legal and regulatory requirements


TRANSCRIPT

Security Governance (IS 536), Second semester (Oct 5)

Name: Alanoud Saad Alqoufi, ID: 435920068

Outline

• CH3 - Legal and Regulatory Requirements

• PCI and BASEL

• Regulations

• Regulation Elements

• Regulatory Compliance Level

• CH4 - Roles and Responsibilities

• Why Roles and Responsibilities

• Management Levels

• The Board of Directors

• Executive Management

• Security Steering Committee

• The CISO

CH3

Legal and Regulatory Requirements

Payment Card Data Issues

PCI

• Stands for Payment Card Industry

• Established the PCI DSS (Data Security Standard)

• Maintained by the PCI SSC (Security Standards Council)

• Purpose: to ensure the security of cardholder data

PCI DSS

BASEL II

• Refers to the Banking Supervision Accords

• Issued by the BCBS (Basel Committee on Banking Supervision)

• Purpose: to ensure banks hold enough capital to cover their risk

Regulations

• NFPA

• OSHA

• HIPAA

• COSO

• CoCo

• Patriot Act

• FCPA

• FISMA

• BASEL II

• SOX

• Cadbury

• King

• FFIEC

• …

Regulation Elements

• Transparency

• Oversight

• Disclosure

• Record Retention

• Training

• Operational Risk

• Attestation

• Privacy

Regulatory Compliance Level

• Less than 50% of US organizations are in compliance

CH4

Roles and Responsibilities

Why Roles and Responsibilities?

• Adequate protection against the possibility of fraud

• Creating a clear culture of accountability

• Identifying risks

Management Levels

Board of directors

Senior executives

Chief information security officer

Steering Committee

The Board of Directors

• Setting strategic direction

• Identifying security leaders

• Assigning information security to a key committee

• Ensuring risks, resources and performance are managed appropriately

Why are Directors important?

• "The rising tide of cybercrime and threats to critical information assets mandate that boards of directors and senior executives are fully engaged at the governance level to ensure the security and integrity of those resources."

By Shirley M. Hufstedler, a former director of Hewlett-Packard

• "Tone at the top" is identified as a major contributor to organizational failures

Executive Management

• Support for security managers

• Enforce and monitor regulatory compliance

• Oversight of all management process plans

Security Steering Committee

• Identify and prioritize risks

• Assure security initiatives meet business objectives

• Review security strategy efforts

CISO

• Develop security strategy and plan

• Perform security risk assessments

• Implement security policies and procedures

Information Security Responsibilities

Reporting

• IT is about performance, IS is about safety

• 35% of CISOs report to the CIO?!

• Greater IT performance with less cost and security

IT vs IS; CIO vs CISO

Thank you for your attention
