There are three primary goals for an information security metrics program: compliance with legal requirements; reducing risk by adding new capabilities or improving existing ones; and improving efficiency or reducing cost. Achieving any of these goals depends on gathering the appropriate data and formulating useful metrics. The need for useful security metrics cannot be overstated, yet there is often confusion about what a metric is and difficulty in determining which metrics are actually useful. As a business, USAA has a duty to protect and improve shareholder investments, and it must of course comply with all applicable laws and regulations. A variety of federal and state laws and regulations dictate security requirements for financial institutions.
These federal and state laws affect financial organizations in different ways, but they generally revolve around three functions: confidentiality; integrity; and demonstrating compliance through audits. FACTA includes requirements for protecting consumer data, including social security numbers and credit card information, and contains provisions for the integrity of consumer reports and the handling of disputes. SOX requires publicly traded organizations to assess their internal controls over financial reporting annually and to report the results, and those controls must also be attested to by an external third-party auditor. SOX is designed to protect investors from fraudulent financial reporting by the organization. GLB requires financial institutions to protect the privacy and integrity of their customers' information and to implement safeguards programs that prevent unauthorized disclosure of customer information. Regulation E sets rules and restrictions for electronic fund transfers and creates requirements for information disclosures and records retention. The FRCP outlines requirements for the collection, retention, and production of data that could be required for discovery in a civil lawsuit.
A common thread running through all of these federal laws is the need for information confidentiality and integrity, and the ability to effectively audit the systems for compliance with these
Regulations ensure fair disclosure of information to all the entities involved in a financial transaction (Pilbeam, 1998). Without regulations, one entity may hold more information than the others and take illicit advantage of it. To ensure fair dealing and to prevent the other entities from being exposed to risk, regulations are imposed that require all necessary information to be disclosed before the transaction takes place.
Another step involves assessing the security controls once they have been implemented and determining the agency-level risk to the business scenario or the mission. It then entails authorizing the information system for processing and, finally, continuously monitoring the security controls. FISMA and NIST's standards are aimed at offering agencies ways to achieve their identified missions with security commensurate with the risk (United States Department of Agriculture, 2015). Together with guidance from the Office of Management and Budget (OMB), FISMA and NIST create a framework for developing and maturing an information security program (SecureIT, 2008). The framework includes control descriptions and assessment, program development, and system certification and accreditation. The final objective is to carry out the daily functioning of the agency and achieve the agency's articulated objectives with security adequate to, and commensurate with, the risk.
The accounting provisions require companies to "keep books and records, and accounts, which, in reasonable detail, accurately and fairly reflect the transactions and dispositions of assets". The purpose of this accounting provision is to make it difficult for organizations to "cook the books" or use slush funds to hide corrupt payments. Typical means of transferring corrupt payments include overpayments, missing records ("no receipt"), unrecorded transactions, misclassification of costs, and retranscription of records. The accounting provisions also require companies to design and maintain adequate systems of internal accounting controls. These provide reasonable assurance that transactions are executed in accordance with management's authorization, that transactions are recorded as necessary, and that access to assets is permitted only in accordance with management's authorization. Any internal document that misrepresents the actual nature of a financial transaction could be used as the basis for a charge that the "books and records" section of the FCPA has been violated.
Assess the adequacy and effectiveness of the organization's IS security policy. In addition, assess whether the control requirements specified in the organization's IS security standards adequately protect the organization's information assets. At a minimum, the standards should specify the following controls and require them to apply to all information systems:
UnitedLex recognizes that to be a successful company it must be able to guarantee a secure environment for its employees and its customers. This protection applies to all technical systems and to the information stored, processed, or transmitted within those assets. This document covers a number of Information Systems Security Policies (ISSPs) that provide guidance on what constitutes authorized and prohibited use of several systems. Each ISSP explains its purpose, its intended audience, and who is responsible for managing the systems it covers.
Questionnaires and information-gathering documents are very important because they provide accurate information about the security of the system and where improvements can be made to prevent further intrusions and remediate specific vulnerabilities within a system. The inputs for this step include reports from prior
The following is a brief overview of compliance with each law that applies to and is in use by our organization.
As the Internet becomes ubiquitous through wireless technologies, including 3G and pervasive Wi-Fi hotspots, security technologies must continually improve. One of the most effective approaches to doing this is to define a series of metrics for measuring the security levels attained (Idika & Bhargava, 2012). The following is a list of security metrics and their definitions:
Every organization faces risks, and it is critical to identify what those risks are so that they can be mitigated and further damage avoided in the event of a disaster. Many such events can be prevented by designing and implementing a robust security monitoring system and by following industry-proven practices and activities. Information security refers to the protection of information in terms of confidentiality, integrity, availability, and non-repudiation (Byrnes & Proctor, 2002). This document provides a clear definition of the security monitoring activities that should be designed and conducted in an organization that has both internal and
It is also known as the Financial Services Modernization Act of 1999. This act allowed banks to engage in a wide array of financial services, such as merging with stock brokerage and insurance companies, which in turn gave them access to large amounts of public and private client information. Because this information is generally considered private and the risk of misuse is high, Title V of the GLBA specifically addresses protecting both the privacy and the security of that information.
Concerns about information confidentiality and privacy, growing threats, and the increased use of information systems have prompted organizations to protect their systems so as to ensure electronic, physical, and network information security.
According to Ousley, in some business sectors the protection of information is not just desirable, it is mandatory. For example, healthcare organizations are heavily regulated and must comply with the
ISO/IEC 17799, with subsequent certification against the British information security standard BS 7799, is the most comprehensive approach of all the best-practice frameworks (Saint-Germain, 2005). The framework contains 10 security domains, 36 control objectives, and 127 controls that identify specific means of meeting the control objectives. The domains are security policy, organizational security, asset classification and control, personnel security, physical and environmental security, communications and operations management, access control, systems development and maintenance, business continuity management, and compliance. The control objectives are general statements of the security goals within each domain.
The public sector always plays a major role in the development and growth of the economy, especially in developing nations,
Information security deals with the confidentiality, integrity, and availability of organizational data in order to support business decisions. Information security breaches inflict significant monetary and reputational damage on organizations, so ensuring the security of business information is a matter of great importance at board level. Organizations must therefore view information security from a governance perspective.