framework, follows a set of information assurance architecture principles; Table 2.2 provides a list of fundamental IA² principles.
2.8 IA Compliance Requirements
Compliance requirements include legislative, regulatory, and other mandates on the organization. These mandates may be externally imposed (e.g., legislation) or internally imposed (e.g., selection of an industry standard to guide organizational practices, like ISO 9001 for quality management). Both the externally imposed legislation and the internally imposed standard become part of a compliance management process. A Compliance Management Framework consists of the following categories:

- External
  - Explicit
  - Implicit
- Internal
  - Explicit
  - Implicit
External explicit compliance requirements include those directly applicable to the organization. For a health care organization, this may include the Health Insurance Portability and Accountability Act (HIPAA). For a publicly traded company in the United States, this may include Sarbanes-Oxley (SOX). An example of an external implicit requirement is Chapter 8 of the Federal Sentencing Guidelines, “Sentencing of Organizations.” Following the specifications in this guideline can reduce organizational culpability in the event of litigation. Reducing culpability means reducing potential fines and potential jail time for officers. Understanding and including the details from the Federal Sentencing Guidelines in the compliance management program is good business practice to reduce the potential effects of litigation.
Internal compliance requirements are those requirements the organization generates itself or imposes upon itself. These may be internal SLAs, contractual obligations, or a self-imposed security standard (e.g., ISO 27001 or ISO 27002). A comprehensive compliance management program identifies, enumerates, and articulates all relevant compliance requirements, whether externally or internally imposed.
IA compliance requirements include legal and regulatory requirements, local policies, and project-specific documents related to the creation of an information assurance solution. IA² compliance requirements consist of documents that include requests for proposal (RFPs); laws, regulations, and guidelines (e.g., FISMA, NIST,

Footnote: ISO 27002 is the new reference for the standard formerly known as ISO 17799.