8.4.2 IA² Perspective
Compliance requirements are part of what defines business drivers. The IA² perspective considers compliance management an integral part of managing business risk. Specifics under compliance management include identifying and articulating management responsibilities and liabilities, performing compliance assessments, and generating appropriate policies. Identifying legal obligations and establishing policy through tracking mechanisms to ensure organizational compliance with these legal obligations goes a long way in minimizing organizational culpability, officer culpability, and the potential for fines and jail time.
8.5 IA Assessment and Audit
The assessment process starts with examining the existence and adequacy of X, where X is policy, procedures, operations, technical infrastructure, controls, security infrastructure, etc. This is an assessment of X, including what X is, what it does, how many there are, where they are, plus the security controls or security information relevant to X; this is the as-is state of X. Determining or defining the compliance requirements for X provides the to-be state of X. A gap analysis highlights the differences between as-is and to-be. A remediation plan provides direction on how to close the gap between as-is and to-be. Following execution of the remediation plan, an audit of X should verify that the controls work as intended; this is a form of compliance verification.
The relevant compliance requirements and security standards drive the details of audits and assessments. A general security assessment may use ISO 27002 to define the to-be state; a specific security assessment may address a particular compliance requirement. Variations of standards like ISO 27002, NIST, IEEE, and others attempt to provide compliance guidelines for specific legislation; in many cases, an aggregation of pieces of multiple standards is the solution. With respect to standards, one-size-fits-all typically doesn't. There are many compliance requirements that are subject to audit:
- Sarbanes-Oxley Act of 2002
- Health Insurance Portability and Accountability Act (HIPAA) of 1996
- The Gramm-Leach-Bliley Act of 1999
- Federal Information Security Management Act (FISMA) requirement for civilian federal government use of NIST standards that imply the need for certification and accreditation (C&A)
Footnote: ISO 27002 was formerly called ISO 17799.