
Chapter 14: Information Security Regulatory Compliance for Critical Infrastructure


terri




Presentation Transcript


  1. Chapter 14: Information Security Regulatory Compliance for Critical Infrastructure

  2. Objectives
     • Articulate the need for information security at a national level.
     • Understand the intent and objectives of the Federal Information Security Management Act (FISMA).
     • Relate the privacy requirements of the Family Educational Rights and Privacy Act (FERPA) to information security elements.

  3. Objectives (cont.)
     • Relate the integrity requirements of the Sarbanes-Oxley Act (SOX) to information security elements.
     • Develop an information security program that encompasses multiple regulations and requirements.

  4. Introduction
     Information security regulations have been developed to address the potential for abuses of the confidentiality, integrity, and availability of the systems that our economy and our citizens depend upon. This chapter looks at three of these regulations:
     • Federal Information Security Management Act (FISMA)
     • Family Educational Rights and Privacy Act (FERPA)
     • Sarbanes-Oxley Act (SOX)

  5. E-Government Is Becoming a Reality
     Benefits of e-government are:
     • Efficiency
     • Cost savings
     • Increased responsiveness
     Responsibility of e-government is to ensure:
     • Confidentiality
     • Integrity
     • Availability
     of the information and information systems used to provide government services

  6. Security at a National Level
     • Title III of the E-Government Act is FISMA (Federal Information Security Management Act)
     • Requires every federal agency to develop, document, and implement an information security program

  7. Elements Required for Compliance
     • Confidentiality of information
     • Integrity of information
     • Availability of information
     • Assurance that security measures are working
     • Accountability for compliance, headed by the Chief Information Officer of each federal agency

  8. NIST to the Rescue
     The National Institute of Standards and Technology provides guidance:
     • Standards to be used to categorize information
     • Guidelines for the types of information to be included in each category
     • Information security requirements for each category
     • All guidelines can be downloaded from the NIST site at http://csrc.nist.gov/publications

  9. The FISMA Implementation Project
     • Development of security standards and guidelines
     • Development of a program for accrediting organizations to conduct security certification services for federal agencies
     • Development of a program to validate commercial and government off-the-shelf security tools
     • The project can be found online at http://csrc.nist.gov/see-cert/ca-proj-phases.html

  10. Protecting the Privacy of Student Records
     The Family Educational Rights and Privacy Act protects the privacy of student education records.
     • Applies to all schools that receive funding from the Department of Education
     • Intent is to protect confidentiality

  11. What Is the Objective of FERPA?
     FERPA gives students the following rights:
     • Educational records can be accessed
     • Records can be disclosed only with student consent
     • Records can be amended
     • Complaints can be filed against the school for disclosing records in violation of FERPA

  12. What Is an Educational Record?
     • A record is anything that contains personally identifiable information
     • Directory information such as name, address, phone, and dates of attendance may be disclosed
     • Nondirectory information such as ID numbers, race/ethnicity/nationality/gender information, and transcripts/grade reports may not be disclosed

  13. It All Started with a Corporate Scandal
     • The Sarbanes-Oxley Act (SOX) was a response to the corporate financial scandals of the 1990s (Enron, WorldCom)
     • Regulates business processes and corporate accounting
     • Emphasizes protecting the integrity and availability of financial data

  14. What Does SOX Have to Do with Information Security?
     • Companies must establish procedures to protect and preserve records and data from:
       • Destruction
       • Loss
       • Unauthorized alteration
       • Other misuse

  15. Adopting a Control Framework
     • A control framework is a model or collection of controls that covers all internal controls expected in an organization
     • Two are generally accepted:
       • COSO
       • CobiT®

  16. Relevancy of ISO 17799:2000
     • All of the government regulations covered so far have common elements that are addressed by ISO 17799
     • ISO 17799 combined with an internal control framework such as COSO or CobiT® will cover most of the requirements

  17. Summary
     • Every organization, public and private, that processes, stores, or transmits information electronically is obligated to secure the information and information systems.
     • The federal government has recognized that this important task is often overlooked.
     • Federal agencies, as well as all organizations that access federal information, are subject to FISMA.

  18. Summary (cont.)
     • To support compliance activities, the National Institute of Standards and Technology (NIST) has published, and continues to publish, guidance on a variety of topics.
     • Educational institutions that receive funding from the Department of Education are subject to FERPA.
     • Publicly traded, SEC-registered companies must comply with section 404 of SOX.
