Is compliance the same as security? No. You cannot achieve “security.” You can achieve “compliance.” Compliance dangles: the term “compliance” begs for a phrase to follow it. Find the framework and criteria you need, such as ISO 27001. Achieve compliance with that, and you should feel secure. Settle for lower standards, settle for the bare minimum, such as PCI DSS or HIPAA, and you should feel insecure.
Being compliant with a standard should not be sufficient, either. You should also appear to be compliant. Consider the disposal of training materials. Information which appears on the training materials should be fictitious. You should not need to shred training materials containing fictitious information, since no proprietary information is involved. You should nevertheless choose to shred training materials rather than have to explain, when they are found in a dumpster, why these official-looking forms are not a concern. You should shred training materials rather than allow them to be re-purposed in a fraudulent or “social engineering” manner.
Comply with the audit requirements for PCI DSS or HIPAA, because these are contractual or legislated requirements intended to establish a minimal set of expectations.
The purpose of MITRE’s Benchmark Development effort is to foster best practices and encourage the security guidance community to create guidance that is standards-based, structured, and automatable. This web site is intended to serve as a community gathering place for that effort by providing a variety of resources for the benchmark development community including access to Standards and Tools for benchmark development, an email list Discussion Forum for community participation, a Free Online Course designed to teach attendees how to create good benchmarks more efficiently, and Other Helpful Resources.
Health Care
- HIPAA & HITECH
- NIST 800-53 & FIPS
- ISO 27001 & 27002
- PCI DSS
- FTC regulations
- CMS (Centers for Medicare & Medicaid Services)
- COBIT
- HITRUST Common Security Framework (CSF)
Compliance and Guidance links
- American Recovery and Reinvestment Act (ARRA) of 2009 Expands HIPAA to protect patient health information.
- BreachPrep.org Not if, but when. An incident response plan and notification requirements.
- California Security Breach Information Act (CA-1386) Agencies, persons and businesses and their privacy obligations, with similar regulations in 44 states and the District of Columbia
- Center for Internet Security (CIS) Benchmarks The Security Configuration Benchmarks are distributed free of charge to propagate their worldwide use and adoption as user-originated, de facto standards. The CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia. The Benchmarks are:
  - Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices;
  - Unique, because the recommendations are defined via consensus among hundreds of security professionals worldwide;
  - Downloaded several hundred thousand times per year;
  - Distributed free of charge by CIS in .PDF format (many benchmarks are also available to CIS Members in XCCDF, a machine-readable XML format for use with benchmark audit tools and Members’ custom scripts);
  - Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
- Children’s Online Privacy Protection Act of 1998 Privacy, deceptive practices
- Clinger-Cohen Act of 1996 [pdf] The Information Technology Management Reform Act (ITMRA) (Division E) and the Federal Acquisition Reform Act (FARA) (Division D) were signed into law as part of the National Defense Authorization Act for Fiscal Year 1996. The ITMRA and FARA were subsequently designated the Clinger Cohen Act of 1996 (CCA), encompassing both. This is the first time in law that Chief Information Officers are established in government agencies, along with listing their roles and responsibilities. In addition, the ITMRA directs Federal agencies to focus more on the results achieved through IT investments while streamlining the Federal IT procurement process. Specifically, the ITMRA emphasizes rigor and structure in how agencies approach the selection and management of IT projects. FARA increases the discretion of contracting officers in an effort to promote efficient competition. FARA also permits the use of Simplified Acquisition Procedures in the acquisition of commercial items up to $5 million.
- Control Objectives for Information and related Technology (COBIT) guidance materials for IT governance. Introduction to COBIT at CobiTCampus.
- Customer Proprietary Network Information (CPNI) Federal Communications Commission rule (47 C.F.R. § 64.2011) [pdf].
- Electronic Signatures in Global and National Commerce Act 15 USC Chapter 96 Enforceability of electronic signatures, retention of records
- European Network and Information Security Agency (ENISA) Publications, including the CERT Exercises Handbook and Toolkit
- Federal IT Security Institute study resources
- GovCert.NL The Computer Emergency Response Team for the Dutch Government, home of awareness products such as movies, annual reviews, trend reports, a Cyber Crime manual and “Cert in a box”.
- Gramm-Leach-Bliley Act (GLBA) AKA Financial Modernization Act of 1999; customer privacy protection, notification of privacy protection, management liability; employee training
- Guide to Selected Privacy and Confidentiality Regulations Summarized list of regulations related to privacy, maintained by University of California, Berkeley
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Kennedy-Kassebaum; privacy compliance, not just a health care issue
- Information Technology Information Sharing and Analysis Center (IT-ISAC) Public section with best practices, news, references and a suspicious file submission vehicle. Private section for organizations
- Internet Security Forum and its Security Healthcheck and Standard of Good Practice
- ISO 27001 Online Security Management Standard
- ISO 27001 Security Promotes and explains the ISO/IEC 27000-family of information security standards and provides resources.
- ISO 27001 Information Security Management System
- ISO 27001 blog
- ISO 27001 video tutorials
- ISO 27036 standards on Information Security for supplier relationships to meet vendor compliance for better third party audits. This is especially important for companies involved with outsourcing.
- IT Infrastructure Threat Modeling Guide provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (SDL).
- North American Electric Reliability Corporation (NERC) Reliability Standards including Critical Infrastructure Protection (CIP)
- NIST 800-53 Recommended Security Controls for Federal Information Systems and Organizations
- Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for implementation of a security-focused configuration management (SecCM) process as well as supporting information for NIST SP 800-53. The fundamental concepts associated with SecCM and the process of applying SecCM practices to information systems are described.
- NIST Computer Security Resource Center Guidance
- NIST CSRC FISMA Implementation Project National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Federal Information Security Management Act (FISMA)
- NIST: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Introductory? A detailed risk management guide, using HIPAA to give the abstract subject some substance.
- Security Technical Implementation Guides (STIGs)
- Payment Card Industry (PCI) Data Security Standard (DSS)
- PCI DSS 2.0 and PA-DSS 2.0 Summary of Changes [pdf]
- Payment Card Industry (PCI) Data Security Standard (DSS) See “Roadmap to PCI Compliance” for an implementation plan
- RCW 19.255 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (businesses)
- RCW 42.56.590 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (agencies)
- Role-Based Access Control (RBAC) and Sarbanes-Oxley Compliance
- Sarbanes-Oxley Act of 2002 (SOX) Fraud and accountability. Section 404: Audit internal controls.
- Section 508 (29 U.S.C. § 794d) Federal agencies must give disabled employees and members of the public access to information that is comparable to the access available to others.
- SecurityAuditor.net provides resources for security analysis, BS7799, security policies and security audits
- Security Content Automation Protocol (SCAP) SCAP is a specification established by NIST for expressing and manipulating security data in standardized ways.
- Society of Payment Security Professionals – Compliance Demystified Secure Payments, PCI DSS, Regulatory Compliance Blog
- Statement on Auditing Standards (SAS) 70 Compliance Resource Guide Internal Controls, compliance audit for assessing the internal control framework on service organizations that provide critical outsourcing activities for other entities.
- Truth To Power Compliance and guidance research and advisory community
- Unbeaten Path IT Security Assurance with links to IT security compliance standards
- U.S.-EU Safe Harbor Framework privacy requirements when U.S. organizations do business in the EU
- Washington State HB 1149 – 2009-10 Financial Information–Security Breaches–Credit and Debit Cards [pdf] Effective date 7/1/2010