As a Chief Information
Officer in a government agency I am faced with a multitude of tasks dealing
with the needs of our IT department. 
Part of the job of the CIO is to address the security policies along
with primary regulatory requirements while meeting the overall objective of the
organization, which is to ensure that our security policy meets
the requirements.  Information
security policies are essential for companies to demonstrate compliance with
both regulations and legislation.  No two
organizations are the same and therefore, compliance standards should be used
as a guide to writing an effective security policy.  B.L. Williams says “Security policies should
be written based on the uniqueness of each operational environment.”
Introduction 

In any organization
communication and teamwork is essential for success regardless of the endeavor.
It is imperative to work with all facets of the organization from senior
management all the way down to the lowest level employees and make sure
everyone is on the same page when it comes to compliance of the
security-related regulations. When addressing senior management, there are
particular regulatory requirements that should be examined.  Per J. Andreas “Legal requirements
surrounding Sarbanes Oxley (SOX), Gramm-Leach-Blily Act, Payment Card Industry
(PCI), and Health Insurance Accountability and Portability Act (HIPAA) require
companies to have specific protection in place, which start from simple policy
statements surrounding the requirement.”   Pg 64 
FISMA, NIST, Department of Health and Human Services and Intellectual
Property Law will be addressed as well.

            Federal
Information Security Management ACT (FISMA) was enacted by Congress in
2002.  Also known as Title III, this act
is used to help strengthen and streamline information security programs and
provide annual reporting requirements for the U.S. Government.  The ultimate goal or purpose of FISMA is to
reduce he security risk for the Federal agencies.   In order to be FISMA compliant, there are certain
guidelines that need to be followed.  As
far as the Information Security Program agencies need to develop and maintain
an agency wide information security policy document.  This document should establish the roles and
responsibilities along with an operational process.  As CIO the requirements are to make the
agency head aware of the effectiveness of the program via the annual FISMA
report.  In addition, all agency
personnel should have sufficient training with the information security
program.  Risk assessment, Policy and
Procedures, and Categorization each have their own requirements of compliance
as well.  It is important to note that
FISMA works hand in hand with the National Institute of Standards and Technology
(NIST).  NIST sets guidelines and standards
for security controls across all Federal agencies.  The CIO needs to work closely with senior
management emphasizing compliance.  A
poor FISMA audit score could result in an embarrassment or worse yet a security
breach.  Having management support can
result in the single most value indicator in which the security program
succeeds or not.  In order to gain
support it is recommended to set priorities for support, with the goal of
having all different department managers’ part of the model of security.  Once support is gained then the resources
needed can be obtained.  OIG or Offices
of Inspector General conduct compliancy annual audits which is required by
FISMA.  The purpose of the audit is not
only to see if the agency is compliant in security practices but if not where
the agency can improve.  Oversight on
proper levels of control, system Inventory, Information Systems and areas of
emphasis are also part of the annual audit. 
Once the audit is complete and deficiencies are brought to your
attention, the best practice is to take whatever correction actions are needed
immediately.  Last but not least is that
many agencies that are brought up to compliant standards tend to lose focus and
fail to continue to develop and monitor. 
The life-cycle of you information security policy should be constantly
developed and monitored for continual success.

            In
order to avoid accounting scandals and maintain accounting compliancy the Sarbanes-Oxley Act was
enacted in 2002.  Although the CEO and
CFO has the pressure of making sure that the governance and reporting practices
are accurate the CIO does play a role. 
The CIO responsibility is to help determine the agencies greatest areas
of financial risk.  It’s easy for the CIO
not to be included in SOX compliancy due to the CFA ‘s normal approach is to
keep Sarbox efforts between accountants and consultants so a proactive approach
may be the best way to interject themselves thus making sure the compliance teams
who make financial decisions don’t exclude the Information Security department
and their priorities.  A good
relationship with senior management is the best way for the CIO to be included
in these processes.  Suggesting
reoccurring meetings with senior management will not only keep the CIO and it’s
IT department in the forefront but may help with the IT budget.  IT funding has been on the decline in most
agencies since 2000, so a constant reminder of the allocation of funds within
the budget for IT is imperative to keep a strong department.

We will write a custom essay sample on
As in 2002. Also known as Title III,
Specifically for you for only $16.38 $13.9/page


order now

            The Gramm-Leach-Bliley Act which is
also known as the Financial Services Modernization Act of 1999 was enacted by
Congress in 1999-2001.  Its intention is
to require financial institutions such as investment advisors, banks loans, or
insurance companies to safeguard consumers sensitive data and explain
information-sharing practices.  The CIO’s
role of responsibility is to ensure the privacy of data stored within their IT
system and to ensure that the individuals that access or utilize this data
understand their responsibility.  Key
compliance requirements includes identifying the risks associated with the
customer information and computer information systems. All credit card
transactions, customer financial information or any other financial data need
to be have compliant safeguarded practices. 
Continual compliance ensures taking the necessary steps to fix any
identified vulnerabilities.

            PCI DSS Payment Card Industry / Data
Security Standard was created jointly in 2004, which implemented a set of
policies and procedures to enhance the security of cardholders against misuse
of their personal information.  Being
compliant with PCI DSS standards helps to ensure that the data of the
cardholders are secured and helps to alleviate vulnerabilities.  The CIO has the responsibility of securing
the network in which these financial transactions take place and the data is
recorded.  Incorporating robust firewalls
and network segmentation that still allow the users access to their information
will help secure the network.  Employing
digital encryption is important for all forms of e-commerce transactions on the
Internet.   To protect the data against
malicious hackers, all applications should be virus free by incorporating the
latest tools like anti-virus software, anti-malware and anti-spyware
programs.  Constant monitoring of these
networks is imperative along with a sound and well defined security policy.   All the above can be measured and maintained
by conducting regular audits with the threat of a fine for non-compliance.  This will ensure the best practice of
constantly improving the process to maintain industry PCI DSS compliance.

            HIPAA (Health Insurance Portability and Accountability
Act of 1996) was enacted by United States legislation to safeguard medical
information while providing insurance portability and fraud enforcement.  The organization responsible for establishing
these standards is The Department of Health and Human Services. In order to be HIPAA
compliant, control policies are needed in government organizations and to make
sure only the right people can access electronic PHI. Both integrity and audit
controls are need to put in place as well.  Ultimately the responsibility of the compliance rests with the CEO and
board, but the CIO is best to deal with HIPAA Security Rule due to factor that
compliance focuses on the protection of electronic personal health information
(ePHI).  The CIO should know the HIPAA
laws, the ability to get data safe and make it easy for non-technical people to
use.

The CIO reports directly to
the CEO and is a more internally oriented position focused on technology needed
for running the company (and in IT fields, for maintaining foundational
software platforms for any new applications).

 

Conclusion

 

A successful CIO requires a core set of skills which
allows them to succeed in a diverse and constantly shifting CIO role while
providing technical strategy and maintaining a computing and communications
infrastructure.  The CIOs importance of
IT governance structure should do all the things that governance should do and
ensure proper controls while providing communications up and down the
management chain.  Per Stenzel the CIO
should “Create effective controls, and balances that allow you to add value and
to enable your business to meet its goals” PG 319

 

x

Hi!
I'm Dora!

Would you like to get a custom essay? How about receiving a customized one?

Click here