Understanding Regulations, Legislation, and Guidance Interview Q&A

Q: Why does my organization need to worry about regulations and legislation?
A: Two concepts drive this discussion: compliance and due diligence. If your organization falls under any particular piece of legislation or regulation, you must show that you are taking steps to be in compliance with the directive. If you are not in compliance, you may face fines or other sanctions against your organization. The other concept is due diligence. Due diligence addresses a logical, minimum, and necessary level of security within organizations to support and serve the customers and the employees. Failure in due diligence can result in customer dissatisfaction and employee loss.

Q: Don’t all the regulations and legislation basically say the same thing?
A: Approximately 80 percent of all information security–related regulations and legislation basically say the same thing, which relates to the concept of due diligence. The remaining 20 percent relates to industry or governmental specific implementation requirements.

Q: What is the difference between a requirement and guidance?
A: A requirement is something you must do. Guidance is something you might consider doing and implementing if it makes sense in your environment.

Q: What federal law regarding computer security and compliance applies to all government agencies under the executive branch of the United States government?
A: FISMA (Federal Information System Management Act).

Q: What FIPS document provides the guidance on the categorization and classification of risk for federal computer systems?
A: FIPS 199 – Standards for Security Categorization of Federal Information and Information Systems.

Q: What two NIST Special Publications provide the listing of security controls for federal information systems and how to assess the controls?
A: NIST SP 800-53 – Recommended Security Controls for Federal Information Systems and NIST SP 800-53A – Guide for Assessing the Security Controls in Federal Information Systems.

Q: What government agency has the authority to set requirements for systems that contain national intelligence information?
A: The Central Intelligence Agency (CIA). The Director of the CIA establishes rules for intelligence systems in coordination with the DoD and the military services.

Q: What is considered to be national infrastructure?
A: Food supplies, water supplies, power, public health, national defense, national icons, and national financial stability.

Q: I am a publicly held health care organization. What regulations or legislation do I have to worry about?
A: HIPAA, Sarbanes-Oxley, state requirements, and possibly PCI.

Q: Why was Sarbanes-Oxley passed?
A: In the wake of financial scandals at Enron and other companies, Congress passed Sarbanes-Oxley in an attempt to get public companies to provide accurate and ethical financial results, protecting shareholders and employees from being financially hurt by the intentional actions of individual decision-makers in the organization. Under Sarbanes-Oxley, CEOs and CFOs must account for the accuracy of the information in the financial statements and can be held individually accountable if they are not accurate.