Security Standards and Regulations
[ From chapter-18 of the book "Information Technology in Banking" written by Abul Kashem Md. Shirin and Nusrat Tamanna Prianka and published by Institute of Bankers, Bangladesh (IBB) ]
1. Standards and Regulations:
Many governments around the world have adopted, or are preparing, standards (which enterprises may follow to improve their IT security) and regulations (which enterprises must follow to avoid penalties) prescribing how companies should manage and control information security. The aim is simple: compel management and boards of directors to be responsible for information security, and encourage them to display the same “due diligence” they devote to protecting their other assets.
Such regulations include the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the USA PATRIOT Act and Canada’s PIPEDA; standards include BS7799 (or ISO 17799), the “Guideline on ICT Security for Scheduled Banks and Financial Institutions” framed by the Bangladesh Bank (the central bank of Bangladesh) and many national standards.
A brief comparison of some of these security standards and regulations is given below:
| Security Regulations / Standards | Who should comply? | What do the security provisions cover? | What are the penalties? | When is it in effect? |
|---|---|---|---|---|
| Sarbanes-Oxley Act of 2002 | All public companies subject to US securities laws | Internal controls and financial disclosures | Criminal and civil penalties | Current law |
| Gramm-Leach-Bliley Act of 1999 | Financial institutions | Security of customer records | Criminal and civil penalties | Current law |
| Health Insurance Portability and Accountability Act (HIPAA) | Health plans, health care clearinghouses, and health care providers | Personal health information in electronic form | Civil fines and criminal penalties | Current law |
| BS7799 / ISO 17799 | Any enterprise interested in improving IT security | Information Security Management System (ISMS) of any enterprise | Not a law, thus no penalty provision | Current security standard |
| Guideline on ICT Security for Scheduled Banks and Financial Institutions | Banks and financial institutions in Bangladesh | Security of IT assets and customer data | Not a law, thus no penalty provision | Current security standard |
An organization that complies with any one of these standards or regulations already possesses a concrete and practical information security management system. For example, HIPAA tackles the same subjects as the ISO 17799 standard while placing the emphasis on the protection of private information. Compliance with ISO 17799 and BS7799-2 can include the definition of policies and procedures for the security of a company’s sensitive information, as touched on in SOX.
In this chapter we discuss the security standards, specifically the “Guideline on ICT Security for Scheduled Banks and Financial Institutions” published by the Bangladesh Bank, and BS7799 (or ISO 17799).
2. Benefits of complying with a Security Standard
Obviously, complying with a security standard and obtaining “certification” against a particular standard does not in itself prove that an organization is 100% secure. The truth is, barring a cessation of all activity, there is no such thing as complete security. Nevertheless, adopting a standard confers certain advantages that any manager should take into consideration, including:
At the organizational level
Commitment: certification serves as a guarantee of the effectiveness of the effort put into rendering the organization secure at all levels, and demonstrates the due diligence of its administrators.
At the legal level
Compliance: certification demonstrates to competent authorities that the organization observes all applicable laws and regulations.
At the operating level
Risk management: leads to a better knowledge of information systems, their weaknesses and how to protect them. Equally, it ensures a more dependable availability of both hardware and data.
At the commercial level
Credibility and confidence: partners, shareholders and customers are reassured when they see the importance afforded by the organization to protecting information. Certification can help set a company apart from its competitors in the marketplace.
At the financial level
Reduced costs related to security breaches, and a possible reduction in insurance premiums.
At the human level
Improves employee awareness of security issues and of their responsibilities within the organization.