IT Governance, Risk, and Compliance » IT Controls

Revisiting the Safeguarding of Information Assets – Part XVII

Robert Davis — Mon, 20 May 2013 00:56:50 +0000

Data privacy laws dictate adherence to trusts and obligations associated with any information connected to an identified or identifiable data subject. Personal data privacy generally refers to information that can be associated with a specific individual, or that has identifying characteristics that might be combined with other information or data to identify a specific individual. Sensitive personal data may include items classified as individual preferences, habits, racial or ethnic origin as well as financial or medical condition.

Source:

Commission on Guidelines. Information Asset Protection Guideline. Alexandria, VA: ASIS International, 2007. http://www.asisonline.org/guidelines/guidelinesinfoassetsfinal.pdf (accessed April 21, 2008).

Shackelford, Kerry. “eSAC: Privacy Principles.” ITAudit, July 1, 2002. http://www.theiia.org/ITAuditArchive/index.cfm?act=ITAudit.archive&fid=464 (accessed April 22, 2008).

Revisiting the Safeguarding of Information Assets – Part XVI

Robert Davis — Fri, 17 May 2013 01:49:47 +0000

Security laws can decree the required degree of protection for property, usually based on governmental interest. Specifically, information security laws may outline control measures to prevent unauthorized access to devices that process sensitive data. Inclusively, directed data control measures can encompass peripheral equipment considered important for compliant protection. Consequently, IT resources should be integrated with an approach that repels potential compromises in applicable data treatment edicts for the defined subject matter.

Revisiting the Safeguarding of Information Assets – Part XV

Robert Davis — Sun, 12 May 2013 16:48:50 +0000

Information systems may be of a public or private nature, and contain elements protected by various data security, data privacy, or intellectual property laws. Property classification into public and private categories is based on ownership. If the property is owned by the government or a political division thereof, it is typically classed as public property; however if the property is owned by an individual, a group of individuals, a corporation, or some other business association, it is normally classified as private property. Property type impacts due care expectations and legal requirements.

Revisiting the Safeguarding of Information Assets – Part XIV

Robert Davis — Thu, 09 May 2013 21:41:35 +0000

Information systems related due care dictates appropriate data security due diligence activities. Interpretively, an entity’s information systems should represent resources committed to collecting data, processing transactions, and communicating operational results within defined legal limits. An entity’s management, through deployed governance, “must ensure due diligence is exercised by all individuals involved in the management, use, design, development, maintenance or operation of information systems.” Therefore, managerial due care and due diligence enables compliance with IAP legal requirements. Managerial due care redresses activity responsibility, whereby due diligence includes continuously promoting compliance. For instance, IAP legal compliance procedures should be set by top management and continually promoted by example.

Source:

Davis, Robert E. IT Auditing: IT Governance. Mission Viejo, CA: Pleier Corporation, 2006. CD-ROM.

ISACF. Framework. In COBIT: Governance, Control and Audit and Related Technology. 3^rd ed. Rolling Meadows, IL: ISACF, 2000.

Revisiting the Safeguarding of Information Assets – Part XIII

Robert Davis — Sun, 05 May 2013 19:14:09 +0000

Prescriptively; utilizing security, privacy and intellectual property clauses in contractual agreements may aid in clarifying expectations as well as reduce adverse outcomes in post-facto legal disputes. Parties to information asset related contracts should consider documenting terms for:
• signing non-disclosure agreements;
• granting the right-to-audit contractor controls;
• limiting the right-to-access specific information;
• processing the return or destruction of all records at contract termination;
• ensuring implementation of audit trails to closely monitor how information is handled;
• utilizing encryption technology that allows only authorized individuals to view decrypted data;
• addressing approval by applicable government oversight agencies of any subcontracting arraignments; and
• identifying and separating personal and/or confidential information being handled under a contract from other data held by the contractor.

Source:

Hillier, Peter J. “Transborder Data Flow – Intruding on Privacy?” knowledgeleader.com. (August 2006). http://www.knowledgeleader.com/KnowledgeLeader/Content.nsf/Web+Content/TFTransborderDataFlowIntrudingonPrivacy!OpenDocument&NWeekly
(accessed April 21, 2008).

Revisiting the Safeguarding of Information Assets – Part XII

Robert Davis — Thu, 02 May 2013 22:18:25 +0000

Complicating laws and regulations alignment are trans-border communication requirements regarding information protection and confidentiality. The potentially costly task of obtaining data delivery consent from all affected parties may be the only enabling trans-border information flow baseline. Contractually, equivalent protection usually can only be furnished when the sender enters into a written agreement with the trans-border recipient, whereby the recipient affirmatively agrees to abide by the higher information processing mandates of the sender or recipient; such as the E.U.–U.S. (Department of Commerce) Safe Harbor Agreement regarding the E.U. Privacy Directive on Data Protection.

Source:

Gelbstein, Ed and Jovan Kurbalija. Internet Governance: Issues, Actors and Divides. Geneva: DiploFoundation and Global Knowledge Partnership, 2005. http://textus.diplomacy.edu/textusbin/env/scripts/Pool/GetBin.asp?IDPool=641 (accessed April 21, 2008).

