46 States Have Mandated Notification Compliance Requirements
State security breach notification law compliance is a major issue with many disparate requirements.
The landscape for CIOs and protection of personal information continues to become more complex as more states add breach notification laws. Currently forty-six states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information.
Each of these requirements needs to be reviewed, because the laws typically apply not only to enterprises that have "operations" in those states but also to any enterprise whose breach affects the state's "residents" or "enterprises".
Janco's Compliance Management White Paper presents a full list of the states and direct links to the specific laws that apply. In addition, Janco has updated its Security Manual Template and Audit Programs to conform to these requirements.
Compliance Management is a CIO Concern
What roles and responsibilities do people have in meeting compliance requirements? What is the impact of BYOD? What are the questions that have not been asked and answered?
Numerous laws and regulatory mandates focus on corporate governance and accountability around sensitive information (specifically financial, non-public information and protected health care information). This has significantly impacted the underlying IT systems that support the applications and repositories holding this sensitive information. Organizations are continuously looking for help in preventing fraud and protecting sensitive information.
The fact that key corporate executives carry personal liability in the event of non-compliance virtually ensures that compliance is a key initiative in any large organization. Additionally, there are other internal cost-containment requirements that can be effectively met by defining and implementing a sound auditing and compliance methodology. Most corporations agree that compliance leads to better corporate governance and management.
Federal and state government regulations (see state compliance requirements) can be a big problem for today's organizations. There are more than 100 such regulations in the U.S. alone, and that number continues to grow. These are in addition to industry-specific mandates. They are all designed to safeguard the confidentiality, integrity, and availability of electronic data from information security breaches. So, what are the consequences if your organization fails to comply? Heavy fines and legal action. In short, it's serious.
The first step in the process is the creation of an IT infrastructure that supports best-practice processes. These are all addressed in Janco's IT Governance Infrastructure, Strategy, and Charter Template. A further expansion of that infrastructure is supported by the COBIT Compliance Toolkit.
IT Governance Compliance - COBIT Compliance Kit
The kit includes:
- Compliance Management White Paper
- Record Management and Destruction Policy Template
- IT Governance Infrastructure, Strategy, and Charter Template
- Disaster Recovery Business Continuity Template
- Practical Guide for IT Outsourcing
- Service Level Agreement Policy Template with Sample Metrics
- Metrics for the Internet, Information Technology, and Service Management
- IT Service Management (ITSM) Service Oriented Architecture (SOA)
- Internet and Information Technology Position Descriptions HandiGuide
- HIPAA Audit Program
- Security Policies and Procedures Template
- Security Audit Program
- Business and IT Impact Questionnaire
- IT Salary Survey
See also CIO IT Infrastructure Policy Bundle
Save over 35% off of the individual product cost by purchasing the COBIT Compliance Toolkit.
Audit Program for Disaster Recovery Business Continuity Updated for ISO 22301
ISO 22301 is a more robust standard than the earlier ones set by ISO
ISO 22301 is the latest ISO Business Continuity standard. It is called "Societal security - Business continuity management systems - Requirements". In addition to ISO's "Plan-Do-Check-Act" cycle, it addresses:
- Objectives and monitoring performance - While continuity objectives were required in BS 25999, the requirement for them to be measurable was not specifically defined. ISO 22301 changes this by placing emphasis on measurable objectives as well as emphasis on monitoring performance.
- Terms and Definitions - The terms and definitions section (Clause 3) has been expanded significantly. It now includes terms that have long been common in business continuity, such as RPO (Recovery Point Objective).
- Legal and Regulatory Requirements - Similar to ISO 27001 Annex A.15, ISO 22301 places a requirement on the organization to establish, implement, and maintain a procedure to identify, have access to and assess the applicable legal and regulatory requirements for its organization as they relate to continuity of its operations, products, services, and the interests of interested parties.
- Communication - There is an expanded communication section within the new standard which specifically requires communication plans for internal and external interested parties.
- Business Continuity Strategy - BS 25999 did an excellent job of laying out a framework for Business Impact Analysis and Risk Assessment. ISO 22301 goes into much more detail on business continuity strategy.
- Alignment to other Management System Standards - BS 25999 was not a fully integrated management system standard, although many companies implemented BS 25999 as if it were one. ISO 22301 follows the new requirements and alignment for all management system standards and is the first new standard to adopt these practices.