Hong%Kong%Information%and%System%Security%Professional%Association

Size: px

Start display at page:

Download "Hong%Kong%Information%and%System%Security%Professional%Association"

Derek Gibson
5 years ago
Views:

5 Framework&Of&Information&Technology&Integrated&Compliances& LAYER&1 International&De5inition&Of&Digital&Evidence LAYER&2 LAYER&3 Common&Criteria&And&Scope&Of&Information& Technology&Management Industry&Standard&And&Requirement&Of&Information& Technology&Management LAYER&4 Technical&Con5iguration&and&Security&Baseline LAYER&5 International&Treaty&And&Country&Law&Requirement LAYER&6 Audit&Standards&And&Activities&Requirement

7 Security and Public Responsibility Business Operation and Management Technical Operation and Management Law and Compliance

8 COS/ COBIT SOX 404 ISO COS/ COBIT ITIL Business Operation and Management ISO SAS 70 Technical Operation and Management ISO CMMIs PMP GB PMP CMMIs

9 NIST PCI- DSS ISO GLBA SOX 404 HIPAA Security and Public Responsibility ISO HIPAA Law and Compliance PCI- DSS HKMA CBRC GLBA HKMA CBRC COS/ COBIT

11 ANSI/TIA/EIA(568(B.1(2001, : ; ANSI/TlA/EIA(568(B.2(2001, ANSI/TIA/EIA(568,B.3(2000, ANSi/TIA(569(B, ANSI/TIA/EIA(606(A(2002, ANSI/TIA/EIA(J.STD(607(2001, ANSI/TIA(758(A, ANSI/NFPA75(2003, ANSITI.336, ANSI(T1,404, (DS3 ASHRAE, TelcordiaGR(63(CORE,NEBS(TM) : TelcordiaGR(139(CORE,

Front Front A B C A/C Rear Rear Filtered.Fresh.Air DryMBulbMTemperature:M20 om CM(68 om F)MtoM25 om CM(77 om F); RelativeMHumidity:M40%MtoM55%; MaximumMDewMPoint:M21 om CM(69.

14 Front Front A B C A/C Rear Rear Filtered.Fresh.Air DryMBulbMTemperature:M20 om CM(68 om F)MtoM25 om CM(77 om F); RelativeMHumidity:M40%MtoM55%; MaximumMDewMPoint:M21 om CM(69.8 om F); MaximumMRateMofMChange:M5 om CM(9 om F)MperMhour; Cool+Air Power(Cable Telecom(Cable (Trays Power(Cable Telecom(Cable (Trays Power(Cable Power(Cable Hot+Air Turbulence Turbulence Hot+Air Cabinet(Exhaust(Air((A/C) Cabinet(Inlet(Air((A/C(Cabinet(A(is(the(bottom(fed) A/C A B A/C

15 ISO$38500 ISO$27001$ () ISO$20000$ () ISO$14000$ (,$ ) ISO$15408$ ()

16 ISO/IEC%38500%Corporate%governance%of%Information%Technology The& ISO/IEC& 38500& Corporate& governance& of& information& technology& standard,& provides& a& framework& for& effective& governance& of& IT& to& assist& those& at& the& highest& level& of& organizations&to&understand&and&fulcill&their&legal,&regulatory,&and&ethical&obligations&in&respect&of&their&organizations &use&of&it. ISO/IEC& 38500& is& applicable& to& organizations&from& all& sizes,& including& public& and& private& companies,& government& entities,& and& notqforqprocit& organizations.& This& standard& provides&guiding&principles&for&directors&of&organizations&on&the&effective,&efcicient,&and&acceptable&use&of&information&technology&(it)&within&their&organizations.&it&is&organized& into&three&prime&sections,&specicically,&scope,&framework&and&guidance. The&framework&comprises&deCinitions,&principles&and&a&model.&It&sets&out&six&principles&for&good&corporate&governance&of&IT: Responsibility; Strategy; Acquisition; Performance; Conformance; Human&behavior. The&purpose&of&this&standard&is&to&promote&effective,&efCicient,&and&acceptable&use&of&IT&in&all&organizations&by: Assuring&stakeholders&(including&consumers,&shareholders,&and&employees)&that,&if&the&standard&is&followed,&they&can&have&conCidence&in&the&organization s&corporate& governance&of⁢ Informing&and&guiding&directors&in&governing&the&use&of&IT&in&their&organization;&and Providing&a&basis&for&objective&evaluation&of&the&corporate&governance&of&IT. This& standard& establishes& principles& for& the& effective,& efcicient& and& acceptable& use& of& IT.& Ensuring& that& their& organizations& follow& these& principles& will& assist& directors& in& balancing&risks&and&encouraging&opportunities&arising&from&the&use&of&it. And&establishes&a&model&for&the&governance&of&IT.&The&risk&of&directors&not&fulCilling&their&obligations&is&mitigated&by&giving&due&attention&to&the&model&in&properly&applying&the& principles. Conformance%of%the%organization%with%ISO%38500 Proper& corporate& governance& of& IT& may& assist& directors& in& assuring& conformance& with& obligations& (regulatory,& legislation,& common& law,& contractual)& concerning& the& acceptable&use&of&it. Inadequate& IT& systems& can& expose& the& directors& to& the& risk& of& not& complying& with& legislation.& For& example,& in& some& jurisdictions,& directors& could& be& held& personally& accountable&if&an&inadequate&accounting&system&results&in&tax&not&being&paid. Processes&dealing&with&IT&incorporate&speciCic&risks&that&must&be&addressed&appropriately.&For&example,&directors&could&be&held&accountable&for&breaches&of: 1. Security+standards; 2. Privacy+legislation; 3. Spam+legislation; 4. Trade+practices+legislation; 5. Intellectual+property+rights,+including+software+licensing+agreements; 6. Record+keeping+requirements; 7. Environmental+legislation+and+regulations; 8. Health+and+safety+legislation; 9. Accessibility+legislation; 10. Social+responsibility+standards. Directors&using&the&guidelines&in&this&standard&are&more&likely&to&meet&their&obligations.

18 Activity* Support Maintain Territoriality Reinforcement CPTED Crime*Prevention* Through* Environmental* Design Target Hardening Natural* Surveillance* Access* Control The*Wider*Environment

HITRUST CSF: One Framework

HITRUST CSF: One Framework Leveraging the HITRUST CSF to Support ISO, HIPAA, & NIST Implementation and Compliance, and SSAE 16 SOC Reporting Dr. Bryan Cline, CISSP-ISSEP, CISM, CISA, CCSFP, HCISPP Senior