of view of information security is usually demonstrated by building a management system that follows one of the well-established security and/or IT management frameworks such as ISO 17799 (now ISO/IEC 27002) or COBIT – both of which include security awareness training as a fundamental component.
Thursday, June 30, 2011
Wednesday, June 22, 2011
ISO 27002 and Security Awareness Training
ISO/IEC 27002:2005(E) ("Information technology – Security techniques – Code of practice for information security management") is a widely-used guide to information security management that reflects accepted best practice, and which is used in businesses and government organizations around the world.
Security awareness training is a key component of the ISO 27002 management system. It is listed as one of the 7 "common practices for information security", and it is also one of 10 factors highlighted as "critical" for the successful implementation of information security processes within an organization.
The core recommendations that relate to information security awareness and training are encapsulated in §8.2.2 of the standard where it says:
Control
All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
Implementation Guidance
Awareness training should commence with a formal induction process designed to introduce the organization’s security policies and expectations before access to information or services is granted.
Ongoing training should include security requirements, legal responsibilities and business controls, as well as training in the correct use of information processing facilities e.g. log-on procedure, use of software packages and information on the disciplinary process (see 8.2.3).
Other Information
The security awareness, education, and training activities should be suitable and relevant to the person’s role, responsibilities and skills, and should include information on known threats, who to contact for further security advice and the proper channels for reporting information security incidents (see also 13.1).
In addition to this section, security awareness is also referenced in the standard in §0.6, §0.7, §5.1.1, §6.1.1, §6.1.2, and §6.2.3. The special cases of training related to mobile computing and business continuity are referenced in §11.7.1 and §14.1.4.
Thursday, June 16, 2011
COBIT and Security Awareness Training
COBIT (Control Objectives for Information and Related Technology) was developed by the Information Systems Audit and Control Association (ISACA) and the IT Governance Institute (ITGI). It is a much broader framework than the ISO 27000 series since it applies to the entire IT function of an organization (rather than just information security) and provides a mechanism for assessing the maturity of an organization’s IT processes across 34 defined processes.
COBIT doesn’t have a section dedicated to information security awareness and training, but there are specific references to it in the following sections:
PO6 Communicate management aims and direction
PO7 Manage IT human resources
DS5 Ensure systems security
DS7 Educate and train users
Although COBIT makes no specific recommendations as to best practices, it does provide a series of maturity models that enable an organization to gauge how well it is doing. The COBIT maturity model for training (DS7 – Educate and Train Users) describes the following characteristics for each of its 6 maturity levels (0 to 5):
Level Definition Requirement
0 Non-Existent - There is a complete lack of any training and education program.
1 Initial/Ad Hoc - Employees have been identifying and attending training courses on their own. Some of these training courses have addressed the issues of ethical conduct, system security awareness and security practices.
2 Repeatable but Intuitive - Informal training and education classes are taught that address the issues of ethical conduct and system security awareness and practices.
3 Defined Process - Formal classes are given to employees in ethical conduct and in system security awareness and practices, training and education processes are monitored.
4 Managed and Measurable - All employees receive ethical conduct and system security awareness training. All employees receive the appropriate level of system security practices training in protecting against harm from failures affecting availability, confidentiality and integrity. Management monitors compliance.
5 Optimized - Sufficient budgets, resources, facilities and instructors are provided for the training and education programs. There is a positive attitude with respect to ethical conduct and system security principles.
Wednesday, June 8, 2011
HIPAA Privacy and Security Rules, and Security Awareness Training
HIPAA – the Health Insurance Portability and Accountability Act – is federal legislation passed in 1996 that addresses various elements of healthcare in the United States, including health insurance reforms and several other areas not related to privacy or security.
However, this law also includes a mandate for the US Department of Health and Human Services ("DHHS") to issue regulations that specify privacy and security protection for healthcare information about individuals.
HIPAA compliance requires training of almost all individuals who work for a healthcare organization – even those who may only be incidentally exposed to patient information.
Examples of people who should be trained in the HIPAA regulations include:
physicians, chiropractors, nurses, technicians
administrators, clerks, order processing staff
staff employees such as custodians, transportation, security
volunteers, independent contractors, consultants and vendors
And the rules also require that these training programs are fully documented.
The HIPAA Privacy Rule
The HIPAA Privacy Rule was finalized during the summer of 2002. Under this rule, healthcare organizations across the country must train all employees in the basics of patient privacy and confidentiality including concepts such as "Protected Health Information" (PHI) and the "Minimum Necessary" principle.
The HIPAA Security Rule
The final version of the HIPAA Security Rule was issued by the DHHS in February 2003. This rule specifies a wide range of provisions to improve the way that patient information is secured against disclosure, modification or loss, including security awareness training for all staff (including management) with access to patient information. The training standard itself is required; its implementation specifications are "addressable", meaning a covered entity must either implement them or document why an alternative is reasonable. These measures include user training on:
protection from malicious software (viruses & worms)
creating and managing passwords
log-in monitoring – watching for and reporting failed or suspicious log-in attempts
as well as the provision of periodic security reminders.
Wednesday, June 1, 2011
PCI Data Security Standard and Security Awareness Training
The Payment Card Industry (PCI) Data Security Standard is a set of comprehensive security requirements that applies to merchants and service providers who process, transmit and/or store payment card information. The standard grew out of programs developed by Visa and MasterCard and has since been adopted by the other major payment card brands.
The part of the standard that relates to security awareness and training is section 12.6 which requires merchants and service providers to:
Implement a formal security awareness program to make all employees aware of the importance of cardholder data security.
- Educate employees upon hire and at least annually.
- Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.
Separately, merchants and service providers are also required to provide appropriate training to staff with security breach response responsibilities.