SOUTHFIELD – HIPAA, SOX, GLBA, CFR Part 11, Basel II? Alphabet soup? What's a good Chief Security Officer to do?

Complying with the regulatory requirements does not have to be scary, nor does it have to be a reactive fire drill. The primary intent of regulatory compliance is to establish a level of control and accountability, consistent with the goals of the business.

Using your internal security staff and technology, you now have an opportunity to do the right thing and follow a best practices model such as ISO 17799, an internationally recognized, detailed information security standard. As a result, you can take realistic, measurable steps and meet all of the regulatory concerns with one practice.

The core of the numerous regulations requires similar action. By establishing a sound security program you will be provided with all of the elements of compliance. A well-developed security program based on an industry best practice like ISO 17799 will encompass the spirit and intent of the many regulations.

The ISO 17799 model consists of 10 key areas: not a checklist, but rather guidelines and examples. Complying with any good security program requires a strong risk analysis and mitigation practice. You need to know who has what access to which information.

Modeled directly from the ISO 17799 standard, here are some practical steps that you can take to get started.

Many of you may be struggling with developing effective security policies. Start with considering the relationship to the business. Write policies that are clear and concise. Most importantly, gain management support and communicate the policies to the staff and business partners.

Ask yourself what processes should be in place to handle audits, security responsibilities, and authorizations. Who should define and enforce these processes? Develop an executive security forum with representatives from IT and your business units, and be sure to consider third-party partners and the requirements placed on outsourcers in your decisions.

If you are not aware of your critical assets and do not have a plan in place to protect them, how can you consider your organization secure? Take an inventory of your critical assets; classify and label each one, and assign it an owner. Periodically review the inventory for changes and make modifications as needed to meet the requirements of the business.

As much as 80 percent of the threats to your organization can come from inside your company. Ensure that these risks are mitigated by completing background checks on all potential hires. Be sure to keep key information confidential and require non-disclosure agreements. Establish procedures for reporting security incidents and threats. Remember, people can be both your strongest and your weakest link.

Keep the bad guys out. Secure your office borders with measures such as card access, security guards, and other entry controls. Third-party guests should only be allowed into controlled areas, such as conference rooms without company LAN access. Further ensure safety by cabling securely, locking critical server areas, regularly maintaining equipment, and locking desktops when not in use.

Having appropriate operational procedures in place can help prevent security failures. These procedures can be numerous and varied. Start with a few, such as developing an incident response team, segregating duties to minimize the opportunity for system misuse, and ensuring that licensing contract requirements are followed.

Access control is a key component of any good security practice. In developing and documenting the procedure for access control, be sure to include allocation of privileges, users' responsibility for their password and desktop, access to the network, and options for secure remote connectivity.

Inaccurate or exposed data will violate any number of the mandatory requirements within the regulations. Ensure that your company and client information has been entered correctly and is not corrupt. Validate that all applications are tested and reviewed. Protect the privacy of confidential information by using encryption methods when transmitting and storing sensitive data.

Last, but not least, develop and gain executive management buy-in for a strong disaster recovery plan to deal with immediate threats, followed up by a solid business continuity plan to get the organization back on track and functioning. Ensure that roles are assigned and test the plan periodically. Because execution is key, don't wait until an emergency to exercise your plan.

The ISO 17799 best practices model is an excellent guideline to enable your security organization and meet your compliance needs. Audit continually to ensure you continue to comply with legal requirements.

In summary, start with a high-level review of your critical assets to assess the organization's overall risk tolerance; next, define the policies needed to address strategic executive direction. (TIP: Each policy should rarely be more than one page. The policy and practice should be agreed to and understood by the business units and the executive committee. The goal is impact, not quantity. All standards, guidelines, and procedures will tie directly into each policy.) Continue progress by following the guidelines outlined in the ISO 17799 model. Develop and execute an enterprise education and awareness program. Lastly, remember that the key to overcoming many of your compliance challenges is to always document your actions and decisions.

While regulatory compliance may seem daunting, there is light at the end of the tunnel, and ultimately the benefits of compliance will ensure that your enterprise is able to mitigate risk and secure a manageable future.

Rachel Kahn, CISSP, PMP, ISSMP, is Director of Security with Computer Associates International.