As Chief Information Officer (CIO) in a government agency, I am faced with a multitude of tasks dealing with the needs of our IT department. Part of the job of the CIO is to address security policies along with the primary regulatory requirements while meeting the overall objective of the organization, which is to ensure that our security policy meets those requirements. Information security policies are essential for companies to demonstrate compliance with both regulations and legislation. No two organizations are the same; therefore, compliance standards should be used as a guide to writing an effective security policy.
B.L. Williams says “Security policies should be written based on the uniqueness of each operational environment.”

Introduction

In any organization, communication and teamwork are essential for success regardless of the endeavor. It is imperative to work with all facets of the organization, from senior management all the way down to the lowest-level employees, and make sure everyone is on the same page when it comes to compliance with security-related regulations. When addressing senior management, there are particular regulatory requirements that should be examined.
Per J. Andreas, “Legal requirements surrounding Sarbanes Oxley (SOX), Gramm-Leach-Bliley Act, Payment Card Industry (PCI), and Health Insurance Accountability and Portability Act (HIPAA) require companies to have specific protection in place, which start from simple policy statements surrounding the requirement.” (p. 64) FISMA, NIST, the Department of Health and Human Services and Intellectual Property Law will be addressed as well. The Federal Information Security Management Act (FISMA) was enacted by Congress in 2002.
Also known as Title III, this act is used to help strengthen and streamline information security programs and provides annual reporting requirements for the U.S. Government. The ultimate goal or purpose of FISMA is to reduce the security risk for Federal agencies. In order to be FISMA compliant, there are certain guidelines that need to be followed. As far as the Information Security Program is concerned, agencies need to develop and maintain an agency-wide information security policy document. This document should establish roles and responsibilities along with an operational process. As CIO, the requirement is to make the agency head aware of the effectiveness of the program via the annual FISMA report.
In addition, all agency personnel should have sufficient training in the information security program. Risk assessment, policy and procedures, and categorization each have their own compliance requirements as well. It is important to note that FISMA works hand in hand with the National Institute of Standards and Technology (NIST).
NIST sets guidelines and standards for security controls across all Federal agencies. The CIO needs to work closely with senior management, emphasizing compliance. A poor FISMA audit score could result in an embarrassment or, worse yet, a security breach. Having management support can be the single most valuable indicator of whether the security program succeeds or not.
In order to gain support, it is recommended to set priorities for support, with the goal of having all the different department managers be part of the security model. Once support is gained, the resources needed can be obtained. The Offices of Inspector General (OIG) conduct the annual compliance audits required by FISMA. The purpose of the audit is not only to see if the agency is compliant in its security practices but, if not, where the agency can improve. Oversight of proper levels of control, system inventory, information systems and areas of emphasis is also part of the annual audit.
Once the audit is complete and deficiencies are brought to your attention, the best practice is to take whatever corrective actions are needed immediately. Last but not least, many agencies that are brought up to compliant standards tend to lose focus and fail to continue to develop and monitor. The life-cycle of your information security policy should be constantly developed and monitored for continual success.

In order to avoid accounting scandals and maintain accounting compliance, the Sarbanes-Oxley Act was enacted in 2002. Although the CEO and CFO have the pressure of making sure that the governance and reporting practices are accurate, the CIO does play a role. The CIO's responsibility is to help determine the agency's greatest areas of financial risk.
It's easy for the CIO not to be included in SOX compliance because the CFO's normal approach is to keep Sarbox efforts between accountants and consultants, so a proactive approach may be the best way for the CIO to interject, thus making sure the compliance teams who make financial decisions don't exclude the Information Security department and its priorities. A good relationship with senior management is the best way for the CIO to be included in these processes. Suggesting recurring meetings with senior management will not only keep the CIO and the IT department in the forefront but may also help with the IT budget. IT funding has been on the decline in most agencies since 2000, so a constant reminder of the allocation of funds within the budget for IT is imperative to keep a strong department.

The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, was enacted by Congress in 1999-2001. Its intention is to require financial institutions such as investment advisors, banks, loan providers, or insurance companies to safeguard consumers' sensitive data and explain their information-sharing practices. The CIO's role and responsibility is to ensure the privacy of data stored within their IT systems and to ensure that the individuals who access or utilize this data understand their responsibility.
Key compliance requirements include identifying the risks associated with customer information and computer information systems. All credit card transactions, customer financial information or any other financial data need to have compliant safeguarding practices in place. Continual compliance means taking the necessary steps to fix any identified vulnerabilities.
The Payment Card Industry Data Security Standard (PCI DSS) was created jointly in 2004, implementing a set of policies and procedures to enhance the security of cardholders against misuse of their personal information. Being compliant with PCI DSS standards helps to ensure that cardholder data is secured and helps to alleviate vulnerabilities. The CIO has the responsibility of securing the network in which these financial transactions take place and the data is recorded. Incorporating robust firewalls and network segmentation that still allow users access to their information will help secure the network. Employing digital encryption is important for all forms of e-commerce transactions on the Internet. To protect the data against malicious hackers, all applications should be kept virus free by incorporating the latest tools such as anti-virus, anti-malware and anti-spyware programs.
Constant monitoring of these networks is imperative, along with a sound and well-defined security policy. All of the above can be measured and maintained by conducting regular audits, with the threat of a fine for non-compliance. This will ensure the best practice of constantly improving the process to maintain PCI DSS compliance.

HIPAA (the Health Insurance Portability and Accountability Act of 1996) was enacted by United States legislation to safeguard medical information while providing insurance portability and fraud enforcement. The organization responsible for establishing these standards is the Department of Health and Human Services. In order to be HIPAA compliant, access control policies are needed in government organizations to make sure only the right people can access electronic PHI.
Both integrity and audit controls need to be put in place as well. Ultimately, responsibility for compliance rests with the CEO and board, but the CIO is best placed to deal with the HIPAA Security Rule because its compliance focuses on the protection of electronic personal health information (ePHI). The CIO should know the HIPAA laws, have the ability to keep data safe, and make it easy for non-technical people to use.
The CIO reports directly to the CEO and is a more internally oriented position focused on the technology needed for running the company (and, in IT fields, for maintaining foundational software platforms for any new applications).

Conclusion

A successful CIO requires a core set of skills which allows them to succeed in a diverse and constantly shifting CIO role while providing technical strategy and maintaining a computing and communications infrastructure. The importance of the CIO's IT governance structure is that it should do all the things that governance should do and ensure proper controls while providing communications up and down the management chain. Per Stenzel, the CIO should “Create effective controls, and balances that allow you to add value and to enable your business to meet its goals” (p. 319).