Security Awareness
  • 1. Information Security Awareness: It’s the Law (SJSU)
  • 2.
    • Employers are required to provide awareness training on information security.
    • Employees must understand the legal requirements of information security.
  • 3. This is a short recap of applicable laws and regulations. It is intended to show that information security is a serious legal matter.
  • 4. 4 Main Laws: what they are about.
  • 5. 1. SOA (Sarbanes-Oxley Act)
    • Purpose of SOA: To prevent fraud.
    • The CEO and CFO must personally certify the periodic financial disclosures and the integrity (security) of the information behind them.
    • Information technology professionals are held accountable for the internal controls around financial reporting.
  • 6. (cont’d)
    • Passed in response to a number of major corporate and accounting scandals involving prominent companies in the United States.
    • Requires corporations to choose a recognized framework on which to base their internal controls.
  • 7. 2. GLB (Gramm-Leach-Bliley Act)
    • Organizations must develop and implement an information security program appropriate to their size, nature and the sensitivity of their information.
    • To ensure the security and confidentiality of customer data.
    • To protect against any reasonably anticipated threats or hazards to the security or integrity of such data.
    • To protect against unauthorized access to or use of such data that would result in substantial harm or inconvenience to any customer.
  • 8. 3. CSA (Computer Security Act)
    • Purpose of CSA: To improve security and privacy of sensitive information in Federal computer systems.
    • Federal agencies must provide mandatory periodic training in computer security awareness.
  • 9. 4. FISMA (Federal Information Security Management; not to be confused with the FISMA audit)
    • Purpose of FISMA: To protect the government’s information, operations and assets, based on a comprehensive framework.
    • Requires agency officials (e.g. CFO) to conduct annual reviews of the agency’s information security program then report findings to OMB.
  • 10. 4 Main Standards
  • 11. 1. ISO/IEC 17799:2000 (International Standards Organization / International Electrotechnical Organization)
    • Purpose of ISO/IEC 17799: To address topics in terms of policies and general good practices.
    • To establish a code of practice, via guidelines and how-to’s, for the areas currently considered important when implementing or maintaining information security management.
  • 12. (cont’d)
    • To provide a management standard that deals with an audit of the non-technical issues relating to installed IT systems.
    • ISO/IEC standards are used for IT compliance to Sarbanes-Oxley.
    • ISO/IEC 17799 is not designed to support an in-depth organizational information security review.
  • 13. 2. COSO (Committee of Sponsoring Organization)
    • Implication of COSO: Full assessment of information security risk must be done.
    • SEC recommended COSO’s internal control framework as a basis for interpretation and enforcement of Sarbanes-Oxley.
    • Specifically requires that a formal risk assessment be performed to evaluate the internal and external factors that affect an organization’s performance.
    • COSO standards are used for IT compliance to Sarbanes-Oxley.
  • 14. 3. COBIT (Control Objectives for Information Technology)
    • Purpose of COBIT: To emphasize the IT perspective of COSO’s framework.
    • A comprehensive approach for managing risk and control of information technology.
    • COBIT standards are used for IT compliance to Sarbanes-Oxley.
  • 15. 4. NIST (National Institute of Standards and Technology)
    • Purpose of NIST: To develop and apply technology, measurement and standards.
    • Computer Research Center at NIST focuses on 4 major areas:
      • Cryptographic Standards and Applications
      • Security Testing
      • Security Research / Emerging Technologies
      • Security Management and Guidance
    • NIST standards are used for IT compliance to Sarbanes-Oxley.
  • 16. Other applicable standards regulating information security:
  • 17. 1. OMB Circular No. A-130
    • Purpose of OMB Circular No. A-130: To establish policies and guidelines for the management of information resources.
    • To provide a minimum set of controls to be included in automated information security programs.
    • The rules should be in writing and will form the basis for security awareness training.
  • 18. 2. HIPAA (Health Insurance Portability and Accountability)
    • Purpose of HIPAA:
      • To protect the confidentiality, integrity and availability of individuals’ information by controlling and monitoring access to it.
      • To develop security standards that prevent unauthorized use, whether inadvertent or intentional.
  • 19. Information security is about protecting individual privacy and preventing identity theft. It is a job requirement – and it is the Law.
  • 20. Recap: List of Laws & Regulations:
    • SOA (Sarbanes-Oxley Act)
    • GLB (Gramm-Leach-Bliley Act)
    • CSA (Computer Security Act)
    • FISMA (Federal Information Security Management)
    • ISO/IEC 17799:2000
    • COSO (Committee of Sponsoring Organization)
    • COBIT (Control Objectives for Information Technology)
    • NIST (National Institute of Standards and Technology)
    • OMB Circular No. A-130
    • HIPAA (Health Insurance Portability and Accountability)
  • 21. End