Week 2 Discussion Posting
CHAPTER 3
Understanding and Maintaining Compliance
Copyright © 2022 by Jones & Bartlett Learning, LLC an Ascend Learning Company. www.jblearning.com.
Learning Objective(s) and Key Concepts
Learning Objective(s):
Identify compliance laws, standards, best practices, and policies of risk management.
Key Concepts:
Compliance laws that affect information technology (IT) systems
Regulations related to compliance
Organizational policies for compliance
Standards and guidelines for compliance
U.S. Compliance Laws
Federal Information Security Modernization Act (FISMA)
Health Insurance Portability and Accountability Act (HIPAA)
Gramm-Leach-Bliley Act (GLBA)
Sarbanes-Oxley Act (SOX)
Family Educational Rights and Privacy Act (FERPA)
Children’s Internet Protection Act (CIPA)
Children’s Online Privacy Protection Act (COPPA)
U.S. Compliance Laws and Their Applicability
| Law | Applicability |
| --- | --- |
| FISMA | Federal agencies (and contractors operating systems on their behalf) |
| HIPAA | Any organization handling medical data |
| GLBA | Financial institutions: banks, brokerage companies, and insurance companies |
| SOX | All publicly traded companies |
| FERPA | Educational institutions |
| CIPA | Schools and libraries using E-Rate discounts |
| COPPA | Websites or online services directed at children under 13 that collect personal information from them |
Health Insurance Portability and Accountability Act (HIPAA)
Covers any organization that handles protected health information (PHI):
Medical facilities
Insurance companies
Any company with a health plan if employees handle health data
HIPAA compliance process:
Assessment
Risk analysis
Plan creation
Plan implementation
Continuous monitoring
Gramm-Leach-Bliley Act (GLBA)
Also known as the Financial Services Modernization Act
Most of GLBA relates to how banking and insurance institutions can merge; two rules apply to information security:
Financial Privacy Rule
Requires companies to notify customers about their privacy practices
Explains how the bank or company collects and shares customer data
Safeguards Rule
Requires companies to have a written security plan to protect customer information
Ensures data isn't released without authorization; ensures data integrity
Companies must use a risk management plan and provide security training
Sarbanes-Oxley (SOX) Act
Applies to publicly traded companies
Designed to hold company executives and board members personally responsible for the accuracy of financial data
Chief executive officers (CEOs) and chief financial officers (CFOs) must:
Personally certify the accuracy of financial statements (Section 302)
Be able to prove the statements are accurate through documented, tested internal controls over financial reporting (Section 404)
Family Educational Rights and Privacy Act (FERPA)
Protects the privacy of student records, which include education and health data
Applies to all schools that receive funding from the U.S. Department of Education:
State or local educational agencies
Institutions of higher education
Community colleges
Schools or agencies that offer a preschool program
All other educational institutions
For students under 18, a parent can inspect records and request corrections; these rights transfer to the student at age 18 or on enrollment in a postsecondary institution
Protects student personally identifiable information (PII)
Children’s Internet Protection Act (CIPA)
Designed to limit access to offensive content from school and library computers
Covers schools and libraries that receive funding from the E-Rate program
Requires schools and libraries to block or filter Internet access to pictures that are obscene or harmful to minors
Requires schools and libraries to:
Adopt and enforce a policy to monitor online activity of minors
Implement an Internet safety policy that addresses:
Access by minors to inappropriate content
Safety and security of minors when using email and chat rooms
Unauthorized access
Unlawful activities by minors online
Unauthorized use of minors’ personal information
Measures restricting minors’ access to harmful materials
Children’s Online Privacy Protection Act (COPPA)
Designed to protect the privacy of children under 13
Operators of websites and online services must obtain verifiable parental consent before collecting or using personal information from children under 13
The COPPA Rule spells out:
Required contents of the privacy policy
When and how to seek verifiable consent from a parent or guardian
Responsibilities of a website operator regarding children’s privacy and safety online, including restrictions on the types and methods of marketing that target those under 13
Regulations Related to Compliance
U.S. Compliance Regulatory Agencies
Securities and Exchange Commission (SEC)
Federal Trade Commission (FTC), organized into three bureaus:
Bureau of Consumer Protection: protects consumers
Bureau of Competition: prevents anticompetitive practices
Bureau of Economics: evaluates the economic impact of FTC actions
Federal Deposit Insurance Corporation (FDIC)
Department of Homeland Security (DHS)
State Attorney General (AG)
U.S. Attorney General (U.S. AG)
Organizational Policies for Compliance
Fiduciary
Refers to a relationship of trust
Could be a person who is trusted to hold someone else’s assets
The trusted person has the responsibility to act in the other person’s best interests and avoid conflicts of interest
Examples of trust relationships:
An attorney and a client
A CEO and a board of directors
Shareholders and a board of directors
A fiduciary is expected to take extra steps:
Due diligence
Due care
Organizational policy could include:
Mandatory vacations
Job rotation
Separation of duties
Acceptable use
Mandatory vacations, job rotation, and separation of duties are fraud controls: no single person holds a role long enough, or with enough unchecked authority, to commit and conceal abuse.
