Seven Steps to Information Security Compliance

Oct. 27, 2008

Cyber communications technology is continually advancing. E-mail is already the most used form of communication, and the use of radio frequencies and satellite relays will soon facilitate wireless communication from anywhere on the planet. The affordability of computers coupled with the world's level of information dependency creates a critical problem for the security and privacy of data. Many organizations need to comply with a myriad of standards and rules such as FISMA, HIPAA, SOX, ISO 17799, and GLBA, to name a few.

Information security policies and standards can provide an organization with an accurate security baseline and the tools to strengthen its security posture. To achieve compliance, any organization must master the “Big Four”—perimeter defenses, system certifications, auditing, and user involvement. Without the implementation of these four safeguards, costs associated with non-compliance will eventually usurp security efforts. Surveys have already revealed that businesses prefer speed and capacity over the security and privacy of data. The security “sell” will continue to be an uphill battle.

There are seven steps chief information security officers can take to launch their organizations in the direction of InfoSec compliance, regardless of their available resources.

Identify current or potential vulnerabilities. The acknowledgement of auditing agency findings and the CISO's own observations and records may be good resources.

Apply objective values to issues requiring attention. Usually objective measurements coincide with cost.

Establish a priority list. The philosophy that “ Rome was not built in a day” may apply here. The cost of security hardware and software is ever-increasing, and the demands on most budgets are great—so choose carefully.

Start complying. Any progress is progress! Without taking that first step, success can never be realized. Just get in the game.

Create a comprehensive security, education and awareness program. This is the first line of defense for information assurance in business, government and military enterprises. Users are often eager to assist and comply when they know the rationale behind such efforts. Make them well aware of the threat. While CISOs may desire to keep successful or attempted attacks confidential, it may be important to share such information with users. Theoretical security incidents or scenarios do not have the same impact as real facts. That said, users must not be allowed to independently or unilaterally decide whether to adopt necessary safeguards. Without mandated compliance to InfoSec policies, the system is no stronger its weakest user.

Market success. Sell your security and compliance program to upper management by illustrating real dollar savings. Everyone loves a winner! Success will be rewarded with dollars to further enhance compliance.

Always seek to increase budgets. Never miss an opportunity to ask for a budget increase to better safeguard information and enhance the company's bottom line.

Lou Magnotti is the Chief Information Security Officer for the U.S. House of Representatives. Mr. Magnotti is a recognized security professional with more than 26 years of government and industry experience. He provides information assurance counsel to multiple federal agencies, is a member of the (ISC)? Government Advisory Board for Cyber Security and a member of the Security Executive Council, founded by CSO magazine. For information about the Security Executive Council, visit www.csoexecutivecouncil.com/?sourceCode=std .

---------------------------------------------

Get a Handle on Information Security Rules and Standards

FISMA: The Federal Information Security Management Act of 2002 is meant to bolster computer and network security within the federal government and affiliated parties, such as government contractors , by mandating yearly audits .

HIPAA: The Health Insurance Portability and Accountability Act requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Provisions also address the security and privacy of electronic health data.

SOX: The Sarbanes-Oxley Act was designed to restore investor confidence following the outbreak of corporate scandals and bankruptcies around 2000. Although the purpose of SOX was to ensure corporate financial accountability and eliminate the risk of any future Enron-type debacle, it has had a major impact on IT departments. SOX requires companies to store and protect all relevant financial records for seven years.

GLBA: The Gramm Leach Bliley Ac t is designed to protect the private financial information of consumers. The law instructs financial institutions to secure and protect private information from unauthorized use or access.

ISO 17799: According to Praxiom Research Group Ltd., "The ISO/IEC 17799 standard consists of recommended best practices for information security . The standard is all-encompassing. It takes a very broad approach to information security . In the context of this standard, the term information includes all forms of data, documents, communications, conversations, messages, recordings and photographs."