Compliances

Organizations face unique compliance challenges depending on their field of expertise and on the region or country in which they operate.



The term “law” is versatile. Just as culturally accepted behaviour varies from one culture to another, law varies from one country to another. In all these cases, from cultural acceptance to complying with the laws of a country to even our personal relationships, what we try to do is to avoid trouble.

How to avoid trouble?


Most people have always been aware of general security, but then they had to learn the importance of cyber security. Now they have to learn to comply with its regulations. Most organizations are not aware of compliance requirements. It is part of human nature to take precautions only after a bad experience; we call it “learning from mistakes”.

Again, what can you do to avoid mistakes?


You have to address your loopholes to comply. You can do this with pre-configured compliance automation modules. These modules address many of the most common regulations.

I have to share that I had one of those brain-freeze moments not too long ago when buying groceries. The farmer selling goods from behind his truck negotiated with a buyer so hard that in the end he was content with the outcome. He called it the “win-win situation” in English. This was a farmer in Turkey.

Well, now imagine someone running an organization who hasn’t heard of standards and related regulations. Unlikely.



CRYPTTECH constantly renews itself and works in close contact with lawyers for instant updates.

CRYPTTECH’s solutions help to automate the steps required by each standard to ensure compliance. You just have to go ahead and choose the standard you’re looking for and get in touch.

Here are some of them you might need:

HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) regulation impacts health care organizations that store and, more importantly, exchange patient information. HIPAA regulations were established to protect the integrity of patients’ personal information, and compliance is intended to secure health information against unauthorized use, theft or disclosure.

As part of the requirements, HIPAA states that a security management process must take place in order to protect against “attempts of unauthorized access, use, disclosure, modification, or interference with system operations”. An organization must be able to monitor, report and alert on attempted or successful access to systems and applications that contain sensitive patient information.

According to Gartner reports, almost two-thirds of organizations regulated by HIPAA do not have complete or accurate risk assessment capabilities.

ISO 27001

ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.

According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."

This specification defines a six-part planning process:
  1. Define a security policy.
  2. Define the scope of the ISMS.
  3. Conduct a risk assessment.
  4. Manage identified risks.
  5. Select control objectives and controls to be implemented.
  6. Prepare a statement of applicability.

The standard covers all types of organizations (e.g. commercial enterprises, government agencies, non-profits), all sizes (from micro-businesses to huge multinationals), and all industries or markets (e.g. retail, banking, defense, healthcare, education and government).

The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.

The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.


ISO 27002 contains 12 main sections:
  1. Risk assessment
  2. Security policy
  3. Organization of information security
  4. Asset management 
  5. Human resources security
  6. Physical and environmental security
  7. Communications and operations management
  8. Access control 
  9. Information systems acquisition, development and maintenance
  10. Information security incident management
  11. Business continuity management
  12. Compliance

Other standards being developed in the 27000 family are:

27003 – implementation guidance.
27004 – an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 – an information security risk management standard (published in 2008).
27006 – a guide to the certification or registration process for accredited ISMS certification or registration bodies (published in 2007).
27007 – ISMS auditing guideline.

Payment Card Industry – Data Security Standard (PCI DSS)


The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to optimize the security of credit, debit and cash card transactions and protect cardholders against misuse of their personal information. The PCI DSS was created jointly in 2004 by four major credit-card companies: Visa, MasterCard, Discover and American Express.

GLBA

The Gramm-Leach-Bliley Act (GLB Act or GLBA), also known as the Financial Modernization Act of 1999, is a federal law enacted in the United States to control the ways that financial institutions deal with the private information of individuals. The Act consists of three sections: The Financial Privacy Rule, which regulates the collection and disclosure of private financial information; the Safeguards Rule, which stipulates that financial institutions must implement security programs to protect such information; and the Pretexting provisions, which prohibit the practice of pretexting (accessing private information using false pretences). The Act also requires financial institutions to give customers written privacy notices that explain their information-sharing practices.

FISMA


The Federal Information Security Management Act (FISMA) is United States legislation that defines a comprehensive framework to protect government information, operations and assets against natural or man-made threats. FISMA was signed into law as part of the Electronic Government Act of 2002.

SOX

The Sarbanes-Oxley Act of 2002 (often shortened to SOX) is legislation passed by the U.S. Congress to protect shareholders and the general public from accounting errors and fraudulent practices in the enterprise as well as improve the accuracy of corporate disclosures. The U.S. Securities and Exchange Commission (SEC) administers the act, which sets deadlines for compliance and publishes rules on requirements.


Peace out!

Jade Y. Simsek
Int. Relations Director

CRYPTTECH - Cyber Security Intelligence 
