What is a 合规 和 Regulatory Framework?
合规 和 regulatory frameworks are sets of guidelines 和 best practices. Organizations follow these guidelines to meet regulatory requirements, 改善流程, 加强安全, 和 achieve other business objectives (such as becoming a public company, or selling cloud solutions to government agencies).
这些框架为我们提供了一种从服务器室到会议室都可以使用的通用语言. 利用这些标准的有:
- 内部审核员和其他内部利益相关者评估其组织内部的控制措施.
- 外部审计员评估和证明组织内的控制措施.
- Third parties (potential customers, investors, etc.) to evaluate the potential risks of partnering with an organization.
Achieving compliance within a regulatory framework is an ongoing process. 你的环境总是在变化,控制的运行效率可能会崩溃. Regular monitoring 和 reporting is a must, 并且在每个框架中还概述了关于“定期监测”的具体内容的指导.
If you work with or are part of an information security (IS) team, here are some of the regulatory frameworks you might come across:
萨班斯-奥克斯利法案(SOX)
- 它为什么存在?? 的 萨班斯-奥克斯利法案 of 2002 was passed to counteract fraud after accounting sc和als at Enron, 世通, 泰科影响了投资者的信任. 的se controls are m和atory for public companies.
- If you’re on an IS team, how will this impact you? 处理财务数据的应用程序和系统有各种安全需求. 访问管理方面的需求, 一般资讯科技管制(itgc), 和 entity-level controls may need to be managed by the IS team.
- What types of organizations leverage this framework? Public companies, or companies eyeing a potential initial public offering (IPO).
PCI DSS
- 它为什么存在?? 的 Payment Card Industry Data Security St和ard (PCI DSS) exists to protect the security of cardholder data. 的se controls are m和atory for organizations that process credit card data. 的 st和ards are made up of multiple levels, 您的组织与信用卡数据交互的程度将决定您的组织需要达到何种级别的PCI遵从性. 例如, 银行, 商人, 考虑到业务性质,服务提供商将被要求达到更高的标准.
- If you’re on an IS team, how will this impact you? Aside from enforcing certain procedures 和 controls based on your PCI DSS level, you may have to complete self-assessment questionnaires, 季度网络扫描, 现场独立安全审计.
- What types of organizations leverage this framework? Merchants, payment card-issuing 银行, processors, developers, 和 other vendors.
NIST
- 它为什么存在?? Unlike SOX, NIST not a singular set of controls. NIST,或NIST National Institute of St和ards 和 Technology, is a federal agency within the Department of Commerce that spans manufacturing, 质量控制, 和安全, 等. 的 agency collaborated with security industry experts, 其他政府机构, 学者建立一套控制和平衡,以帮助关键基础设施的运营商管理网络安全风险. 今天, 许多组织利用NIST指南来管理和减少可能影响其环境和客户的风险. 不像其他框架, NIST是自愿的, 然而,客户在与您合作之前可能会要求某些控制措施到位.
- If you’re on an IS team, how will this impact you? If you’re on the IS team of an organization that leverages NIST, 你将在识别中扮演重要角色, 定义, 和 enforcing the controls that are governed by the st和ard. 例如, when determining how your organization will h和le vulnerability scanning, you may follow the guidance outlined in NIST 800-53 Risk Assessment RA 5, which spells out best practices for the frequency of scans, 应该进行的扫描类型, what to do with the results of these scans 和 more.
- What type of organizations leverage this framework? 这通常是大型商业企业和政府机构的杠杆作用, 但对于任何对评估和减少网络风险感兴趣的组织来说,它都是一个有用的框架.
ssae
- 它为什么存在?? 状态ment on St和ards for Attestation Engagements No. 16 (ssae)监视和实施对影响财务报告的应用程序和应用程序基础设施的控制. It covers business process controls 和 IT general controls. 服务组织控制 (SOC) 1报告,以前称为SAS 70报告,利用ssae框架.
- If you’re on an IS team, how will this impact you? 的 ssae framework outlines many general best practices, but it is also a m和atory part of the SOX compliance process. In organizations that fall under SOX (as noted above, this includes public companies or companies about to IPO), 特定的利益相关者将需要审查SOC 1报告,以查看任何被视为符合SOX的应用程序(通常这些是处理财务数据的应用程序)。. 在审阅了报告之后, 这些涉众将需要决定组织是否可以接受报告的任何相关风险.
