S 1.16 Compliance management
Description
In every organisation, there are statutory, contractual, structural and internal rules, regulations and policies from different directions that must be complied with. Many of them have a direct or indirect impact on the information security management. The requirements differ depending on the industry, country and other general conditions. In addition, a government agency, for example, is subject to different external rules and regulations to a public limited company. The management of the organisation must ensure compliance with the requirements by means of adequate monitoring safeguards.
The objective of compliance management is to have an overview over the different requirements to be met by the individual areas of the organisation at any time and to identify and implement suitable safeguards in order to prevent violations of these requirements.
This task is typically assigned to an employee. In the following, this role is referred to as Compliance Manager. Unless specified by other regulations, it is not necessary to establish a new position for this. For example, the task may be assumed by security management, auditing, controlling, or the legal advisors.
Depending on the size of an organisation, this task may have different management processes dealing with different aspects of risk management, e.g. security management, data protection management, compliance management and controlling. They should collaborate on a trustful basis to use synergy effects and to avoid conflicts at an early stage.
This module examines a selection of requirements that have an impact on the design of information security in the organisation.
Threat scenario
In this module, the following threat is examined as an example of all threats in the area of compliance management:
Organisational Shortcomings
| T 2.105 | Violation of statutory regulations and contractual agreements |
Method recommendation
To secure the information system examined, other modules will need to be implemented in addition to this module. These modules are selected based on the results of the IT-Grundschutz modelling process.
A series of security safeguards must be implemented in the framework of compliance management, starting in the conception phase and the design of organisational structures to the regular auditing phase. The steps to take to accomplish this as well as the safeguards to consider in each of the steps are listed in the following.
Planning and design
Processes and organisational structures should be established to ensure the overview over the different requirements (see S 2.439 Design and organisation of compliance management). In addition to external regulations relevant to the organisation, the internal policies and requirements must also be defined and transparent. An essential basis for adequately securing all business-related information, business processes, and systems is to classify them based on their protection requirements (see S 2.217 Careful classification and handling of information, applications, and systems). As a consequence, concrete security policies can be derived from this for these objects.
Implementation
The requirements identified are implemented by the management processes of the organisation and also by the security process in particular. Employees, but also visitors and external service providers must be informed of their obligation to exercise due care when handling information and IT systems, before they are granted access to them (see S 3.2 Commitment of staff members to compliance with relevant laws, regulations and provisions).
Operation
The security policies drawn up by the organisation to meet the requirements must be permanently complied with. This compliance should be checked at regular intervals (see S 2.199 Maintaining information security). Both the organisation's internal rules or regulations and the legal framework conditions which an organisation is subject to may change. These changes must be taken into consideration within the framework of compliance management (see S 2.340 Consideration of legal framework conditions).
The bundle of security safeguards for "compliance management" is presented in the following.
Planning and design
| S 2.163 | (A) | Determining the factors influencing cryptographic procedures and products |
| S 2.205 | (C) | Transmission and retrieval of personal data |
| S 2.439 | (C) | Design and organisation of compliance management |
Implementation
| S 3.2 | (A) | Commitment of staff members to compliance with relevant laws, regulations and provisions |
| S 4.99 | (C) | Protection against subsequent change to information |
Operation
| S 2.199 | (A) | Maintaining information security |
| S 2.217 | (B) | Careful classification and handling of information, applications and systems |
| S 2.340 | (A) | Consideration of legal framework conditions |
| S 2.380 | (C) | Granting exceptions |
| S 3.26 | (A) | Instructing staff members in the secure handling of IT |