Continuing my series of posts on Gary Miliefsky's article "The 7 best practices for network security in 2007", I'd like to take the next logical step (which also happens to be Gary's next step) after Frequent Security Assessments: applying the security you already have in place to compliance standards and performing Compliance Self-Assessments.
First, not every company is subject to compliance standards. Here are a few of the most common ones:
- Sarbanes-Oxley (SOX) - applies to publicly traded companies
- Health Insurance Portability and Accountability Act (HIPAA) - applies to the health care industry
- Gramm-Leach-Bliley Act (GLBA) - applies to the financial and insurance industries
- Payment Card Industry Data Security Standard (PCI DSS) - applies to any organization that stores, processes, or transmits credit card information
All security sections of compliance standards do is define
There are a ton more; I just picked some of the most broad-reaching standards.
Organizations can take the results of their Frequent Security Assessments and apply them directly toward proving compliance. Every standard, while seemingly specific to a particular industry, is secretly so generic that they could almost be interchanged with one another with only the protected-data terms switched out. Just like the old 70's skit on Letterman, you can swap "Protected Health Information" in HIPAA for "cardholder data" in PCI DSS and you'd have nearly the same standard.
The key issue here is knowing what steps need to be taken to assess your security according to the appropriate standard, and testing yourself against those requirements before you are audited.