INFORMATION SECURITY LAW

1
INFORMATION SECURITY LAW
2
Elements - law/regulation on info security

• Management involvement
• Strategic policies and procedures
• Risk-based, process approach
• Documented
• Appropriate to size and complexity of
  organization
• Administrative, technical and physical controls
  to mitigate risk
• Monitoring, updating, independent auditing

3
Essential administrative, technical and physical
controls to mitigate risk

• Access Controls (administrative and technical)
• Information processing, storage, transmission and
  disposal procedures
• Physical Environmental Security Controls
• Third Party Oversight Measures
• Incident Response Plan

4
Emerging Standard

• Asset Assessment
• Risk Assessment
• Develop Security Program to Manage and Control
  Risk
• Responsibility for Security Program

5
Emerging Standard

• Awareness, Training and Education
• Monitoring and Testing
• Review and Adjustment
• Oversee Third Party Service Provider Arrangements

6
Industry Standard Business Software Alliance

• Need for an effective security organizational
  structure
• Need for risk assessment mgmt must understand
  risks to info assets and security measures must
  be commensurate with the risks

7
Industry Standard Business Software Alliance

• Need to create, implement and continuously
  monitor security measures, and communicate and
  enforce security policies
• Need for organizational commitment, awareness and
  training of personnel

8
Present Environment of Info Security Programs

• Ernst Young Global Info Survey 2003
• Over 1400 organizations in 66 countries were
  surveyed on information security
• Most respondents were chief information officers
  (CIOs) or chief information security officers

9
Global Info Survey 2003

• Information security is considered a high
  priority in achieving overall business objectives
  (90)
• But only half indicate that info security
  spending is aligned well with key business
  objectives

10
Global Info Survey 2003

• Board involvement in info security over 50
  indicate that they report on info security to the
  board on an annual basis or less often
• Meetings between CIOs and business unit leaders
  are also infrequent - over 55 do not meet on a
  regular basis

11
Global Info Survey 2003

• Few organizations take a strategic approach to
  information security most take a
  technology-based, reactive approach
• Info security plans are not reviewed and updated
  on a ongoing basis

12
Global Info Survey 2003

• Major obstacle to effective info security was
  inadequate funding more sophisticated threats
  had been cited in prior years
• Return on investment measures were not generally
  used to make decisions on info security measures

13
Global Info Survey 2003

• Major driver for info security spending is risk
  reduction
• Regulatory compliance and legal/contract
  requirements ranked high
• Maintaining business reputation and trust was
  another important factor

14
Global Info Survey 2003

• Spending is primarily directed to technology
• Employee training and awareness captured a
  relatively small share of info security spending

15
Global Info Survey 2003

• Viruses and worms continue to be the major
  concern of info security managers
• Increasingly, internal threats from employees and
  others are being recognized as significant