Security Awareness

  1. Information Security Awareness: It’s the Law (SJSU)
  2. Employers are required to provide Awareness Trainings on information security.
     - Employees must understand the legal requirements of information security.
  3. This is a short recap of applicable Laws and Regulations. It is intended to show that information security is a serious legal matter.
  4. 4 Main Laws: what they are about.
  5. 1. SOA (Sarbanes-Oxley Act)
     - Purpose of SOA: To prevent fraud.
     - CEO and CFO must personally certify the periodic financial disclosures and information integrity (security).
     - Information technology professionals have effective accountability in internal controls around the financial reporting.
  6. (cont’d)
     - Passed in response to a number of major corporate and accounting scandals involving prominent companies in the United States.
     - Requires corporations to choose a recognized framework on which to base their internal controls.
  7. 2. GLB (Gramm-Leach-Bliley Act)
     - Organization must develop and implement an appropriate information security program based upon size, nature and sensitivity of organization.
     - To insure the security & confidentiality of customer data.
     - To protect against any reasonably anticipated threats or hazards to the security or integrity of such data.
     - To protect against unauthorized access to or use of such data that would result in substantial harm or inconvenience to any customer.
  8. 3. CSA (Computer Security Act)
     - Purpose of CSA: To improve security and privacy of sensitive information in Federal computer systems.
     - Must provide mandatory periodic training in computer security awareness.
  9. 4. FISMA (Federal Information Security Management) (not to be confused with the FISMA audit)
     - Purpose of FISMA: To protect the government’s information, operations and assets, based on a comprehensive framework.
     - Requires agency officials (e.g. CFO) to conduct annual reviews of the agency’s information security program, then report findings to OMB.
  10. 4 Main Standards
  11. 1. ISO/IEC 17799:2000 (International Standards Organization / International Electrotechnical Organization)
     - Purpose of ISO/IEC 17799: To address topics in terms of policies and general good practices.
     - To establish a code of practices via guidelines and how-to’s for areas currently considered important when implementing or maintaining information security management.
  12. (cont’d)
     - To provide a management standard that deals with an audit of the non-technical issues relating to installed IT systems.
     - ISO/IEC standards are used for IT compliance to Sarbanes-Oxley.
     - ISO/IEC 17799 is not designed to support an in-depth organizational information security review.
  13. 2. COSO (Committee of Sponsoring Organization)
     - Implication of COSO: Full assessment of information security risk must be done.
     - SEC recommended COSO’s internal control framework as a basis for interpretation and enforcement of Sarbanes-Oxley.
     - Specifically requires a formal risk assessment be performed to evaluate the internal and external factors that impact an organization’s performance.
     - COSO standards are used for IT compliance to Sarbanes-Oxley.
  14. 3. COBIT (Control Objectives for Information Technology)
     - Purpose of COBIT: To emphasize the IT perspective of COSO’s framework.
     - A comprehensive approach for managing risk and control of information technology.
     - COBIT standards are used for IT compliance to Sarbanes-Oxley.
  15. 4. NIST (National Institute of Standards and Technology)
     - Purpose of NIST: To develop and apply technology, measurement and standards.
     - Computer Research Center at NIST focuses on 4 major areas:
       - Cryptographic Standards and Applications
       - Security Testing
       - Security Research / Emerging Technologies
       - Security Management and Guidance
     - NIST standards are used for IT compliance to Sarbanes-Oxley.
  16. Other applicable standards regulating Info Security:
  17. 1. OMB Circular No. A-130
     - Purpose of OMB Circular No. A-130: To establish policies and guidelines for the management of information resources.
     - To provide a minimum set of controls to be included in automated information security programs.
     - The rules should be in writing and will form the basis for security awareness training.
  18. 2. HIPAA (Health Insurance Portability And Accountability)
     - Purpose of HIPAA:
       - To protect the confidentiality, integrity and availability of individuals’ information by controlling and monitoring information access.
       - To develop security standards to prevent unauthorized use, inadvertent or intentional.
  19. Information security is about protecting individual privacy and preventing identity theft. It is a job requirement – and it is the Law.
  20. Recap: List of Laws & Regulations:
     - SOA (Sarbanes-Oxley Act)
     - GLB (Gramm-Leach-Bliley Act)
     - CSA (Computer Security Act)
     - FISMA (Federal Information Security Management)
     - ISO/IEC 17799:2000
     - COSO (Committee of Sponsoring Organization)
     - COBIT (Control Objectives for Information Technology)
     - NIST (National Institute of Standards and Technology)
     - OMB Circular No. A-130
     - HIPAA (Health Insurance Portability and Accountability)
  21. End