Saturday, 26 October 2013

Security Standards and Regulations


[ From chapter-18 of the book "Information Technology in Banking" written by Abul Kashem Md. Shirin and Nusrat Tamanna Prianka and published by Institute of Bankers, Bangladesh (IBB) ]

1. Standards and Regulations:

Many governments around the world are preparing or have adopted standards (which the enterprises may follow to improve their IT security) / regulations (which the enterprises must follow to avoid penalties) prescribing how companies should manage and control information security. The aim is simple: compel management and boards of directors to be responsible for information security, and encourage them to display the same “due diligence” they devote to protecting their assets.

Such regulations include the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the USA PATRIOT Act and Canada's PIPEDA; standards include BS7799 (or ISO 17799), the “Guideline on ICT Security for Scheduled Banks and Financial Institutions” framed by the Bangladesh Bank (the central bank of Bangladesh) and many national standards.

A brief comparison of some of the Security Standards / regulations is given below:

| Security Regulations / Standards | Who should comply? | What do the security provisions cover? | What are the penalties? | When is it in effect? |
|---|---|---|---|---|
| Sarbanes-Oxley Act of 2002 | All public companies subject to US securities laws | Internal controls and financial disclosures | Criminal and civil penalties | Current law |
| Gramm-Leach-Bliley Act of 1999 | Financial institutions | Security of customer records | Criminal and civil penalties | Current law |
| Health Insurance Portability and Accountability Act (HIPAA) | Health plans, health care clearinghouses, and health care providers | Personal health information in electronic form | Civil fines and criminal penalties | Current law |
| BS7799 / ISO 17799 | Any enterprise interested in improving IT security | Information Security Management System (ISMS) of any enterprise | Not a law, thus no penalty provision | Current security standard |
| Guideline on ICT Security for Scheduled Banks and Financial Institutions | Banks and financial institutions in Bangladesh | Security of IT assets and customer data | Not a law, thus no penalty provision | Current security standard |

An organization that complies with any one of these standards / regulations already possesses a concrete and practical information security management system.

For example, HIPAA tackles the same subjects as the ISO 17799 standard while placing the emphasis on the protection of private information. Compliance with ISO 17799 and BS7799-2 can include the definition of policies and procedures for the security of a company’s sensitive information, as touched on in SOX.
In this chapter we will discuss security standards, specifically the “Guideline on ICT Security for Scheduled Banks and Financial Institutions” published by the Bangladesh Bank, and BS7799 (or ISO 17799).

2. Benefits of complying with a Security Standard

Obviously, complying with a Security Standard and obtaining “certification” on a certain standard does not in itself prove that an organization is 100% secure. The truth is, barring a cessation of all activity, there is no such thing as complete security. Nevertheless, adopting a standard confers certain advantages that any manager should take into consideration, including:

At the organizational level

Commitment: certification serves as a guarantee of the effectiveness of the effort put into rendering the organization secure at all levels, and demonstrates the due diligence of its administrators.

At the legal level

Compliance: certification demonstrates to competent authorities that the organization observes all applicable laws and regulations.

At the operating level

Risk management: leads to a better knowledge of information systems, their weaknesses and how to protect them. Equally, it ensures a more dependable availability of both hardware and data.

At the commercial level

Credibility and confidence: partners, shareholders and customers are reassured when they see the importance the organization attaches to protecting information. Certification can help set a company apart from its competitors in the marketplace.

At the financial level

Reduced costs related to security breaches, and possible reduction in insurance premiums.

At the human level

Improves employee awareness of security issues and their responsibilities within the organization.

1 comment:

  1. Great post!! Thanks for sharing it with us.... really needed. Ordering Checks from Printing Service Companies. There are plenty of personal printers and check printing suppliers online these days which can supply quick and secure customized checks. Personal or business checks don’t need to be created by your bank. Ordering Checks Online