1. Introduction
Compliance is one of the major issues in information security management, the concern being ”to be sure been evaluated correctly”. Compliance (regulation) is defined as “the act of adhering to, and demonstrating adherence to, a standard or regulation” (Wikipedia.org, 2008) or “Conformity in fulfilling official requirement” (MerriamWebster.com, 2009). Many industries measure compliance with best practices as compliance with ISO 17799 or the NIST Special Publication 800 series. A normal procedure for measuring compliance is to create a checklist and label two elements, finding and compliance, as in the BS 7799.2:2002 Audit Checklist (Thiagarajan, 2003) or the ISO 17799 checklist (Thomas, 2003). The checklist evaluator gives each element a value of 1 (for YES) for compliance and 0 (for NO) for noncompliance, and the final result is measured mathematically as follows:
- “Superior: >95 “yes” answers
- Fair: 82–95 “yes” answers
- Marginal: 68–81 “yes” answers
- Poor: 54–67 “yes” answers
- At Risk: <54 “yes” answers”
Such a model can be summarized mathematically as the sum of these values over all elements, each element being an item in the security checklist.
Another issue is to look at compliance through regulation. As Adler (2006) pointed out, “Self-regulation through the implementation of good security practices was thought to be the way to protect electronic personal information.” In the latter part of the 20th century, “a sectoral approach to information security regulation started to gain favor with the passage of laws protecting health and financial information” (Adler, 2006). Most regulatory compliance is with:
- Health Insurance Portability and Accountability Act (HIPAA) compliance,
- Family Educational Rights and Privacy Act (FERPA)
- Gramm-Leach-Bliley Act (GLBA)
- Payment Card Industry Data Security Standard (PCIDSS)
- Federal Information Security Management Act of 2002 (FISMA)
- OMB M-06-16, which addresses the protection of agency information that is either “accessed remotely or physically transported outside of the agency’s secured, physical perimeter” (Adler, 2006).
Some have permitted information security compliance to be handled by more than one department. For example, in education campuses (Adler, 2006), the university hospital or the health center may be tasked with Health Insurance Portability and Accountability Act (HIPAA) compliance, the financial aid office or departments using credit cards may focus on compliance with the Gramm-Leach-Bliley Act (GLBA) or the Payment Card Industry Data Security Standard (PCIDSS), while the registrar may be held responsible for the privacy of student educational records under the Family Educational Rights and Privacy Act (FERPA).