What Are Compliance and Regulatory Frameworks?
Compliance and regulatory frameworks are sets of guidelines and best practices. Organizations follow these guidelines to meet regulatory requirements, improve processes, strengthen security, and achieve other business objectives (such as becoming a public company or selling cloud solutions to government agencies).
These frameworks give us a common language that can be used from the server room to the boardroom. These standards are leveraged by:
- Internal auditors and other internal stakeholders to evaluate the controls in place within their own organization.
- External auditors to evaluate and attest to the controls in place within an organization.
- Third parties (potential customers, investors, etc.) to evaluate the potential risks of working with an organization.
Achieving compliance within a regulatory framework is an ongoing process. Your environment is always changing, and the operating effectiveness of a control may break down. Regular monitoring and reporting are a must, and guidance on exactly what “regular monitoring” entails is also outlined within each framework.
If you work with or are part of an information security (IS) team, here are some of the regulatory frameworks you may encounter:
Sarbanes-Oxley (SOX)
- Why does it exist? The Sarbanes-Oxley Act was passed in 2002 to combat fraud after the Enron, WorldCom, and Tyco accounting scandals impacted investor trust. These controls are mandatory for public companies.
- How does it affect you if you’re on an IS team? There are various security requirements for applications and systems that process financial data. Requirements around access management, general IT controls (ITGCs), and entity-level controls may need to be managed by the IS team.
- What kinds of organizations leverage this framework? Public companies, or companies planning an initial public offering (IPO).
PCI DSS
- Why does it exist? The Payment Card Industry Data Security Standard (PCI DSS) exists to protect cardholder data. These controls are mandatory for organizations that process credit card data. The standard is made up of multiple levels, and the extent to which your organization interacts with credit card data will determine what level of PCI compliance your organization needs to achieve. For example, banks, merchants, and service providers will be held to higher standards given the nature of the business.
- How does it affect you if you’re on an IS team? In addition to enforcing certain procedures and controls based on your PCI DSS level, you may need to complete self-assessment questionnaires, quarterly network scans, and on-site independent security audits.
- What kinds of organizations leverage this framework? Merchants, payment card issuing banks, processors, developers, and other vendors.
NIST
- Why does it exist? Unlike SOX, NIST is not a single set of controls. NIST, or the National Institute of Standards and Technology, is a federal agency under the Department of Commerce that covers manufacturing, quality control, and security, among other areas. The agency works with security industry experts, other government agencies, and academics to establish a set of controls and balances to help operators of critical infrastructure manage cybersecurity risk. Today, many organizations leverage NIST guidelines to manage and reduce risks that could impact their environment and their customers. Unlike some other frameworks, NIST is voluntary; however, customers may require that some of the controls be in place before they will partner with you.
- How does it affect you if you’re on an IS team? If you’re on the IS team of an organization that leverages NIST, you’ll play a large role in identifying, defining, and enforcing the controls governed by the standard. For example, when determining how your organization will handle vulnerability scanning, you could follow the guidance outlined in NIST 800-53 Risk Assessment RA-5, which describes best practices for scan frequency, the type of scanning that should be done, how to handle the results of those scans, and more.
- What kinds of organizations leverage this framework? This is generally leveraged by large business enterprises and government agencies, but it can be a helpful framework for any organization interested in evaluating and reducing cyber risk.
SSAE-16
- Why does it exist? Statement on Standards for Attestation Engagements No. 16 (SSAE-16) monitors and enforces controls around the applications and application infrastructure that impact financial reporting. It covers business process controls and IT general controls. Service organization controls (SOC) 1 reports, formerly known as SAS 70 reports, leverage the SSAE-16 framework.
- How does it affect you if you’re on an IS team? The SSAE-16 framework outlines many general best practices, but it is also a mandatory part of the SOX compliance process. In organizations subject to SOX (as noted above, this includes public companies or companies about to go public), specific stakeholders will need to review SOC 1 reports for any applications that are deemed in scope for SOX compliance (generally these are applications that process financial data). After reviewing the reports, these stakeholders will need to decide if the organization can accept any associated risks that were reported.
