Posted by: Robert Davis
Information Assets Protection, Information Security, Information Security Governance, Information Security Management, IT Controls, Security Frameworks
As long as multiple regulatory agencies pursue government-supported agendas, variances between their requirements can exist that call for comprehensive legal compliance reviews. Central to controlling for multiple decrees is a thorough analysis of what is required, together with quality documentation supporting legal compliance efforts. For example, evidentiary requirements may insist on a documented compliance methodology to justify a reduction in expected judicial sentencing.
Management's response to applicable laws and regulations varies based on its interpretation of legal, operational and technological alignment. However, an entity's ISG (information security governance) legal compliance system should include:
- Risk assessments
- Appropriate authority
- Adequate resource allocations
- Policies to prevent or detect illegal acts
- Standards to prevent or detect illegal acts
- Procedures to prevent or detect illegal acts
- Personnel screening correlated to program goals
- Program training at all employee levels
- Non-retaliatory internal reporting systems
- Incentives to motivate employee compliance
- Discipline to promote employee compliance
- Responsibility assignments at all employee levels
- Program effectiveness audits, monitoring, evaluations and reporting
- Deployment of incident prevention procedures for similar repeat violations
- Deployment of incident response procedures for equivalent repeat violations
Apgar, Chris. “Complying with multiple regulations and contending with conflicts.” Search400.com, September 6, 2005. http://search400.techtarget.com/tip/0,289483,sid3_gci1122854,00.html (accessed April 21, 2008).
U.S. Sentencing Commission. “Chapter 8 – Part B – Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program §8b2.1.” In Federal Sentencing Guidelines for Organizations. Washington, DC: Government Printing Office, 2007. http://www.ussc.gov/2007guid/8b2_1.html (accessed May 7, 2008).