There are various laws and security standards for the IT/information security field. Some of these deal with protecting specific types of data (credit cards, or health information) and others are voluntary standards that an organization can choose to follow and be assessed/audited against.
For some of these standards it is difficult to find information on exactly how the compliance process works, who it applies to, what the requirements are, etc. We need articles written for each of the compliance standards we've identified. Research will need to be conducted to be able to answer the outlined questions and write a detailed article.
The article should have references for the presented information, preferably from original sources.
The article should be between 1500 and 2000 words (5-7 pages).
Topics for the articles include:
- Federal Information Security Management Act of 2002
- Financial Services Modernization Act of 1996 (GLBA)
- Health Insurance Portability and Accountability Act of 1996 (HIPAA / HITECH Act)
- Payment Card Industry Data Security Standard
- Experian Independent Third Party Assessment (EI3PA)
- ISO 27001
- SSAE 16/SOC I/II/III
- NERC Critical Infrastructure Protection (CIP)
A rough outline of information the article should contain:
1. What is the history of the compliance standard?
- Who created the standard and when
- Why was the standard created
- What is the body that created and maintains the standard
- Is there any history that would help someone understand the purpose for the standard's creation?
- What are some helpful historical dates relating to the standard? For example: http://ssae16.com/SSAE16_history.html
2. Outline the main requirements of the standard, i.e. an overview of what is required to become compliant with the standard
3. What does the certification process look like?
- Is there a specific body that governs certification?
- Is an audit by a certified company required?
- What is the lifecycle of the assessment/audit process? Is it required annually, or are there different types of audits required to gain/maintain compliance?
4. Who requires organizations to become compliant with the standard? Is it just a way of showing they meet a minimum level of security, or is there a legal or industry requirement that the organization must comply with?
5. What is the cost of becoming compliant? Specific dollar estimates for receiving any required audits and also an estimate of work required for the organization to become compliant. This may require contacting providers of these services to get a range.
6. What are some common questions about the security standard, and their answers? For example:
- Who must comply with this standard?
- Is the assessment a point-in-time assessment?
- How long does the assessment take?
- What portions of the standards are particularly difficult to meet?
7. List and describe all of the official resources/documents that relate to the standard. For example, for PCI compliance, this would include the PCI DSS, PCI SAQ forms, Information Supplements, etc., found on the council's website: https://www.pcisecuritystandards.org/document_library. For ISO 27001, this would include the other documents in the 27000 series that relate to the compliance standard and assessment process.
8. What are the deliverables of the assessment process? For example, for PCI compliance you receive an Attestation of Compliance and a Report on Compliance.
- Can the deliverables be shared publicly?
9. What are the benefits of becoming compliant with the standard?