Small Business Susan

Compliance resources – ITPro2012

During the session on compliance I talked about some resources that I was going to blog about, and here they are:

http://events.qualys.com/PCI-DSS-Webcasts
· Compliance
  a. In general, compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that corporations or public agencies aspire to in their efforts to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.
· What
  a. rule?
  b. law?
  c. regulatory body?
  d. agency?
  e. jurisdiction?
  f. enforcement?
· Alphabet soup of compliance – Cloud
  a. SOC 1/SSAE16/ISAE 3402 (takes the place of SAS 70 Type II)
     i. (Hint: if your cloud provider says they are SAS 70 compliant, that’s the old rules – they are not up to date)
  b. FISMA (Federal Information Security Management Act)
  c. FISMA Moderate
  d. PCI DSS Level 1
     i. Credit cards
     ii. And this makes you secure, right?
  e. ISO 27001
     i. Widely adopted global security standard
  f. International Traffic in Arms Compliance
  g. FIPS 140-2
  h. Specified cryptographic modules
  i. HIPAA
  j. Cloud Security Alliance consensus assessments
  k. FERPA (Federal Educational Rights and Privacy Act)
  l. Criminal Justice Information Security policies
  m. EU Safe Harbor
  n. EU Model Clauses
  o. Transfer of Data
  p. Data Processing Agreements
  q. Service Level Agreements

· Premise compliance
  a. PCI-DSS
     i. What level?
     ii. In SMB?
     iii. Real world guidance
     iv. http://social.technet.microsoft.com/wiki/contents/articles/853.adjustments-for-pci-dss-scan.aspx
     v. Most detailed of all the compliance regs
     vi. Recommend: moving credit cards away from SBS 2003
  b. GLBA
     i. The Safeguards Rule requires financial institutions to develop a written information security plan that describes how the company is prepared for, and plans to continue to protect, clients’ nonpublic personal information.
  c. SOX
     i. Section 302 of Sarbanes-Oxley requires that a publicly traded company’s CEO and chief financial officer must vouch for the accuracy of the company’s financial reports, including certifying that its internal controls – such as who has access to financial records, systems and reports – are effective.
  d. PIPEDA
  e. Canadian – Personal Information Protection and Electronic Documents Act
  f. HIPAA/HITECH (Health Information Technology for Economic and Clinical Health Act)
  g. Accelerate Electronic Health Care records
· Regulations are intentionally vague
· Privacy compliance
  a. EU rules typically more strict
  b. Cookie laws
· Local regulation compliance
· Data breach notification
  a. First – California SB1386
  b. Forty-six states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
  c. http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx

https://www.pcisecuritystandards.org/