
Information Protection and Regulation

The issues and best practices pertaining to information security, management, regulation, compliance and documentary evidence.

Page 1 of 3

“It is not merely good enough to do good you must be seen to be doing good.”

As the above adage highlights, the secure management and handling of information is only part of the issue. Being able to prove that you are indeed in full compliance with all relevant regulations and standards is the real crux of the matter.

With the multitude, and frequent overlap, of current laws, regulations and standards, it can be bewildering just knowing where to start. If you have cross-border and multi-jurisdictional transactions, the issues become cloudier still.

Here are some of the issues and best practices pertaining to information security, management and compliance from a documentary evidence perspective.

Logging Requirements

Fortunately, IT offers a number of options to ease the burden of regulatory compliance and the associated creation and management of substantiating evidence. One of the easiest strategies to implement is the development of customised logging procedures, practices and policies.

The beauty of IT logging processes is that, for the most part, their mechanics are automatable. Reviewing logs will still require some degree of manual involvement. However, log creation and review performed in conjunction with data management techniques give us many filters that allow a finer-grained inspection and control than manual observation and review alone could achieve.

The secret to the effective and efficient use of these procedures lies in two things: a plan and procedures that take the specifics of your requirements into account, and consistent adherence to the documented review, analysis, anomaly response, retention and final destruction procedures thereby developed.

Here are a few of the laws, regulations and standards that you may need to take into consideration:

  • The US Health Insurance Portability and Accountability Act (HIPAA) and the US Federal Information Security Management Act (FISMA) are of particular importance here. Other US laws of note in the area of information security include the Sarbanes-Oxley Act (SOX) and the Gramm-Leach-Bliley Act (GLBA). Various states also have individual breach notification laws that apply differently in their respective jurisdictions.
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • The EU's Data Protection Directive, along with the European Community Directive Data Privacy Principles (ECDDPP), needs evaluating in any assessment undertaken by individuals and/or organisations currently conducting, or hoping to conduct, business with organisations and/or individuals resident or domiciled in the EU or a jurisdiction thereof
  • The Australian Federal Privacy Act 1988 and its December 2001 amendments, with the provisions pertaining to personally identifiable health-related information being of particular note
  • The Australian Federal Telecommunications Act 1997, the Australian Federal Corporations Act 2001 and the Australian Federal Spam Act 2003 also merit consideration when developing logging policies pertaining to activities conducted within or with Australian institutions, organisations or individuals
  • Local breach notification laws exist in many regional and municipal areas and will therefore need consulting where applicable
  • The Payment Card Industry Data Security Standard (PCI DSS) is a global standard, mandated by the card brands, that applies to merchants, processors and financial institutions that store, process or transmit payment card data; it contains explicit audit-logging requirements, so it bears directly on the logging policies discussed above

The Global Perspective

With the multiplicity of these laws, a number of organisations with a more "global" perspective have formed to help establish greater consistency in standards worldwide. They include:

Organisation for Economic Co-operation and Development (OECD) - The OECD is an international organisation that sets policy in areas where multilateral consensus helps individual countries make progress in a global economy. Its 1980 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data set out eight basic principles:

  1. Collection Limitation - Data must be collected lawfully and fairly and, where appropriate, with the subject's knowledge or consent
  2. Data Quality - All data collected and retained must be accurate, complete, current, and relevant for its intended use
  3. Purpose Specification - The purpose for which data is collected should be specified no later than at the time of collection, and later use confined to that purpose or to compatible ones
  4. Use Limitation - Collected data is not to be used or disclosed for any purpose other than that originally stated, except with the subject's consent or by authority of law
  5. Security Safeguards - Data collected and held must be protected against unauthorised access, modification, or disclosure
  6. Openness - Data policies should exist and be open, and a data controller should be clearly identified
  7. Individual Participation - The subject of the data can review, challenge, and enforce correction of their data
  8. Accountability - The data controller is responsible for ensuring the above principles are met

Other Agencies and Bodies

Other leading privacy bodies and laws around the world that address the following basic principles, provisions and functions, either in law or in statute (opt-out policies, opt-in policies, additional personal privacy legislation, wiretaps, and pen register and trap-and-trace provisions), include:

  • Better Business Bureau Online (BBBOnLine) (USA), a self-regulatory privacy seal programme
  • TRUSTe (USA), a self-regulatory privacy seal programme
  • Communications Assistance for Law Enforcement Act (CALEA) (USA), the statute governing lawful intercept capabilities
© 2007 Copyright Stanza Ltd. All Rights Reserved.