Regulations & IT Governance Frameworks 101

With so many regulations and IT governance frameworks out there, it can be confusing to keep them all straight. I recently saw a whitepaper put out by Qualys that had (I thought) a really good brief description of the major ones. Here it is:
Regulations
SOX – The Sarbanes-Oxley Act of 2002 requires strict internal controls and independent auditing of financial information as a proactive defense against fraud.
HIPAA – The Health Information Portability and Accountability Act of 1996 requires tight controls over handling of and access to medical information to protect patient privacy.
GLBA – The Gramm-Leach-Bliley Act of 1999 requires financial institutions to create, document and continuously audit security procedures to protect the nonpublic personal information of their clients, including precautions to prevent unauthorized electronic access.
FISMA – The Federal Information Security Management Act of 2002 is meant to bolster computer and network security within the federal government and affiliated parties (such as government contractors) by mandating yearly audits.
Basel II – The Capital Requirements Directive/Basel II Accord established an international standard that banking regulators can use when creating regulations about how much capital banks need to put aside to guard against the types of financial and operational risks banks face.
UK Data Protection Act of 1998 – The eight principles of the Data Protection Act state that all data must be processed fairly and lawfully; obtained and used only for specified and lawful purposes; adequate, relevant and not excessive; accurate and, where necessary, kept up to date; kept for no longer than necessary; processed in accordance with individuals' rights as defined in the Act; kept secure; and transferred only to countries that offer adequate data protection.
IT Governance Frameworks
COBIT® 4.0 – Published by the IT Governance Institute (ITGI), COBIT 4.0 emphasizes regulatory compliance. It helps organizations increase the value attained from IT and enables alignment with business goals and objectives. COBIT offers the advantage of being very detail-oriented, which makes it readily adoptable across all levels of the organization. It also makes use of the Capability Maturity Model Integration (CMMI) as a way of assessing the status of security processes.
ISO 17799:2005 (ISO 27001) – This is an international standard for the management of IT security that organizes controls into ten major sections, each covering a different topic or area. These are: business continuity planning, system development and maintenance, physical and environmental security, compliance, personnel security, security organization, computer operations and management, asset control, and security policy.
NIST 800-53 – This publication from the National Institute of Standards and Technology is a collection of “Recommended Security Controls for Federal Information Systems.” It describes security controls for use by organizations in protecting their information systems, and recommends that they be employed in conjunction with and as part of a well-defined information security program.