Lect 03

The document discusses maintaining compliance with laws, regulations, and organizational policies. It outlines key US laws regarding information security, privacy, and financial compliance. These include FISMA, HIPAA, GLBA, Sarbanes-Oxley, and FERPA. It also discusses related regulations enforced by agencies like the SEC and standards/guidelines for compliance like PCI DSS, NIST, COBIT, ISO, and ITIL. Organizational policies around separation of duties, vacations, and acceptable use are also important for maintaining compliance.

Uploaded by Nguyen Quoc Khai

Maintaining Compliance

Objectives

• US laws about compliance
• Regulations
• Organizational policies about compliance
• Standards and guidelines

http://fpt.edu.vn 1/6/2018 2
Compliance

• Companies affected by the laws are expected to comply with the laws
– commonly referred to as compliance
• To ensure the companies remain in compliance with relevant laws and regulations:
– internal audits
– external audits

US-based Laws
• Federal Information Security Management Act (FISMA, 2002):
– mandates that the Federal government and its contractors follow a common set of
information security standards. The standards are set by the National Institute of
Standards and Technology (NIST).
• Health Insurance Portability and Accountability Act (HIPAA, 1996):
– establishes a large, complicated rule set for storing health information in a common
format, making it sharable, and making it a crime to share it with people who should not
have it.
• Gramm-Leach-Bliley Act (GLBA, 1999):
– also called the Financial Services Modernization Act; deregulated banks and financial
services, allowing each institution to offer banking, investments, and insurance services
– included three rules that affect privacy. The Financial Privacy Rule allows people to opt
out of having their data shared with partner companies, but it is usually implemented so
that it is easier to allow the sharing. The Safeguards Rule requires that companies have
data security plans. The Pretexting Rule tells institutions to implement procedures to
keep from releasing information to people who are trying to gain information under false
pretenses (pretexting).

US-based Laws (cont.)

• Sarbanes-Oxley Act (SOX, 2002):
– A reaction to corporate fraud and corruption; provides penalties up to
$5,000,000 and 20 years in prison for officers who file false corporate
reports
• Family Educational Rights and Privacy Act (FERPA, 1974):
– Requires that schools, such as colleges and universities, protect the privacy
of their student records, and provide students access to their own records
• Children's Internet Protection Act (CIPA, 2000):
– A law that means to protect children from obscenity, pornography, and
harmful material. This law requires libraries to use filtering software on
computers used by minors, and also allows librarians to provide access
without the filter to adults who request such access.

Regulations Related to Compliance

• The difference between a law and a regulation:
– In the United States, most laws are created by legislative branches
of government, either at federal level or by the legislature of a state,
its senate and house of representatives.
– Regulations are created by agencies in the executive branch of
government, and often they are rules about the enforcement of a
law. Regulations must be followed as laws must be followed, so it is
important to know about the ones that affect your business and
your life.

Regulations Related to Compliance (cont.)

• The IT industry is subject to regulations created and enforced by several entities:
– Securities and Exchange Commission (SEC)
– Federal Deposit Insurance Corporation (FDIC)
– Department of Homeland Security (DHS)
– Federal Trade Commission (FTC)
– State Attorney General (AG)
– U.S. Attorney General (U.S. AG)

Organizational Policies for Compliance
• Fiduciary responsibility (important):
– An attorney and a client
– A CEO and a board of directors
– Shareholders and a board of directors
– Two steps can be taken: due care and due diligence
• Mandatory vacations
• Job rotation
• Separation of duties
• Acceptable use

Standards and Guidelines for Compliance
• (Security) policy provides constraints of behavior for an organization’s
personnel as well as its information systems and other machinery:
– i.e. it specifies the activities that are required, limited, or forbidden in an organization.
• Policy effectiveness requires a top-down approach. An effective
security policy must be:
– approved by senior management
– communicated to employees
– periodically reviewed
– assessed for effectiveness
• The term Requirements usually refers to characteristics of an
information system or business process.
• Standards are mandatory requirements that support individual policies.
• Procedures are mandatory, step-by-step, detailed actions required to
successfully complete a task.
• Guidelines are recommendations for the regular and consistent
implementation of accepted practices.
Standards and Guidelines for Compliance (cont.)

• Payment Card Industry Data Security Standard (PCI DSS):
– A global standard for processing payments by bank, credit, and debit cards.
– Created in 2006, it requires that an organization taking payments of this
type have and use security policies.
– It also requires that the card processor have a secure network, protect
cardholder data, manage vulnerabilities, and have strong controls.
• National Institute of Standards and Technology (NIST):
– It is a division of the U.S. Department of Commerce that houses the
Information Technology Laboratory (ITL); cf. NIST SP 800-30.
• Generally Accepted Information Security Principles (GAISP):
– evolved from Generally Accepted System Security Principles (GASSP, 1992)

Standards and Guidelines for Compliance (cont.)

• Control Objectives for Information and related Technology (COBIT):
– a set of good practices for IT management, written by the IT Governance
Institute (ITGI) with ISACA (Information Systems Audit and Control Association).
• International Organization for Standardization (ISO):
– develops and publishes standards, jointly with the International Electrotechnical
Commission (IEC), as ISO/IEC standards.
– Members from 159 countries.
• International Electrotechnical Commission (IEC):
– prepares and publishes standards for electrical, electronic, and related
technologies.

Basic COBIT Principle

Standards and Guidelines for Compliance (cont.)

• Information Technology Infrastructure Library (ITIL):
– A group of books developed by the United Kingdom's Office of
Government Commerce (OGC)
– Two frameworks recommended by ITIL: COBIT and CMMI
• Capability Maturity Model Integration (CMMI):
– A process improvement approach to management.
• Department of Defense (DoD) Information Assurance
Certification and Accreditation Process (DIACAP):
– a risk management process, used for IT systems in the U.S. DoD.

ITIL Life Cycle