Standards and Guidelines for Compliance
Payment Card Industry Data Security Standard (PCI DSS)
National Institute of Standards and Technology (NIST)
Generally Accepted Information Security Principles (GAISP)
Control Objectives for Information and Related Technology (COBIT)
International Organization for Standardization (ISO)
International Electrotechnical Commission (IEC)
Information Technology Infrastructure Library (ITIL)
Capability Maturity Model Integration (CMMI)
General Data Protection Regulation (GDPR)
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
Payment Card Industry Data Security Standard (PCI DSS)
Created by the Payment Card Industry Security Standards Council (PCI SSC), founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.
Key pieces of cardholder data it protects:
Cardholder name
Credit card number (primary account number, PAN)
Expiration date
Security code (CVV/CVC; sensitive authentication data that must never be stored after authorization)
Any merchant or service provider that stores, processes, or transmits cardholder data is required to comply
Payment Card Industry Data Security Standard (Cont.)
| Goals | Process Steps |
| --- | --- |
| Build and maintain a secure network that is PCI compliant | Install and maintain a firewall; do not use vendor defaults, such as default passwords |
| Protect cardholder data | Protect stored data; encrypt transmissions across open, public networks |
| Maintain a vulnerability management program | Use and update antivirus software; develop and maintain secure systems |
| Implement strong access control measures | Restrict access to data; use unique logins for each user; don’t share usernames and passwords; restrict physical access |
| Regularly monitor and test networks | Track and monitor all access to systems and data; regularly test security |
| Maintain an information security policy | Maintain a security policy |
Payment Card Industry Data Security Standard (Cont.)
PCI DSS compliance is a continuous cycle, not a one-time audit:
Assess: identify cardholder data and the assets and processes that handle it, and analyze them for vulnerabilities
Remediate: fix the vulnerabilities found
Report: document the results for the acquiring bank and card brands
National Institute of Standards and Technology (NIST)
Promotes U.S. innovation and competitiveness
Hosts the Information Technology Laboratory (ITL), which publishes the Special Publication (SP) 800 series on computer security, for example SP 800-30: Guide for Conducting Risk Assessments
FISMA compliance for federal systems is measured against NIST publications, chiefly the SP 800-53 security control catalog
Generally Accepted Information Security Principles (GAISP)
Includes two major sections:
Pervasive principles
Broad functional principles
Control Objectives for Information and Related Technology (COBIT)
Published by ISACA; the five principles of COBIT 5:
Meet stakeholder needs
Cover the enterprise end to end
Apply a single integrated framework
Enable a holistic approach
Separate governance from management
Adapted from COBIT 5 for Risk ©2013 ISACA. All rights reserved. Used with permission.
International Organization for Standardization (ISO)
ISO/IEC 27002: Information technology, security techniques, code of practice for information security controls
ISO 31000: Risk management, principles and guidelines
ISO Guide 73: Risk management vocabulary
International Electrotechnical Commission (IEC)
IEC’s stated objectives:
Meet the requirements of the global market
Ensure maximum use of its standards
Assess and improve products and services covered by its standards
Aid in interoperability of systems
Increase the efficiency of processes
Aid in improvement of human health and safety
Aid in protection of the environment
Information Technology Infrastructure Library (ITIL)
ITIL (v3) service life cycle:
Service Strategy
Service Design
Service Transition
Service Operation
Continual Service Improvement
Capability Maturity Model Integration (CMMI)
Primary areas of interest:
Product and service development
Service establishment, management, and delivery
Product and service acquisition
Maturity levels (lowest to highest):
Level 0: Nonexistent
Level 1: Initial
Level 2: Managed
Level 3: Defined
Level 4: Quantitatively Managed
Level 5: Optimized
General Data Protection Regulation (GDPR)
Regulates how organizations protect the personal data of individuals in the European Union (EU) and the European Economic Area (EEA)
Applies to any business, wherever it is located, that processes the personal data of individuals in the EU or EEA
Key changes when GDPR took effect in May 2018:
Increased territorial scope (extraterritorial applicability)
Penalties (fines of up to 4 percent of global annual turnover or 20 million euros, whichever is higher)
Consent (must be freely given, specific, informed, and unambiguous)
Data subject rights (including access, rectification, erasure, and data portability)
Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)
Phase 1: Initiate and Plan
Phase 2: Implement and Validate
Phase 3: Make Certification and Accreditation Decisions
Phase 4: Maintain ATO/Review
Phase 5: Decommission
DIACAP was superseded in 2014 by the DoD Risk Management Framework (RMF) under DoDI 8510.01, which adopts the NIST SP 800-37 process
Summary
Compliance laws that affect information technology (IT) systems
Regulations related to compliance
Organizational policies for compliance
Standards and guidelines for compliance
10/8/2020