
Table 1 Information Security Architecture Based on ISO 17799 and Partial GLBA

12. COMPLIANCE

12.1 Compliance with Legal Requirements
All relevant requirements for each IT system should be identified and documented.

12.1.1 Identification of Applicable Legislation   Y __ N __
Implement standards to ensure that all relevant statutory, regulatory, and contractual requirements are specifically defined and documented for each information system.
Responsible area: Applications and Systems

12.1.2 Intellectual Property Rights   Y __ N __
Implement standards to ensure compliance with legal restrictions on the use of copyright material, ensuring that only software developed by the organization, or licensed or provided by the developer to the organization, is used.
Responsible area: IS Organization

12.1.3 Safeguarding of Organizational Records   Y __ N __
Implement policies and standards to ensure that important organizational records are securely maintained to meet statutory requirements, as well as to support essential business activities.
Responsible area: Records Management

12.1.4 Data Protection and Privacy of Personal Information   Y __ N __
Implement standards to ensure that applications that process personal data on individuals comply with applicable data protection legislation.
Responsible area: Applications and IS Organization

12.1.5 Prevention of Misuse of Information Processing Facilities   Y __ N __
Implement policies to ensure that IT facilities are used only for business purposes.
Responsible area: Operations

12.1.6 Cryptographic Controls   Y __ N __
Ensure that legal advice is sought on the organization's compliance with national and international laws on cryptographic controls.
Responsible area: Organization

12.1.7 Collection of Evidence   Y __ N __
Implement standards and procedures to ensure that when conducting an investigation, the rules for evidence are followed for admissibility, quality, and completeness.
Responsible area: Physical Security and ERT

12.2 Reviews of Security Policy and Technical Compliance
To ensure compliance of IT systems with organizational security policies and standards, compliance reviews should be conducted regularly.

12.2.1 Compliance with Security Policy   Y __ N __
Implement standards to ensure that all areas within the organization are considered for regular review to ensure compliance with security policies and standards.
Responsible area: IS Steering Committee and Mission Statements

12.2.2 Technical Compliance Checking   Y __ N __
Implement standards to ensure that IT facilities are regularly checked for compliance with security implementation standards.
Responsible area: Mission Statements and IS Organization

12.3 System Audit Considerations
There should be controls over operational systems and audit tools during system audits to minimize interference to and from the system audit process, and to protect the integrity and prevent the misuse of audit tools.

12.3.1 System Audit Controls   Y __ N __
Implement standards to ensure audits and activities involving checks on operational systems are carefully planned and arranged.
Responsible area: Mission Statements

12.3.2 Protection of System Audit Tools   Y __ N __
Implement standards and procedures to restrict access to system audit tools.
Responsible area: Operations

This compliance plan will include the migration to the standard operating systems. However, some areas (marketing, for one) may present to management a business case for remaining outside the organization's operating requirements. If this is approved, it will be necessary to meet with the non-standard business unit or group and perform a gap analysis between their environment and the organization's requirements.

Just because a unit or group is not using standard equipment or current-level operating systems does not absolve them of the responsibility to be compliant with the information security standards. If there are standards that they cannot meet based on their hardware or software, then they must present alternative controls and standards. All activities must be documented so that all business units can be audited or reviewed for compliance to agreed-upon standards.

Your information security standards document is intended to be a living, dynamic instrument. It is to be managed by the Information Security staff, and all requests for changes, amendments, and additions must be made in writing to the IS Manager.

It will be necessary to implement version control and, where sufficient changes have been received, a full reissue should occur. All requests for changes must be circulated to the specific SME for review and comment. Once approval has been received from the SME, the standard should be updated and sent to the user community. To help with version control, an online document available on the enterprise intranet is highly recommended. It will be necessary to notify the user community when changes are made; however, this may become a daily occurrence. It is recommended that regularly scheduled update procedures be established to send notification of the changes to the users. This is typically done quarterly, but in some instances it can be done immediately if conditions warrant.

SUMMARY

Standards are used to support the Tier 1 and Tier 2 policies. They must have support from management to be effective and they must be practical. Use the existing national and international standards and business or agency regulations to form the basis for standards. It is much easier to get standards accepted if you can track them to a specific regulation.

Writing a standard is often difficult because the language must at times be severe: "Managers must…" or "failure to comply will result in disciplinary action." We live in an era of political correctness, and we often want to soften the language so as not to offend anyone. The only entity that will be offended is the organization, if the standards are not properly implemented and supported by management. Make certain that the readers know exactly what is expected and what the consequences will be if they or their business units are found to be noncompliant.

Remember that standards are mandatory, and will impact the organization and the way it conducts its affairs. Use them to support the policies—not to punish the user community. Check standards to make certain they are still effective.

All standards will “cost” the organization something. It could be budget dollars to implement or it could be turn-around time or system response time. All standards will cost the organization, so select only the level of controls necessary to allow the organization to meet its objectives in a safe operating environment. Many times, we discuss the concept of “least privilege,” meaning that a user is granted only the minimum level of access necessary to perform his or her job function. A variation on this concept is the implementation of a “least intrusive” standard: implement only that level of standard necessary to secure the information or transaction.

The most secure computer system is one that is turned off, unplugged, locked away, and encased in cement. While a system like this is secure, it will probably impact department productivity in some manner. The security professional must understand that for information to be of any value, it must be available and shared with those having a business need. Standards must support the objectives of sharing information as securely as possible.