One Article Review

Home - The article:
Source NoticeBored
Identifier 459429
Publication date 2018-01-19 15:33:48 (viewed: 2018-01-19 15:33:48)
Title NBlog January 17 - the compliance case for security awareness
Text
Security awareness may be something you have to do for compliance reasons (mostly to avoid penalties) or something you want to do to gain the benefits, often both. Today I'll concentrate on the compliance aspects, the most straightforward part, leaving the business case for another day's blogging.

Compliance pressures come at us from all sides!

Laws and regulations: many information-related laws and regs mandate adequate information security, particularly those concerning privacy and governance, plus those applicable to the healthcare, financial services, government, infrastructure/utility and defense industries. Some of them specify awareness and training explicitly; others are more circumspect, typically referring to ensuring compliance without saying precisely how to achieve that.

Contracts and agreements: PCI-DSS is the classic example of a contractual obligation to secure information, specifically cardholder information relating to credit and debit cards. Security awareness is a mandatory requirement of PCI-DSS. Another example is the typical employment or service contract, containing clauses about securing personal and proprietary information and protecting the organization's interests. Yet another is cyber insurance: the policy small print may include requirements along the lines of 'generally accepted standards and practises of information security', or mention particular laws and standards, or may specify particular controls (such as incident management and breach notification). Many a lawyer's fee results from the nuances in this area! Claiming that an incident occurred because workers were unaware of their security obligations would be a strong case for the prosecution, not the defense.

Corporate strategies, policies and standards: many organizations have formal company rules relating to information risk and security, website privacy policies for instance. If employees don't know and care about them, what is the point in even having them?
Despite being an obvious requirement (obvious to us anyway, and now you too!), awareness and training is not universal although the requireme