CHAPTER 3 Understanding and Maintaining Compliance
by Darril Gibson,
Andy Igonor
Managing Risk in Information Systems, 3rd Edition
- Cover
- Title Page
- Copyright Page
- Brief Contents
- Contents
- Dedication
- Preface
- Acknowledgments
- About the Authors
- CHAPTER 1 Risk Management Fundamentals
- CHAPTER 2 Managing Risk: Threats, Vulnerabilities, and Exploits
- CHAPTER 3 Understanding and Maintaining Compliance
- U.S. Compliance Laws
- Regulations Related to Compliance
- Organizational Policies for Compliance
- Standards and Guidelines for Compliance
- Payment Card Industry Data Security Standard
- National Institute of Standards and Technology
- Generally Accepted Information Security Principles
- Control Objectives for Information and Related Technology
- International Organization for Standardization
- International Electrotechnical Commission
- Information Technology Infrastructure Library
- Capability Maturity Model Integration
- General Data Protection Regulation
- Department of Defense Information Assurance Certification and Accreditation Process
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 3 ASSESSMENT
- CHAPTER 4 Developing a Risk Management Plan
- Objectives of a Risk Management Plan
- Scope of a Risk Management Plan
- Assigning Responsibilities
- Describing Procedures and Schedules for Accomplishment
- Reporting Requirements
- Plan of Action and Milestones
- Charting the Progress of a Risk Management Plan
- Steps of the NIST Risk Management Framework
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 4 ASSESSMENT
- CHAPTER 5 Defining Risk Assessment Approaches
- CHAPTER 6 Performing a Risk Assessment
- Selecting a Risk Assessment Methodology
- Identifying the Management Structure
- Identifying Assets and Activities Within Risk Assessment Boundaries
- Identifying and Evaluating Relevant Threats
- Identifying and Evaluating Relevant Vulnerabilities
- Identifying and Evaluating Controls
- Selecting a Methodology Based on Assessment Needs
- Developing Mitigating Recommendations
- Presenting Risk Assessment Results
- Best Practices for Performing Risk Assessments
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 6 ASSESSMENT
- CHAPTER 7 Identifying Assets and Activities to Be Protected
- System Access and Availability
- System Functions: Manual and Automated
- Hardware Assets
- Software Assets
- Personnel Assets
- Data and Information Assets
- Asset and Inventory Management Within the Seven Domains of a Typical IT Infrastructure
- Identifying Facilities and Supplies Needed to Maintain Business Operations
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 7 ASSESSMENT
- CHAPTER 8 Identifying and Analyzing Threats, Vulnerabilities, and Exploits
- Threat Assessments
- Vulnerability Assessments
- Review of Documentation
- Review of System Logs, Audit Trails, and Intrusion Detection and Prevention System Outputs
- Vulnerability Scans and Other Assessment Tools
- Audits and Personnel Interviews
- Process Analysis and Output Analysis
- System Testing
- Best Practices for Performing Vulnerability Assessments Within the Seven Domains of a Typical IT Infrastructure
- Exploit Assessments
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 8 ASSESSMENT
- CHAPTER 9 Identifying and Analyzing Risk Mitigation Security Controls
- CHAPTER 10 Planning Risk Mitigation Throughout an Organization
- Where Should an Organization Start with Risk Mitigation?
- What Is the Scope of Risk Management for an Organization?
