Module 11
This module presents a summary of how to design, plan, implement, deploy and audit an IT infrastructure so that it
conforms to regulatory compliance and business partner requirements – by analyzing the business problem and developing
business solutions to it. There is a tremendous variety of open-source products and services that can be used to help
companies with regulatory compliance, business partner requirements, and industry standards and practices. These
compliance solutions can help you minimize risk, thereby enabling you to focus on your core business goals and confidently
pursue new business opportunities.
Business Problem
In the current global market and security scenarios, if your business collects or shares customer personal information, you
don’t have much choice: you have to spend time and resources to comply with government regulations and partner
requirements. In this kind of scenario:
• How do you manage multiple audits and requirements across your company?
• How do you create a process for compliance with continuously evolving regulations?
Business Solution
When it comes to information access and security, the best approach is to take an integrated approach to compliance that
addresses the demands on your business while keeping an eye on the bottom line.
Action Required
To help meet the regulations and compliance requirements, companies will need to identify common requirements and
address the range of solutions required. Companies can utilize internal expertise, or they may engage expert third-party
resources to help in uncovering business opportunities and process improvements that could help their bottom line.
Regulatory Compliance: The regulations that govern your business, such as Sarbanes-Oxley and HIPAA.
Business Partner Requirements: Mandates and audits required by your business partners, such as PCI compliance and RFID mandates.
Standards and Best Practices: Methods and processes to improve security and business operations, such as ISO 17799, ITIL, and COBIT.
Public Sector Regulations: Security and authentication directives, standards and requirements for government agencies and contractors.
© April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
www.globalopenversity.org
Module 11 Summary of IT Security Compliance Solutions & Best Practices v1.0
Business Solutions
Section 404 of the Sarbanes-Oxley Act of 2002 (SOX) requires publicly traded companies to establish and maintain
internal controls over financial reporting processes. Security controls are one part of the General Computing Controls (GCC)
assessed by auditors during annual Section 404 audits.
Mapping to Standards
Most organizations map SOX standards and requirements to the Committee of Sponsoring Organizations of the Treadway
Commission (COSO) framework for internal controls. However, COSO does not address information technology controls.
Companies, therefore, apply standards based on the IT Governance Institute’s (ITGI) document, “IT Controls for Sarbanes-
Oxley,” because it is used by many auditors to conduct their reviews.
SOX Requirements
There are various products and services, both open-source and proprietary, to help you address IT controls based on the COBIT
controls referenced in the ITGI standards.
Best Practices
These solutions address industry best practices that can augment the above required controls.
Encryption and non-repudiation: Sensitive or regulated financial data and the systems used for storage, processing or transmitting it. Addressed through Enterprise Key Management via:
• Managed PKI for SSL
• Managed PKI Services
HIPAA Compliance
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 in response to concerns about
the privacy and security of medical records. Portions of HIPAA require healthcare organizations to conduct a thorough
information technology (IT) risk assessment, as well as to develop and implement a plan for improving and maintaining
security.
Requirements
The following solutions can help address certain HIPAA requirements.
Best Practices
These solutions address industry best practices that can augment the above required controls.
Requirements
These solutions help you address PCI standards.
Best Practices
These solutions address industry best practices that can augment the above required controls.
Learn More
Visa Cardholder Information Security Program: Links to the Visa Web site for more about PCI compliance requirements, as well as the Payment Applications Best Practices program.
MasterCard Site Data Protection Program: Links to the MasterCard Web site for more about PCI scanning requirements.
Enterprise Compliance Solutions for the Payment Card Industry: Checkout review of PCI data security standards by VeriSign, using VeriSign PCI compliance solutions for merchants, Levels 1-4.
Best Practices
In addition to the required controls above, the following technologies can be applied as best practices to support RFID
implementations.