- What kinds of organizations leverage this framework? The types of companies that would typically get a SOC 1 report are companies that provide applications used to process financial information and that will ultimately affect financial statements.
AT-101
- Why does it exist? SOC 2 reports are based on the AT-101 auditing standard. SOC 2 reports test the design or operating effectiveness of security, availability, processing integrity, confidentiality, and/or privacy controls. All SOC 2 reports are required to cover security controls. Availability, processing integrity, confidentiality, and/or privacy controls are optional principles that a company may opt to include if those controls are integral to providing a service. AT-101 SOC 2 reports are based on the Trust Services Principles, which map to the security controls listed above.
- How does it affect you if you’re on an IS team? Reviewing SOC 2 reports from other organizations can reveal how partnering with them could introduce risk into your environment.
- What kinds of organizations leverage this framework? Software as a Service (SaaS) providers, cloud computing companies, and other technology-related services will often get SOC 2 reports for their solutions.
FedRAMP
- Why does it exist? FedRAMP is a standardized way for government agencies to evaluate the risks of cloud-based solutions. It follows a “do it once, use it many times” approach, allowing existing security assessments and packages to be reused across multiple agencies. Since continuous monitoring of cloud products and services is at the core of the framework, it can improve an organization’s real-time security visibility.
- How does it affect you if you’re on an IS team? If you work at a government agency, you will use FedRAMP packages to decide whether it makes sense to leverage specific cloud-based solutions.
- What kinds of organizations leverage this framework? Cloud solution providers interested in selling to federal government agencies will go through the FedRAMP certification process.
ISO
- Why does it exist? ISO is a set of international standards. There are different sub-frameworks within ISO, and the sub-framework that is most relevant to your organization/industry depends on your goals. For example, a manufacturing organization would be likely to leverage the sub-framework ISO 9000, because the controls in that framework focus on quality management. An organization looking to improve processes around information security management systems would derive more helpful guidance from the controls outlined in ISO 27000. For more on the ISO standards and which ones are most relevant to your organization, visit ISO.org.
- How does it affect you if you’re on an IS team? Your team may use this framework to improve and report on quality management and security.
- What kinds of organizations leverage this framework? Any organization, whether public or private, could use this framework to improve and report on quality management and security.
Privacy Shield (replacing US-EU Safe Harbor)
- Why does it exist? US-EU Safe Harbor was created to ensure US companies complied with European Union data protection standards when transferring European data to the States. In 2015, the European Court of Justice declared it invalid, in connection with the Edward Snowden and NSA leaks. The Privacy Shield Framework was put in place to replace it. It exists to safeguard or mitigate the risk of data being tampered with while it’s transferred between these two geographic regions. It enables US companies to more easily receive personal data from the EU under EU privacy laws meant to protect European citizens; this allows for a more free exchange of data, which is good for commerce.
- What kinds of organizations leverage this framework? Organizations collecting, storing, or processing personal data between the EU and US. US companies can self-certify that they will comply with EU data protection standards in order to allow for transfer of European data to the US.
- How does it affect you if you’re on an IS team? Your team may be involved in the process of joining the Privacy Shield Framework, and in enforcing related controls.
HIPAA/HITECH
- Why does it exist? HIPAA/HITECH strengthens security to protect personal health information (PHI).
- What kinds of organizations leverage this framework? Anyone who is collecting, storing, or processing personal health information (PHI), including hospitals, medical providers, and insurance companies.
- How does it affect you if you’re on an IS team? If you’re collecting this information, you need to have the appropriate controls in place to keep it secure.
These are only some of the compliance and regulatory frameworks your organization may need to adhere to. Achieving compliance will be an ongoing process, but regular monitoring and reporting can help make adhering to these frameworks (and maintaining a secure environment) a standard part of business operations.