Compliance and Frameworks – CompTIA Security+ SY0-501 – 3.1

Many organizations require compliance with a standard set of rules and regulations. In this video, you’ll learn about compliance requirements, non-regulatory best practices, and IT frameworks.



If you’re working in IT security, you’re going to be working a lot with compliance. Compliance is a set of rules, standards, laws, policies, and regulations that you are required to follow, and this might be a very large number of rules. They may be based on the industry that your organization competes in, or they may be based around the data or the type of business that your organization is doing. The penalties for noncompliance could be severe. You might lose money because of fines, you could lose your job, or you could lose your freedom due to incarceration. The scope of these compliance rules could be a domestic set of rules and regulations, or these may be international rules that your organization must comply with.

You may be faced with one or more different regulations that you must comply with. One of these is the Sarbanes-Oxley Act, or SOX. This is the Public Company Accounting Reform and Investor Protection Act of 2002, and if you’re a public company, then you’re probably going to be dealing with a lot of Sarbanes-Oxley regulations. Almost everyone is either a health care provider or a health care consumer, and that means that the HIPAA regulations would apply to you. HIPAA is the Health Insurance Portability and Accountability Act. This is a set of rules and regulations for health care organizations that manages the standards for storage, use, and transmission of healthcare information. And a number of financial organizations have to manage the type of privacy information disclosures they provide through the Gramm-Leach-Bliley Act of 1999, or the GLBA.

One of the most minor penalties that HIPAA has is a fine of up to $50,000 US, up to a year in prison, or both. If this is something that was done under false pretenses, then the penalty goes up to a $100,000 fine and up to five years in prison. If you’re planning to sell, transfer, or use this health information for commercial advantage, personal gain, or malicious harm, the penalty goes up to a fine of a quarter of a million dollars, 10 years in prison, or both. And there may also be civil fines associated with this. The maximum is $100 for each violation, with the total not to exceed $25,000. As you can see, not complying with these regulations can have severe penalties.

It’s important as an IT security professional that you understand what’s required of you to make sure that you and everyone else in your organization are able to comply with these regulations. There may be some processes and procedures in your organization that are not a compliance concern. They’re not a rule or regulation. In fact, there may be nothing in law requiring you to perform a particular function, but you still might want to follow these particular best practices. There may be a regulation that is being worked on, and so you’re expecting to have these types of rules in the future, or perhaps the processes and procedures that you’ve created provide value to yourself or to the organization. They may not be written in law, but it may be the right thing to do for your organization.

A good example of this is something you might do commonly as an IT security professional, which is collect a list of malicious URLs. Most organizations are hit all the time by IP addresses that are trying to gain access to their systems. So being able to log that information and share it with others provides more value, not just to your organization, but to everyone else who’s sharing that data. Most organizations offer products and services that are not IT related. It might be health care, transportation, or something in retail. So how do you organize an IT organization within those companies to be able to provide the most value to the business? This is process management, and it’s a way to organize your Information Technology services to provide the most value to the rest of the organization.

There are many frameworks available to give you some best practices on how to design your structure for your Information Technology group. At a minimum, this means there will be a lot of training as you roll out this new framework for IT, and everybody can learn exactly what their role will be in the organization. One type of framework you may run into is COBIT. This is the Control Objectives for Information and Related Technologies. This was created by ISACA, which formerly went by the full name Information Systems Audit and Control Association. And from that name, you can tell that this is definitely going to be a framework for Information Technology.

The goal of COBIT is to focus on regulatory compliance, risk management, and aligning IT with the organization’s overall goals. Another framework is one that used to be called the Information Technology Infrastructure Library, but now is simply called ITIL. This breaks down the IT lifecycle, and assigns different categorizations such as service design, service transition, service operation, and others. By using these industry-specific frameworks, an organization can structure their IT departments to best serve the overall need of the organization.