Revisiting the Safeguarding of Information Assets – Part XI

Robert Davis — Sun, 28 Apr 2013 12:08:45 +0000

As long as multiple regulatory agencies have government supported agendas, variances can exist that induce comprehensive legal compliance reviews. Primary to multiple decrees control is a thorough analysis of what is required and ensuring quality documentation supporting legal compliance efforts. For example, prerequisite evidentiary requirements may insist on a recorded compliance methodology to justify reducing expected judicial sentencing.

Managements response to applicable laws and regulations vary based on legal, operational and technological alignment interpretations. However, an entity’s ISG legal compliance system should include:

Risk assessments
Appropriate authority
Adequate resource allocations
Policies to prevent or detect illegal acts
Standards to prevent or detect illegal acts
Procedures to prevent or detect illegal acts
Personnel screening correlated to program goals
Program training at all employee levels
Non-retaliatory internal reporting systems
Incentives to motivate employee compliance
Discipline to promote employee compliance
Responsibilities assignments at all employee levels
Program effectiveness audits, monitoring, evaluations and reporting
Incidence prevention procedures deployment for similar repeat violations
Incidence response procedures deployment for equivalent repeat violations

Source:

Apgar, Chris. “Complying with multiple regulations and contending with conflicts.” Search400.com, September 6, 2005. http://search400.techtarget.com/tip/0,289483,sid3_gci1122854,00.html (accessed April 21, 2008).

U.S. Sentencing Commission. “Chapter 8 – Part B – Remedying Harm from Criminal Conduct, and Effective Compliance and Ethics Program §8b2.1.” In Federal Sentencing Guidelines for Organizations. Washington, DC: Government Printing Office, 2007. http://www.ussc.gov/2007guid/8b2_1.html (accessed May 7, 2008).

Revisiting the Safeguarding of Information Assets – Part X

Robert Davis — Thu, 25 Apr 2013 20:08:44 +0000

Even when compliance requirements extend internationally, managerial responsibility to prevent and detect illegal acts continues without regard to organizational formation origin. Given this fiduciary obligation, an entity’s management typically utilizes policies, directives, procedures, standards, rules, validation and monitoring as control conduits to obtain reasonable assurance that security related illegal acts are prevented or detected on a timely basis.

Institutionalized ISG defines the information assets safeguarding perimeter inside which an entity should operate. Whereas, legal compliance management ensures structural boundary segments are sturdy and the entity consistently fulfills its mission within externally imposed demarcation lines. Aligning ISG with legal compliance management allows an entity to enhance cultural ethics while concurrently reducing judicial risks. Predicatively, laws will continue to be enacted and the regulatory environment will become more complex due to unacceptable conduct remediation. Consequently, entities will continue to be compelled to demonstrate compliance with legal mandates — especially laws governing data retention and privacy — that can differ by hemisphere, country, province, county, city, as well as industry. In this increasingly complex regulatory environment, most entities should balance their focus on compliance imperatives without diminishing anticipated response quality to governmental edicts.

Source:

Booz, Allen, and Hamilton. Convergence of Enterprise Security Organizations. N.p.: The Alliance for Enterprise Security Risk Management, 2005. http://www.issa.org/Downloads/ConvergenceStudyNov05.pdf (accessed April 21, 2008).

Revisiting the Safeguarding of Information Assets – Part IX

Robert Davis — Sun, 21 Apr 2013 02:16:47 +0000

When links between national and international arenas are considered, international developments have decisively impacted national laws. Specifically; regional coalitions have enacted IAP related edicts that subsequently were codified in national laws and regulations. Procedurally, most regional coalition IAP decrees are presented as directives to member nations for federal ratification. For this reason, with the assistance of legal counsel, it is strongly recommended that information security managers evaluate all relevant statutory and regulatory mandates; in whatever judicial divisions the entity operates. Beneficially, multiple legal compliance requirements assessments enable entity-centric standard practices for satisfying other expected behavior. Exercises in legal due care can also equip an entity to build a compliance culture where standardization is the norm, and conditionally produce an environment conducive to training employees in IAP.

Source

Revisiting the Safeguarding of Information Assets – Part VIII

Robert Davis — Fri, 19 Apr 2013 02:35:48 +0000

There are numerous global, regional as well as national laws and regulations focusing on IAP that require professional consideration. In particular, at the global level, the World Intellectual Property Organisation (WIPO) and World Trade Organization (WTO) have constructed legally binding derivative IAP agreements. While regionally, trans-border coalitions adopting or enacting IAP related laws include the Asia-Pacific Economic Co-operation (APEC), Council of Europe (COE), E.U., Organization of American States (OAS), and Organization for Economic Cooperation and Development (OECD). Lastly, the U.K. Computer Misuse Act of 1990, the U.S. Digital Millennium Copyright Act (DMCA) of 1998, the Trinidad and Tobago Act No. 86 of 2000, the U.S. Federal Information Security Management Act (FISMA) of 2002, as well as the Japanese Financial Instruments and Exchange Law (J-SOX) of 2006 are clear examples of IAP national legislation that can affect an entity’s control framework.