April 2009

Sun Mon Tue Wed Thu Fri Sat
      1 2 3 4
5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30    

Categories

Archives

Recent Posts

Recent Comments

Subscribe blog

Add to Google

Subscribe in Bloglines

Subscribe in NewsGator Online

Add Uniplus Blog to Newsburst from CNET News.com

Add to My AOL

Subscribe to Uniplus Blog

« What is the Sarbanes-Oxley Act? | Main | How to make sense of your hardware-assisted cryptographic needs. »

November 10, 2006

How to translate regulatory compliance into plain old IT security practices

At the heart of most regulations (SOX, GLBA, HIPAA, PCI, etc) is the intention of protecting the confidentiality, integrity, and availability of information that impacts a corporation's stakeholders. These laws can be distilled down to their essential goals:

  • Establish and implement controls
  • Maintain, protect, and assess compliance issues
  • Identify and remediate vulnerabilities and deviations
  • Provide reporting that can prove your organization's compliance

Let's explore the available best practices that can help IT professionals who have been charged by the CEO, CFO and Audit Committee with making the comany compliant. These best practices can be divided into one of two orientations: process or technology.

  • CobiT, Process Control and Managment, a process standard for PCAOB
  • COSO, Process Enterprise Risk Managent, Used by PCAOB as guide for SOX
  • ITIL, IT Service Process, Detailed process-oriented approach to IT services managment
  • ISO 17799, Technology, Provides guidance on creating an IT security Program
  • NIST SP 800 Series, Detailed IT security implementations adoped by FISMA and FIPS

If your enterprise is embroiled in SOX compliance issues, the best approach would be to use a combination of CobiT and ISO 17799. If your organization is a financial services enterprise trying to meet the requirements of BSA/AML, USA PATRIOT Act, and GLBA, a best approach would be to use ISO 17799 since the FFIEC audit criteria align most closely with it. If your company is working to comply with HIPAA, a blended approach would be the best, with elements of ISO 17799 and the direct requirements of the HIPAA Final Rule from the U.S. Office of Health and Human Services.

If you're not an expert yourself, it isn't easy to figure out which best practice is right for you. That's where IT Security and Compliance specialists can help, by providing you with the least costly method for compliance. The cost reductions come from a deep understanding of all components of all best practices and how they match the requirements of the law or regulation you must comply with.

Posted at 03:24 AM in Security Management |

TrackBack

TrackBack URL for this entry:
http://www.typepad.com/services/trackback/6a00d8342088b153ef00d8356d3fd669e2

Listed below are links to weblogs that reference How to translate regulatory compliance into plain old IT security practices:

Comments

Regulatory compliance

I will read time to time that....

Posted by: Regulatory compliance | December 17, 2009 at 11:59 PM

Verify your Comment

Previewing your Comment

Posted by:  | 

This is only a preview. Your comment has not yet been posted.

Working...
Your comment could not be posted. Error type:
Your comment has been posted. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.

Working...

Post a comment