Term Paper: Security Regulation Compliance
CIS 438 - Information Security Legal Issues
In this paper I shall provide an overview, to be delivered to senior management, of the regulatory requirements the agency needs to be aware of, including: i. FISMA; ii. the Sarbanes-Oxley Act; iii. the Gramm-Leach-Bliley Act; iv. PCI DSS; v. HIPAA; vi. intellectual property law. I describe the security methods and controls that need to be implemented in order to ensure compliance with these standards and regulatory requirements, and the guidance provided by the Department of Health and Human Services, the National Institute of Standards and Technology ...
Federal Information Security Management Act (FISMA)
According to Weiss, the Federal Information Security Management Act of 2002 (FISMA) is contained within the E-Government Act of 2002, Public Law 107-347, as Title II, and the act affirms the importance of sound information security practices. The purpose of FISMA is therefore to do the following: (1) provide a framework for effective information security resources that support federal operations, data, and infrastructure; (2) accept the interconnectedness of IT and ensure that effective risk management is in place; (3) ensure coordination of information security efforts between the civilian, national security, and law enforcement communities; (4) facilitate the development and ongoing monitoring of required minimum controls to protect federal information systems and data; (5) provide for increased oversight of federal agency information security programs; (6) recognize that information technology solutions may be acquired from commercial organizations, and leave the acquisition decisions to the individual agencies (Weiss, 2011, p. 23).
FISMA requires regulatory bodies within the federal government to: plan for security; ensure that the appropriate and responsible officials are assigned responsibility for security; review security control measures at regular intervals; and authorize the system for processing before it enters operation, and periodically after deployment.
FISMA is divided into three main sections: (1) an annual security reporting requirement (Annual Program Review, by the CIO); (2) an independent evaluation (by the IG); and (3) a corrective action plan for the recovery and remediation of security weaknesses. FISMA requires agencies to submit quarterly reports to OMB on the status of their information security program.
According to the FISMA 2004 Report to Congress, the Office of Personnel Management (OPM) reported a total of 53 systems.
Metrics Reported by Agency CIO:
Effective Security and Privacy Controls (C&A): 98%
Security Costs Included in the System Lifecycle Costs: 34%
Tested Security Controls: 94%
Tested Contingency Plans: 28%
Percentage of Employees Trained in IT Security: 100%
Cost per employee trained: $9.98
Configuration management policies for specific applications are being developed and implemented.
Incident management policies are being implemented.
Ten years later, "a large volume (11 out of 47 systems) of OPM's IT systems operating without a valid Authorization, but several of these systems are among the most critical and sensitive applications owned by the agency" (Michael Esser, OPM's assistant inspector general for audits).
What happened in that span of years to allow the crucial information of an estimated 14 million federal employees to be hijacked?
Sarbanes-Oxley Act (SOX)
SOX (Sarbanes-Oxley) legislation "requires all public companies and public accounting firms to show the auditors the accuracy of their financial reporting. The Act requires...