- What type of organizations leverage this framework? Types of companies that usually get SOC 1 reports, 或者提供用于处理财务信息的应用程序并最终影响财务报表的公司.
AT-101
- 它为什么存在?? SOC 2报告是基于 AT-101 审计标准. SOC 2 reports test the design or operating effectiveness of security, 可用性, 处理完整性, 保密, 和/或隐私控制. All SOC 2 reports need to cover security controls. 可用性, 处理完整性, 保密, 隐私控制是可选的原则,如果这些控制是提供服务不可或缺的一部分,公司可能会选择包括这些原则. AT-101 SOC 2报告是基于 信任 Service Principles, which are tied to the security controls listed above.
- If you’re on an IS team, how will this impact you? 查看来自其他组织的SOC 2报告可以揭示与他们合作如何将风险引入您的环境.
- What type of organizations leverage this framework? 软件即服务(SaaS)提供商, 云计算公司, 和其他技术相关服务的解决方案通常会获得SOC 2报告.
FedRAMP
- 它为什么存在?? FedRAMP 政府机构是否有一种标准化的方法来评估基于云的解决方案的风险. 它遵循“只做一次”的原则, 多次使用”的方法, 允许在多个机构之间重用现有的安全评估和包. 因为持续监控云产品和服务是框架的核心, it can improve real-time security visibility for organizations.
- If you’re on an IS team, how will this impact you? 如果你在政府机构工作, 您将使用FedRAMP包来决定利用特定的基于云的解决方案是否有意义.
- What type of organizations leverage this framework? 有兴趣向联邦政府机构销售云解决方案的供应商将通过FedRAMP认证过程.
ISO (International Organization for St和ardization)
- 它为什么存在?? ISO exists to be an international suite of st和ards. 的re are different sub-frameworks within ISO, 与您的组织/行业最相关的子框架取决于您的目标. 例如, 制造组织可能会利用子框架ISO 9000, because the controls in this framework are focused on quality management. 希望改进信息安全管理体系流程的组织可以从ISO 27000概述的控制中获得更有用的指导. 有关ISO标准的更多信息以及哪些标准与您的组织最相关,请访问 ISO.org.
- If you’re on an IS team, how will this impact you? 您的团队可以使用这个框架来改进和报告质量管理和安全性.
- What types of organizations leverage this framework? 任何组织, 无论是公共还是私人, 是否可以使用这个框架来改进和报告质量管理和安全.
Privacy Shield (replaced US-EU Safe Harbor)
- 它为什么存在?? 美欧安全港的建立是为了确保美国公司在向美国传输欧洲数据时遵守欧盟数据保护标准. It was invalidated by a European court in 2015, in relation to controversy over Edward Snowden 和 the NSA leaks. 的 私隐保护架构 是用来取代它的吗. 它的存在是为了保护或减轻数据在这两个地理区域之间传输时被篡改的风险. It enables US companies to more easily receive personal data from the EU under EU privacy laws meant to protect European citizens; this allows for a more free exchange of data, 哪个对商业有利.
- What type of organizations leverage this framework? 在欧盟和美国之间收集、存储或处理个人数据的组织. 美国公司可以自我证明,它们将遵守欧盟的数据保护标准,以便允许将欧洲的数据传输到美国.
- If you’re on an IS team, how will this impact you? Your team may be involved in the process of joining the 私隐保护架构, 并实施相关控制.
HIPAA /高科技
- 它为什么存在?? HIPAA /高科技 enforces security to protect Personal Health Information (PHI).
- What type of organizations leverage this framework? 有谁在收集, storing or processing personal health information (PHI), 包括医院, 医疗服务提供者, 保险公司.
- If you’re on an IS team, how will this impact you? 如果你在收集这些信息, you’ll need to have controls in place to make sure it’s secure.
这些只是您的组织可能需要遵守的一些遵从性和法规框架. Achieving compliance will be an ongoing process, 但是,定期的监视和报告有助于使遵守这些框架(并维护安全的环境)成为业务操作的标准部分.
阅读更多有关法规 & 合规
遵从性:来自博客的最新消息