IT Governance, Risk, and Compliance » GLBA

Legal Compliance Alignment – Part IV

Robert Davis — Mon, 23 Feb 2009 21:26:02 +0000

When exploring links between national and international arenas, the information security manager will discover international developments decisively impact national laws. Specifically, regional coalitions have enacted IAP related edicts that subsequently were codified in national laws and regulations. Procedurally, most regional coalition IAP decrees are presented as directives to member nations for federal ratification. For this reason, with the assistance of legal counsel, it is strongly recommended that information security managers evaluate all relevant statutory and regulatory mandates; in whatever judicial divisions the entity operates. Beneficially, multiple legal compliance requirements assessments enable entity-centric standard practices for satisfying other expected behavior. Exercises in legal due care can also equip an entity to build a compliance culture where standardization is the norm, and conditionally produce an environment conducive to training employees in IAP.

Predicatively, laws will continue to be enacted and the regulatory environment will become more complex due to unacceptable conduct remediation. Consequently, entities will continue to be compelled to demonstrate compliance with legal mandates – especially laws governing data retention and privacy – that can differ by hemisphere, country, province, county, city, as well as industry. In this increasingly complex regulatory environment, most entities should balance their focus on compliance imperatives without diminishing anticipated response quality to governmental edicts.

Legal Compliance Alignment – Part III

Robert Davis — Thu, 19 Feb 2009 20:47:57 +0000

There are numerous global, regional as well as national laws and regulations focusing on information assets protection (IAP) requiring professional consideration. In particular, at the global level, the World Intellectual Property Organization (WIPO) and World Trade Organization (WTO) have constructed legally binding derivative IAP agreements. While regionally, trans-border coalitions adopting or enacting IAP related laws include the Asia-Pacific Economic Co-operation (APEC), the Council of Europe (COE), the European Union (EU), the Organization of American States (OAS), and the Organization for Economic Cooperation and Development (OECD). Lastly, the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA), the U.K. Data Protection Act, the U.S. Digital Millennium Copyright Act (DMCA), and the U.S. Federal Information Security Management Act (FISMA) are clear examples of IAP national legislation that may affect an entity’s control framework.

Legal Compliance Alignment – Part II

Robert Davis — Mon, 16 Feb 2009 20:00:15 +0000

Simultaneous compliance with multiple laws and regulations can create unique challenges for most entities. Selectively, potential compliance hurdles include distinct internal management groups pursuing equivalent goals; diverse audit perspectives, priorities, and requirements; as well as confusion resulting from redundant controls. For instance, cross-compliance with the Foreign Corrupt Practices Act (FCPA), Sarbanes Oxley Act (SOX), Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) may generate muddled responses regarding the importance of certain security controls for a U.S. based ‘publicly held’ corporation. To decrease potential negative effects of cross-compliance, management should seek assurance that relevant statutory, regulatory, and contractual requirements are adequately defined and documented for each information system.

Legal Compliance Alignment – Part I

Robert Davis — Thu, 12 Feb 2009 22:22:20 +0000

Institutionalized information security governance defines the information assets safeguarding perimeter inside which an entity should operate. Whereas, legal compliance management ensures structural boundary segments are sturdy and the entity consistently fulfills its mission within externally imposed demarcation lines. Generally, determining an entity’s legal mandates exceeds the security function’s ambit. Nonetheless, overseeing the design, implementation and monitoring of applicable legal requirements is a security function imperative. Aligning information security governance with legal compliance management allows an entity to enhance cultural ethics while concurrently reducing judicial risks.