Assessing the risk of third-party vendors has been a growing problem for compliance management. Because of the growing number of data breaches related to third parties, regulators have been focusing on the inherent risks of outsourcing. Within the financial services industry, this has long been accomplished via a SAS70 (now SSAE16) type audit. Within the U.S. …
Category Archive: Regulatory Compliance
Feb 20
EU Updates Data Protection Guidelines
The European Union recently released a set of draft recommendations for a major update to the current privacy framework that underpins Directive 95/46/EC. The changes would introduce a single set of rules on data protection, valid across the EU. The proposed changes give individuals more control over their personal information and would have a significant …
Mar 25
A Security Policy Standard of Due Care
Divergent Directions: Looking back over the last 30+ years of my work in information security, I see two diverging trends when it comes to defining the information security-related standard of due care. By the “standard of due care,” in this column I mean the actions that management needs to take (for instance the controls that …
Jan 27
Aren’t information security policies only for large organizations?
Regardless of an organization’s size, industry, geographical location, or the extent to which it uses computers, information security is an important matter that should be addressed by explicit policies. Some experts say that the lack of a well-defined corporate information security policy is the single biggest problem with most security efforts. Major data protection laws …
Jan 11
Five Reasons Why Security Policies Don’t Get Implemented
This article will explore five serious problems preventing information security policies from being implemented, even though these policies may have been written with the best of intentions. Cutting across all five of these causative factors is a theme involving a lack of understanding about the nature of policies. All too often policies are written in …
Nov 23
Using Security Policies As Catalysts For Internal Change
Security Quality Control: There is much to recommend about the ISO 9000 quality control approach as it applies to the discipline of information security. In fact, the ISO 27001 standard, entitled Information Security Management System (ISMS), in large measure reflects that same methodology. In other words, ISO 27001 suggests a continuous improvement approach to …
May 26
Regulatory Requirements for Establishing Information Security Roles and Responsibilities
There are many security and privacy regulations that are very specific about the proper assignment of security responsibilities. Yet in many organizations, the information security effort is not managed with the same precision as other disciplines. There are a variety of reasons for this, not the least of which is that information security is a …
Oct 20
Information Security Policies and ISO 27001 certification
The paper discusses the importance of information security policies within an information security management system (ISMS), including the benefits of using Information Shield publications in obtaining certification against the new ISO 27001 standard.
Jan 26
PCI Policy Compliance Using Information Security Policies
Many organizations are building or updating written information security policies in response to the newly updated Payment Card Industry Data Security Standard (PCI-DSS). In this paper we describe how Information Shield security policy products can be used to save time and money building security policies that address the PCI-DSS requirements.
Aug 21
Information Security Policies and BITS Assessment
The events of 2007 and 2008 have led to an increased focus on governance, security and privacy within the financial services market. One increasingly common scenario is when a third-party service provider must have their security program validated by the financial institution that it serves. Historically, these audits were based on the BITS framework and …