13.1.1 Identification of applicable legislation and contractual requirements
All relevant legislative, statutory, regulatory and contractual requirements, and how the organization meets these requirements, should be identified, documented and kept up to date.
- For the organization and, if applicable, for individual information systems, define and document the specific controls and individual responsibilities needed to meet the requirements arising from applicable legislation and contracts.
13.1.2 Intellectual property rights
Appropriate procedures should be implemented to ensure compliance with legislative, regulatory and contractual requirements related to intellectual property rights and use of proprietary software products.
- Intellectual property rights include software or document copyright, design rights, trademarks, patents and source code licences. Copyright infringement can lead to legal action, which may involve fines and criminal proceedings.
- To protect any material that may be considered intellectual property:
  a) maintain appropriate asset registers and identify all assets with requirements to protect intellectual property rights;
  b) acquire software only through known and reputable sources, to ensure that copyright is not violated;
  c) comply with the terms and conditions for software and information obtained from public networks;
  d) maintain proof and evidence of ownership of licences, master disks, manuals, etc.;
  e) implement controls to ensure that any maximum number of users permitted by a licence is not exceeded;
  f) carry out reviews to verify that only authorized software and licensed products are installed;
  g) maintain awareness of policies to protect intellectual property rights and take disciplinary action against personnel breaching them;
  h) do not copy, in full or in part, books, reports or other documents, other than as permitted by copyright law.
13.1.3 Protection of records
Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with legislative, regulatory, contractual and business requirements.
- Securely retain records that are needed to meet statutory, regulatory or contractual requirements, as well as to support essential business activities. First, categorize these records into record types, e.g. accounting records, database records, transaction logs, audit logs and operational procedures, each with details of the allowable storage media, e.g. paper, microfiche, magnetic, optical.
- Establish a retention schedule identifying the records and the period of time for which they should be retained. National law or regulation may set the time period and data content for information retention.
- Safeguard against loss of records due to future technology change, and be aware of the possibility of deterioration of the media used to store records. Where electronic storage media are chosen, establish procedures to ensure the ability to access the data (both media and format readability) throughout the retention period. Storage and handling procedures should be implemented in accordance with the manufacturer’s recommendations.
- Cryptographic keys and programs associated with encrypted archives or digital signatures should also be stored, to enable decryption of the records for the length of time the records are retained.
- The system chosen for storage should permit appropriate destruction of records after the retention period if they are no longer needed by the organization.
13.1.4 Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information should be ensured as required in relevant legislation and regulation where applicable.
- Introduce controls and impose duties on those collecting, processing and disseminating personally identifiable information (generally, information on living individuals who can be identified from that information). Data privacy is about the appropriate use and management of data, not just encryption. Data is no longer only inside the organization’s perimeter: it is in the cloud, on portable end-user devices used by people working from home, and is often shared with partners or online services that might hold it anywhere in the world.
- Develop the organization’s data policy for the protection of personally identifiable information and, if applicable, appoint a person responsible, such as a privacy officer, who provides guidance to managers, users and service providers on their individual responsibilities and the specific procedures that should be followed.
Read more:
- NIST Special Publication 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-122.pdf