Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks
Generally, determining an entity’s legal mandates exceeds the security function’s ambit. Nonetheless, overseeing the composition, implementation and evaluation of legally required controls is an occupational security imperative. To reduce the potential negative effects of cross-compliance and multiple-compliance, management should seek assurance that the relevant statutory, regulatory, and contractual requirements are adequately defined and documented for each information system. As suggested in Enterprise Security: The Struggle to Manage Security Compliance for Multiple Regulations, although SOX, HIPAA, GLBA, and PIPEDA are prominent managerial legal topics, they are not the only mandates compelling entities to demonstrate compliance.
Commission on Guidelines. Information Asset Protection Guideline. Alexandria, VA: ASIS International, 2007. http://www.asisonline.org/guidelines/guidelinesinfoassetsfinal.pdf (accessed April 21, 2008).
Hurley, Jim. Enterprise Security: The Struggle to Manage Security Compliance for Multiple Regulations. Cupertino, CA: Symantec Corporation, 2004.