The Importance of Compliance in Order to Achieve a Secure Information System

Anton Dewantoro
6 min read · Jan 4, 2020


In order to avoid breaches of legal, statutory, regulatory or contractual obligations related to information security, and of any other security requirements, compliance is mandatory. Compliance means ensuring that an organization meets at least the minimum security-related requirements. Unfortunately, compliance is usually not the primary concern or prerogative of a security team, despite being a critical business requirement.

Information security is a main ingredient that every modern company needs. On top of that, creating a system that is robust both technically and legally requires an alliance of security and compliance. Based on a prior risk assessment, the security team puts systematic controls in place to protect information assets. In turn, the compliance team needs to validate that the security frameworks are in line with the legal frameworks, so that together they can confirm that the whole system functions as planned.

Compliance is one of the seven core dimensions of information security culture in an organization.

All relevant legislative, statutory, regulatory and contractual requirements, and the organization's approach to meeting them, should be explicitly identified, documented and kept up to date for each information system and for the organization as a whole. Managers should identify all legislation applicable to their organization in order to meet the requirements for their type of business. If the organization conducts business in other countries, managers should consider compliance in all relevant countries.

Although many information security standards treat compliance as the last concern, the compliance process must start at the very beginning of system development, by identifying the applicable legislation and contractual requirements.

As company assets nowadays become more and more intangible, thorough scrutiny and protection of intellectual property rights must take place. Organizations also need to recognize the legislative, regulatory and contractual requirements related to intellectual property rights and to the use of proprietary software products, both their own and those of other parties. The following guidelines should be considered to protect any material that may be considered intellectual property:

a) publishing an intellectual property rights compliance policy which defines the legal use of software and information products;

b) acquiring software only through known and reputable sources, to ensure that copyright is not violated;

c) maintaining appropriate asset registers and identifying all assets with requirements to protect intellectual property rights;

d) carrying out reviews that only authorized software and licensed products are installed;

e) not duplicating, converting to another format or extracting from commercial recordings (text, picture, film, audio) other than permitted by copyright law.

Proprietary software products are usually supplied under a licence agreement that specifies licence terms and conditions, for example limiting the use of the products to specified machines or limiting copying to the creation of backup copies only. The importance of, and awareness of, intellectual property rights should also be communicated to staff for software developed by the organization itself. Legislative, regulatory and contractual requirements may place restrictions on the copying of proprietary material. In particular, they may require that only material that is developed by the organization, or that is licensed or provided by the developer to the organization, can be used. Copyright infringement can lead to legal action, which may involve fines and criminal proceedings.

Records are another subject to consider when we talk about information compliance. Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legal, regulatory, contractual and business requirements. Some records may need to be securely retained to meet statutory, regulatory or contractual requirements, as well as to support essential business activities. Examples include records that may be required as evidence that an organization operates within statutory or regulatory rules, to ensure a defence against potential civil or criminal action, or to confirm the financial status of an organization to shareholders, external parties and auditors. National law or regulation may set the time period and data content for information retention.

An organization's data policy for privacy and the protection of personally identifiable information should be developed and implemented. This policy should be communicated to all persons involved in the processing of personally identifiable information. Compliance with this policy, and with all relevant legislation and regulations concerning the protection of people's privacy and of personally identifiable information, requires an appropriate management structure and controls. Often this is best achieved by appointing a responsible person, such as a privacy officer, who provides guidance to managers, users and service providers on their individual responsibilities and on the specific procedures that should be followed. A number of countries, including Indonesia, have introduced legislation placing controls on the collection, processing and transmission of personally identifiable information.

Cryptography is another area that the security and compliance teams need to consider. Cryptographic controls should be used in compliance with all relevant agreements, legislation and regulations. Restrictions on importing or exporting computer hardware and software that perform cryptographic functions should be taken into account. Legal advice should be sought to ensure compliance with relevant legislation and regulations. Before encrypted information or cryptographic controls are moved across jurisdictional borders, legal advice should also be taken.

The need for independent review of information security

In order to ensure that information security is implemented and operated in accordance with the organizational policies and procedures, an information security review must take place. The organization's approach to managing information security and its implementation (i.e. control objectives, controls, policies, processes and procedures for information security) should be reviewed independently at planned intervals or when significant changes occur. Such a review should be carried out by individuals independent of the area under review, e.g. the internal audit function, an independent manager or an external organization specializing in such reviews. Individuals carrying out these reviews should have the appropriate skills and experience. If the independent review finds that the organization's approach to managing information security, or its implementation, is inadequate, e.g. documented objectives and requirements are not met or are not compliant with the direction for information security stated in the information security policies (see 5.1.1), management should consider corrective actions.

Meanwhile, to maintain compliance with security policies and standards, managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. Managers should identify how to review that the information security requirements defined in policies, standards and other applicable regulations are met. Automatic measurement and reporting tools should be considered for efficient regular review.

Technical compliance should be reviewed preferably with the assistance of automated tools, which generate technical reports for subsequent interpretation by a technical specialist. Alternatively, manual reviews (supported by appropriate software tools, if necessary) by an experienced system engineer could be performed. If penetration tests or vulnerability assessments are used, caution should be exercised as such activities could lead to a compromise of the security of the system. Such tests should be planned, documented and repeatable. Any technical compliance review should only be carried out by competent, authorized persons or under the supervision of such persons.
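One way to implement the automated measurement and reporting the text recommends, as an added example that is not from the article: a small Python compliance check that compares a host's installed software with an authorized-software register (guideline d) and checks records against minimum retention periods. The register, inventory, retention rules and control labels are all constructed assumptions.

```python
# Added example, not from the article: an automated technical compliance check.
# It compares a host's installed software with an authorized-software register
# (guideline d above) and checks records against a minimum retention period.
# All data is constructed; the control labels "IPR-d" and "REC" are chosen here.
from dataclasses import dataclass
from datetime import date

AUTHORIZED = {"openssl": {"3.0.13"}, "nginx": {"1.24.0", "1.26.1"}}  # product -> licensed versions
INVENTORY = [("openssl", "3.0.13"), ("nginx", "1.22.0"), ("unlicensed-tool", "0.1")]  # scan result
RETENTION_DAYS = {"financial": 7 * 365, "hr": 5 * 365}  # minimum days a record must be kept
RECORDS = [  # (name, category, created, deleted or None if still retained)
    ("invoice-2019-01.pdf", "financial", date(2019, 1, 10), None),
    ("payslip-2014.pdf", "hr", date(2014, 3, 1), date(2018, 6, 1)),
]

@dataclass(frozen=True)
class Finding:
    control: str  # which requirement the deviation relates to
    subject: str  # the asset or record concerned
    detail: str   # what is wrong, for a specialist to interpret

def review_software(inventory, register):
    """Flag software that is absent from the register or not covered by its licence."""
    findings = []
    for name, version in inventory:
        if name not in register:
            findings.append(Finding("IPR-d", name, "not in authorized-software register"))
        elif version not in register[name]:
            findings.append(Finding("IPR-d", name, f"version {version} not licensed"))
    return findings

def review_retention(records, rules):
    """Flag records that were deleted before their minimum retention period elapsed."""
    findings = []
    for name, category, created, deleted in records:
        if deleted is None:
            continue  # still retained, so nothing to check yet
        held = (deleted - created).days
        if held < rules[category]:
            findings.append(Finding("REC", name, f"held {held} days, minimum {rules[category]}"))
    return findings

def compliance_report(inventory=INVENTORY, register=AUTHORIZED,
                      records=RECORDS, rules=RETENTION_DAYS):
    """Return every finding; an empty list means the reviewed scope is compliant."""
    return review_software(inventory, register) + review_retention(records, rules)
```

The findings are deliberately raw: the report is input for the technical specialist's interpretation, as the text describes, not a verdict on its own.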

References:
ISO 15489-1 "Information and documentation — Records management — Part 1"
ISO/IEC 27001:2013 “Information technology — Security techniques — Information security management systems — Requirements”
ISO/IEC 27002:2014 “Information technology — Security techniques — Code of practice for information security controls”
ISO/IEC 27007 “Guidelines for information security management systems auditing”
ISO/IEC TR 27008 “Guidelines for auditors on information security controls”
ISO/IEC 29100 “Information technology — Security techniques — Privacy framework”
