- Basic Security Principles
- Data Management: Determine and Maintain Ownership
- Data Standards
- Data Security, Protection, Sharing, and Dissemination
- Classifying Information and Supporting Assets
- Asset Management and Governance
- Determine Data Security Controls
- Laws, Standards, Mandates and Resources
- Exam Prep Questions
- Answers to Exam Prep Questions
- Need to Know More?
Laws, Standards, Mandates and Resources
The following laws, standards, and mandates have an impact on information security and can affect the risk profile of an organization. Regardless of the laws and mandates, organizations should be proactive when it comes to corporate governance. Several laws and mandates are described here:
Health Insurance Portability and Accountability Act (HIPAA)—HIPAA was signed into law in 1996. It has two areas. Title I of the HIPAA of 1996 protects health insurance coverage for workers and their families when they change or lose their jobs. Title II requires the U.S. Department of Health and Human Services (DHHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers.
Under HIPAA, the U.S. DHHS was required to publish a set of rules regarding privacy. The Privacy Rule dictates controls that organizations must put in place to protect personal information. The privacy rule defines three major purposes:
“To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information.”
“To improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care.”
“To improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.”
Gramm-Leach-Bliley Act (GLBA)—GLBA was signed into law in 1999 and resulted in the most sweeping overhaul of financial services regulation in the United States.
Title V of GLBA addresses financial institution privacy with two subtitles. Subtitle A requires financial institutions to make certain disclosures about their privacy policies and to give individuals an opt-out capability. Subtitle B criminalizes the practice known as pretexting, which can be described as the practice of obtaining personal information under false pretenses.
Under GLBA, financial institutions are required to protect the confidentiality of individual privacy information. As specified in GLBA, financial institutions are required to develop, implement, and maintain a comprehensive information security program with appropriate administrative, technical, and physical safeguards. Administrative controls include items such as background checks and separation of duties. Technical controls can be hardware or software, such as encryption or an IDS. Physical controls include gates, guards, and fences. The controls specified in the information security program must include:
The assignment of a designated program manager for the organization’s information security program
A periodic risk and vulnerability assessment and audit
A program of regular testing and monitoring
The development of policies and procedures for control of sensitive information and PII
Federal Information Security Management Act (FISMA)—FISMA was signed into law in 2002. One of the big changes that FISMA brought about was a set of clear guidelines for information security designed for the protection of federal government IT infrastructure and data assets. FISMA requirements specify the following responsibilities:
Develop and maintain an information assurance (IA) program with an entire IT security architecture and framework.
Ensure that information security training is conducted to keep IAT and IAM personnel properly trained and certified in accordance with DoD. 8570.
Implement accountability for personnel with significant responsibilities for information security.
FISMA also requires periodic risk assessments, risk assessment policies and procedures, periodic (at least annual) testing and evaluation, and proper training and awareness to senior management so that proper security awareness programs can be deployed.
Sarbanes-Oxley Act (SOX)—SOX was signed into law in 2002. This act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures, and combat corporate and accounting fraud. Sections 302 and 404 are the two sections that address IT infrastructures and information security. Section 302 requires the CEO and CFO to personally certify that the organization has the proper internal controls. It also mandates that the CEO and CFO report on effectiveness of internal controls around financial reporting.
Section 404 sets requirements on management’s structure, control objectives, and control procedures. Staying compliant with Section 404 requires companies to establish an infrastructure that is designed to archive records and data and protect them from destruction, loss, unauthorized alteration, or other misuse. It requires that a set of comprehensive controls be put in place and holds CEOs and CFOs accountable.
United States Resources
NIST started as the National Bureau of Standards and changed its name in 1989 to the National Institute of Standards and Technology. Some of the NIST documents a CISSP should have knowledge of are:
NIST 800-37—Guide for applying risk management.
NIST 800-53—Government publication that provides guidelines for selecting and specifying security controls for information systems supporting the executive agencies of the federal government. Many organizations in private industry use NIST SP 800-53 as a guide for their own security management.
NIST 800-60—Guide for Mapping Types of Information and Information.
Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States federal government for use in computer systems by non-military government agencies and government contractors.
FIPS 199—Establishes security categories of information systems used by the federal government.
FIPS 200—Mandatory security standards for government systems.
Our first item is the information technology infrastructure library (ITIL). ITIL provides a framework for identifying, planning, delivering, and supporting IT services for business.
The IT Governance Institute has developed a process that begins with setting objectives for the enterprise’s IT, providing the initial direction and then evolving into a continuous loop.
ITIL presents a service lifecycle that includes
Continual service improvement
Next up are some of the standards from the International Organization for Standardization that a CISSP should be familiar with:
ISO 27001—This standard describes requirements on how to establish, implement, operate, monitor, review, and maintain an information security management system (ISMS); it is based on British Standard 7799.
ISO 27002—This standard is considered a code of practice that describes ways to develop a security program within the organization.
ISO 27003—This standard focuses on implementation.
ISO 27004—This standard is a standard for information security measurements.
ISO 27005—This standard describes how to implement solutions based on risk management.
ISO 27799—This standard describes how to protect personal health information.
ISO 9001 is a quality management standard that has widespread support and attention. ISO 9001 describes how production processes are to be managed and reviewed. It is not a standard of quality; it is about how well a system or process is documented. Companies that wish to obtain 9001 certification will need to perform a gap analysis to determine areas that need improvement. ISO 9001 is actually six documents that specify:
Control of Documents
Control of Records
Control of Non-conforming Product
Being ISO-certified means that the organization has the capability to provide products that meet specific requirements, and includes a process for continual improvement. It may also have a direct bearing on an audit as it places strong controls on documented procedures. Another ISO standard that the auditor should be aware of is ISO 17799. 17799 provides the best practice guidance on information security management. It is divided into 12 main sections:
Risk assessment and treatment
Organization of information security
Human Resources security
Physical and environmental security
Communications and operations management
Information systems acquisition, development, and maintenance
Information security incident management
Business continuity management
Finally, let’s review a couple of European documents:
10 Steps to Cyber Security—Detailed cyber-security information and advice across 10 critical technical and procedural areas. Created by CESG, the information security arm of GCHQ, and the National Technical Authority for Information Assurance within the United Kingdom.
Cybersecurity Strategy of the European Union—This document was developed by the European Union; it describes their approach to preventing and responding to cyber-security attacks.