- Understanding and Assessing the Impact of Legal and Compliance Issues on an Organization
- Translating Legal and Compliance Implications for an Organization
- Assessing the Impact of Legal and Compliance Implications on the Seven Domains of a Typical IT Infrastructure
- Assessing How Security Countermeasures, Controls, and Safeguards Can Assist With Risk Mitigation
- Understanding the Operational Implications of Legal and Compliance Requirements
- Identifying Risk Mitigation and Risk Reduction Elements for the Entire Organization
- Performing a Cost-Benefit Analysis
- Best Practices for Planning Risk Mitigation Throughout an Organization
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 10 ASSESSMENT
- CHAPTER 11 Turning a Risk Assessment into a Risk Mitigation Plan
- Reviewing the Risk Assessment for the IT Infrastructure
- Translating a Risk Assessment into a Risk Mitigation Plan
- Prioritizing Risk Elements That Require Risk Mitigation
- Verifying Risk Elements and How They Can Be Mitigated
- Performing a Cost-Benefit Analysis on the Identified Risk Elements
- Implementing a Risk Mitigation Plan
- Following Up on the Risk Mitigation Plan
- Best Practices for Enabling a Risk Mitigation Plan from the Risk Assessment
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 11 ASSESSMENT
- CHAPTER 12 Mitigating Risk with a Business Impact Analysis
- What Is a Business Impact Analysis?
- Defining the Scope of the Business Impact Analysis
- Objectives of a Business Impact Analysis
- Steps of a Business Impact Analysis Process
- Identifying Mission-Critical Business Functions and Processes
- Mapping Business Functions and Processes to IT Systems
- Best Practices for Performing a BIA for an Organization
- CHAPTER SUMMARY
- KEY CONCEPTS AND TERMS
- CHAPTER 12 ASSESSMENT
- CHAPTER 13 Mitigating Risk with a Business Continuity Plan
- CHAPTER 14 Mitigating Risk with a Disaster Recovery Plan
- CHAPTER 15 Mitigating Risk with a Computer Incident Response Team Plan
- APPENDIX A Answer Key
- APPENDIX B Standard Acronyms
- Glossary of Key Terms
- References
- Index
© Sai Chan/Shutterstock
Understanding and Maintaining Compliance |
CHAPTER |
MANY LAWS AND REGULATIONS ARE IN PLACE regarding the protection of information technology (IT) systems, and this legal protection is particularly important today when companies are moving their data to the cloud. Although the move to the cloud makes it possible for companies to do business in different countries, it also creates challenges around meeting different compliance requirements. Understanding and maintaining security, privacy, and compliance is therefore critical. Companies have a requirement to comply with the laws that apply to them. The first step in complying with laws is to understand them. No one is expected to be a lawyer, but everyone should understand the basics of relevant laws.
After gaining an idea of which laws and regulations apply, IT security personnel can then dig deeper to ensure their organization is in compliance. The cost of not complying can be expensive. Fines can be in the hundreds of thousands of dollars, and some offenses can result in jail time. For companies, the public shame of not complying can lead to a bad reputation, which can cost them their business.
Chapter 3 Topics
This chapter covers the following topics and concepts:
- What U.S. compliance laws exist
- What some relevant regulations related to compliance are
- What organizational policies for compliance should be considered
- What standards and guidelines for compliance exist
Chapter 3 Goals
When you complete this chapter, you will be able to:
- Define compliance
- Describe the purpose of the Federal Information Security Management Act (FISMA)
- Identify the purpose and scope of the Health Insurance Portability and Accountability Act (HIPAA)
- Describe the Gramm-Leach-Bliley Act (GLBA) and the Sarbanes-Oxley Act of 2002 (SOX) and their impact on IT
- Describe the purpose of the Family Educational Rights and Privacy Act (FERPA)
- Identify the purpose and scope of the Children’s Internet Protection Act (CIPA)
- List federal entities that control regulations related to IT
- Describe the purpose of the Payment Card Industry Data Security Standard (PCI DSS)
- Describe the contents of SP 800-30, Guide for Conducting Risk Assessments
- Describe the purpose of the Control Objectives for Information and Related Technologies (COBIT)
- Describe the purpose of the International Organization for Standardization (ISO) and identify relevant security standards
- Identify the purpose of the Information Technology Infrastructure Library (ITIL)
- Identify the purpose of Capability Maturity Model Integration (CMMI)
- Describe the purpose of the General Data Protection Regulation (GDPR)
-
No Comment
..................Content has been hidden....................
You can't read the all page of ebook, please click here login for view all page.