Which of the following statements is true of legal compliance and its evaluation in organizations?

Nuclear Energy, Risk Analysis

George F. Flanagan, Mark A. Linn, in Encyclopedia of Physical Science and Technology (Third Edition), 2003

I.I Individual Plant Examinations

In the Policy Statement on Severe Reactor Accidents, the NRC concluded that reactors currently operating were safe. However, the NRC also recognized that a systematic evaluation using PRA might identify plant-specific vulnerabilities to severe accidents that could be remedied with low-cost improvements. This led to the Individual Plant Examination program, under which each nuclear plant was required to have a limited-scope PRA performed in order to determine whether it had vulnerabilities to severe accidents. The frequency of core damage and the probability of containment failure (given core damage) were the primary focus of this study. Risk to the public was not evaluated.


URL: https://www.sciencedirect.com/science/article/pii/B0122274105004889

Security Policy Overview

Craig Wright, in The IT Regulatory and Standards Compliance Handbook, 2008

Various Levels of Policy and their Functions

Enterprise-wide or corporate policy is the highest level of policy and consists of a high-level document that provides a direction or thrust to be implemented at lower levels in the enterprise. The ISO 17799 (ISO 27002) approach to this, for information security, is a letter of endorsement from senior management. This policy must exist to properly assess lower level policy. If this policy does not exist, begin work to create this policy document and get it approved before attempting to assess lower level policy. This enterprise or corporate level security policy is the demonstration of management's intent and commitment for the information security in the organization. This should be based on facts about the criticality of information for business, as identified during our assessment and evaluation of security posture (SANS).

The security policy statement should strongly reflect the management's belief that if information is not secure, the business will suffer. The policy should clearly address issues like:

Why is information strategically important for the organization?

What are business and legal requirements for information security for the organization?

What are the organization's contractual obligations toward security of the information pertaining to business processes, information collected from clients, employees, etc.?

What steps will the organization take to ensure information security?

A clear and concise security policy provides the bearings that the information security efforts of the organization will follow. It also helps to instill confidence in the various stakeholders within the organization.

The managing director or chief executive officer of the organization should issue or act as the approving authority of the security policy statement, to build momentum toward information security and set clear security goals and objectives. Figure 6.4 is a diagram of a hierarchical policy structure.


Figure 6.4. A Hierarchical Policy Structure

A framework should be based on the concept of policy hierarchy. Start with the organization's mission statement and corporate policy in hand, and then proceed (prepared) to assess the lower level policies. The following are categories of policies that should be considered:

Division-wide policy: Typically, this consists of an amplification of enterprise-wide policy as well as implementation guidance. This level might apply to a particular region of a national corporation.

Local policy: This policy contains information specific to the local organization or corporate element.

Issue-specific policy: Policy related to specific issues; examples include firewall or antivirus policy.

Security procedures and checklists: Local standard operating procedures (SOPs) derived from security policy.

Security policy may exist on some levels and not on others. You might not need a division-wide policy for every division. Documents interact and support one another and generally contain many of the same elements. This is almost always true in a multi-national organization. For example, the legal framework is radically different in France, Australia, and the United States. This could have a profound impact on the specifics of policy. However, the policy attempts to achieve the same effect in all three countries, so the similarities probably exceed the differences. In a typical organization, policy written to implement higher-level directives may not relieve (waive) any of the requirements or conditions stipulated at a higher level. After all, we really can't have the data center manager overturning policy signed by the Chief Executive Officer of the company. In addition, security policy must always be in accordance with local, state, and federal computer-crime laws and regulations. As an example, the security policy for a hospital in the United States would fall within the regulatory guidance of HIPAA.

The Framework for Issue‐ and System-Specific Policy

If the framework for issue‐ and system-specific policy consists of the issues themselves (acceptable use, password, and so on), then the structure is the template that contains the sections of the policy. By choosing a template, an organization achieves consistency in its policy, which is a step toward higher quality. Typical sections of issue-specific policy can include the following:

Purpose

The purpose is the reason that the policy exists. Once an organization has the majority of its policies developed, the reason for most new policy is a technology change or an unexpected event. If it is an unexpected event, it is usually because an individual did something or asked something no one had thought about. In those cases, sensitivity and care should be used in writing the purpose statement so as not to draw attention to the individual.

Background

If you have a purpose statement, do you always need a background? No! This would be a secondary or optional policy section. However, if the policy is going to impact people who fall under its scope, this can be an opportunity to expand on the “why”. People are more likely to follow policy when you give them the background, the reasons the policy has been put into place.

Overview or Executive Summary

This is also a secondary or optional policy section. Since it is often used to summarize the policy body, great care must be taken to make sure the words in this section do not contradict or modify the body of the policy. If you are writing short issue- or system-specific policies, you probably do not need this section.

Related documents

Any documents (or other policies) that affect the contents of this policy. This is one of the strongest reasons to consider posting policies as HTML documents, so that related documents can be linked directly.

Cancellation

Any existing policy that is canceled when this policy becomes effective. This can be incredibly important. If you type “policy cancellation” into Google you will see insurance policy cancellation for the entire first page. But cancellation (especially by superseding) is an important concept in policy management.

Scope

The range of coverage for the policy. (To whom or what does the policy apply?) The knee jerk response we often see is everybody, but is that really correct? Most organizations have a large number of contractors providing services and the primary document that controls what does and does not apply to those contractors is the contract and service level agreement.

Policy Statement

The policy statement, or body of the policy, identifies the actual guiding principles or what is to be done. The statements are designed to influence and determine decisions and actions within the scope of coverage. The statements should define actions that are prudent, expedient, or advantageous to the organization. There is a lot of bad policy out there, so let's consider what the security manager can do to guide the creation of good policy that people will actually read and follow.

Action

States the actions that are necessary and when they are to be accomplished. While this is not needed on all policy, this should be in your checklist. Many policies function better if someone is assigned to do something; and, this is particularly true with system specific policy.

Responsibility

Who is responsible for what? Subsections might identify who will develop additional detailed guidance and when the policy will be reviewed and updated. This is clearly related to the action section.

Compliance or Enforcement

This is where the boilerplate “Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment” is often inserted. However, for policies that address issues that are important but fairly minor in the overall scope of things, consider specifying the disciplinary action rather than relying on the boilerplate.

Information Security leaders can improve the quality of their issue and system specific policies by establishing a template to ensure policy has all the sections that it should. In addition, don't assume that policy authors understand all the implications or uses of the sections of policy simply by their name.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492669000060

The Information Security Policy

Mark Osborne, in How to Cheat at Managing Information Security, 2006

Policy Statements

The policy is really only as good as the policy statements that it contains. Policy statements must be written in a very clear and formal style.

Good examples of policy statements are:

All computers must have antivirus protection activated to provide real-time, continuous protection.

All servers must be configured with the minimum of services to perform their designated functions.

All access to data will be based on a valid business need and subject to a formal approval process.

All computer software must always be purchased by the IT department in accordance with the organization’s procurement policy.

A copy of the backup and restoration media must be kept with the off-site backups.

While using the Internet, no person is allowed to abuse, defame, stalk, harass, or threaten any other person or violate local or international legal rights.

Now, as referred to earlier, you must have established a basic asset register and performed a business impact analysis on those assets (even if it is only notional analysis in your head but based on your discussion with senior management). This should help guide the level of control you mandate in your policy (and other controls). For example, if availability of your core systems is your most pressing threat, this must be reflected in your policy. If all your assets are in the public domain, confidentiality and encryption might not be major policy areas.

To ensure enforcement, policy statements should be related to baseline configuration standards. This aids implementation and permits effective compliance checking: a statement such as “servers run only the services needed for their function” can only be verified if a baseline says which services those are. If you don’t do this you are ensuring that the company’s whole security strategy is in the hands of an anonymous server administrator; more on this later in the chapter.
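The following is an added example, not code from the book, of what tying policy statements to a baseline buys you: each of the policy statements quoted above becomes a small machine-checkable rule, and the rules are run over a host inventory. The host records, the policy IDs (AV-01, SVC-01, PWD-01), the role-to-service mapping and the 12-character password minimum are all constructed sample values, not anything the chapter specifies.

```python
"""Evaluate hosts against a baseline derived from policy statements.

Added example: the policy IDs, the role->service baseline, the password
minimum and the host inventory below are constructed sample data.
"""
from dataclasses import dataclass

# Baseline configuration standard (assumed values). Without a baseline like
# this, "minimum services" is not checkable.
ALLOWED_SERVICES = {
    "web": {"sshd", "nginx"},
    "db": {"sshd", "postgres"},
}
MIN_PASSWORD_LENGTH = 12


@dataclass
class Host:
    name: str
    role: str
    services: set
    antivirus_realtime: bool
    min_password_length: int


@dataclass
class Finding:
    host: str
    policy: str
    detail: str


def check_antivirus(host):
    """Policy AV-01: all computers run real-time antivirus protection."""
    if not host.antivirus_realtime:
        return [Finding(host.name, "AV-01", "real-time antivirus disabled")]
    return []


def check_minimum_services(host):
    """Policy SVC-01: servers run only the services their role requires."""
    allowed = ALLOWED_SERVICES.get(host.role)
    if allowed is None:
        # A host whose role has no baseline cannot be shown compliant.
        return [Finding(host.name, "SVC-01", f"no baseline for role {host.role!r}")]
    extra = sorted(host.services - allowed)
    return [Finding(host.name, "SVC-01", f"unexpected service {svc}") for svc in extra]


def check_password_policy(host):
    """Policy PWD-01: enforced minimum password length meets the baseline."""
    if host.min_password_length < MIN_PASSWORD_LENGTH:
        detail = f"min length {host.min_password_length} < {MIN_PASSWORD_LENGTH}"
        return [Finding(host.name, "PWD-01", detail)]
    return []


CHECKS = [check_antivirus, check_minimum_services, check_password_policy]


def evaluate(hosts):
    """Run every baseline check over every host; return all findings."""
    findings = []
    for host in hosts:
        for check in CHECKS:
            findings.extend(check(host))
    return findings


# Constructed sample inventory: one compliant host, one with drift, one
# with an undefined role.
SAMPLE_HOSTS = [
    Host("web01", "web", {"sshd", "nginx"}, True, 14),
    Host("db01", "db", {"sshd", "postgres", "telnetd"}, True, 8),
    Host("kiosk01", "kiosk", {"sshd"}, False, 12),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_HOSTS):
        print(f"{f.host}: {f.policy}: {f.detail}")
```

The point is the shape, not the three rules: a policy statement that cannot be expressed as a check against a named baseline value is one the server administrator gets to interpret alone.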

What Do I Need to Set a Policy On?

I like to travel light. Table 2.1 would make a good initial policy document set.

Table 2.1. A Basic Document Set of Information Security Policies

Policy: Description

Information classification: Describes how information should be classified. Should include a data ownership policy and a data treatment table. Later we’ll see how to develop a data classification policy. This is one of the more advanced policies.

Data protection: Covers data protection: how the company will manage personal data and the precautions employees should take to avoid infringing on others’ rights.

Host access controls: Describes the logon process, login banners, password rules, audit rules, and data roles.

Internet usage: Describes acceptable “Netiquette.”

E-mail usage: Warns users about the dangers of email.

Virus control: Describes the rules for virus protection and tells users what to do if their computers are infected.

Backup and data disposal: The backup policy mandates that systems should be backed up when they are in use and that these backups should be tested and protected according to the needs of the business. The disposal policy will mandate that disks be destroyed before disposal, CDs be sanded and snapped, and tapes be degaussed.

Remote access: How to access the network remotely.

Physical protection: Describes physical protection.

Encryption: Describes confidentiality.

Software licensing: Describes use of legal software.

Acceptable use policy (AUP): This document is a little different from the rest because it should be educational in its nature. It exemplifies acceptable use of company facilities and IT equipment and describes forbidden activities. Banned behavior tends to include using illegal software, viewing offensive material, and hacking or virus distribution or otherwise infringing on an individual’s rights. The big question here is whether to allow or disallow personal use; the latter is becoming increasingly difficult in some legal jurisdictions.

All policy should be linked to the contract of employment, but the AUP should be distributed with the offer letter (perhaps even with a signature required).

Template, Toolkit, or Bespoke?

Speak to any policy writer and he or she will tell you that the worst thing you can do is download a set of policies from the Internet and impose them on your organization. That is absolutely true, but it doesn’t mean you can’t download a good set of policies and tailor them to your organization’s requirements. This will be a very unpopular view with many security managers, but here, I believe, is some very convincing proof.

When I took over the security consultancy department of a large accounting firm, I inherited dozens of Master of Science (MSc) students. One was working on security policies at a large international industrial chemical firm. Another was working on rationalizing security policies for a European investment bank. Coming from two of the best companies in the world with two of the best CISOs in charge, these security policies must be considered good, yet everybody must concede that the companies were completely different, in different sectors, with different regulators, and in different parts of the country.

As a research project, I got one of the info sec MSc students to normalize the language (to eliminate different styles of writing) in a policy covering host access from both organizations. When we compared these two normalized policies, we found that 73 percent of the statements matched. This strongly suggests that although organizations differ, rules governing good security will remain broadly constant. Who in this day and age couldn’t do with someone else doing 70 percent of their work (or in this case their policy statements)? You don’t have to believe me; browse the Internet, where many organizations publish key security policies. Note the different styles, and particularly note the truism of my contention.

The SANS (SysAdmin, Audit, Network, Security) Institute (www.sans.org), one of the more respected security organizations, carries a wide set of template policies. To use them, you can just do a scan and replace. I recommend a far more tailored approach (in fact, I think many of the SANS policies are not technology neutral enough for me), but it is always good to benefit from another expert’s work.

So Why Haven’t I Just Told You How to Write a Good Information Security Policy?

The answer is, I have. I have told you how to write it, but not what to write. I just haven’t printed five dozen policy statements in a couple of chapters, prepended arbitrary titles to each dozen, and shouted “Voilà!” You can gain that from practically any volume that covers security; it produces a very bad security policy and indicates a very bad CISO. What I have shown you is that a security policy is the documentation of how you need to protect your information assets and systems, both now and in the future. It must take into account your asset register and how you seek to protect those assets (a typical process that is outlined in Chapter 5, on BS 7799), the laws you must embrace (covered in Chapter 4) and the business strategy for the future. However, if you need to read more, you will have to read several lengthy volumes. I commend to you Writing Information Security Policies, by Scott Barman, or any work by Charles Cresson Wood.


URL: https://www.sciencedirect.com/science/article/pii/B9781597491105500099

Population Policy: International

M. Catley-Carson, in International Encyclopedia of the Social & Behavioral Sciences, 2001

3.3 The Tools of Population Policy: Aid Programs

The tools of bilateral population programming have included policy statements, speeches, persuasion, advertising, and funding. Assistance has included policy-influencing computer simulations, assistance to demographic and census departments, soap opera presentations, and research on a wide variety of reproductive health elements. Much program activity focused very directly on the provision of family planning services. Funds have been provided for contraceptive development, dissemination, and for the creation of national family programs.

Family planning programs had no real counterpart in developed countries, and were often ‘vertical’ or stand-alone programs, like some immunization campaigns. They occasionally became the focus of religious, traditional, and xenophobic criticism. These clinics often provided the only services available, or the only ones available to poor women. In terms of impact on fertility, family planning programs were deemed to have succeeded; they probably accounted for about 40 percent of the decline in otherwise anticipated births that characterized the world as the demographic transition progressed in the countries of Asia and Latin America.

Because of the sensitivity of population and reproductive health issues, many donor countries directed a substantial percentage of their assistance through multilateral and international delivery mechanisms. Almost US$500 million flowed through multilateral agencies two years after the 1994 Cairo Conference. The programs of the primary multilateral agency, the UN Population Fund, reached $320 million in its high-water years, usually providing a channel for about 25 percent of available donor funding. World Bank lending at one point reached $500 million but declined at the end of the century. The regional banks have not been major players, with some exception for the Asian Development Bank. An increasingly important element of support was the assistance provided by (largely US) foundations to the population field, reaching as high as $150 million just after the 1994 Cairo Conference.

Aid or official development assistance to population/family planning was never large in relation to overall expenditures in the field or to overall levels of overseas development assistance. By the end of the twentieth century, developing countries were paying three-quarters of the costs of their own reproductive health and population programs.

Nor have population programs dominated the overall aid programs. Even within the US program, population assistance only ever represented about 7 percent of all US aid. In Australia, Denmark, Finland, The Netherlands, Norway, and the UK, population assistance comprised about 3 percent, and in France and Italy only 1 percent, of their respective ODA programs. In dollar terms, when the totality of all countries' official development assistance was running around US$60 billion per year, population assistance (mostly family planning) never got above $2.0 billion in total. Eight countries almost always supplied 90 percent of all population assistance. The US gave the biggest amount, usually about half of all bilateral aid to population. Denmark, Norway, Sweden, and The Netherlands gave higher percentages, relative to their own economic weight.

If not significant as a percentage of overall aid, or as a proportion of each country's aid program, foreign aid to population has often been very significant in relation to the total health budget of many developing countries. It has had a catalytic impact in determining the scope, content, impact, and in some places existence of programs across the world.


URL: https://www.sciencedirect.com/science/article/pii/B008043076704537X

Domain 3: Information Security Governance and Risk Management

Eric Conrad, ... Joshua Feldman, in Eleventh Hour CISSP (Second Edition), 2014

Top five toughest questions

1. Which of the following would be an example of a policy statement?

A. Protect PII by hardening servers
B. Harden Windows 7 by first installing the pre-hardened OS image
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
D. Download the CISecurity Windows benchmark and apply it

Use the following scenario to answer questions 2-4:

Your company sells Apple iPods online and has suffered many Denial of Service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000 per month. You have tested this service and believe it will mitigate the attacks.

2. What is the Annual Rate of Occurrence in the above scenario?

A. $20,000
B. 40%
C. 7
D. $10,000

3. What is the Annualized Loss Expectancy (ALE) of lost iPod sales due to the DoS attacks?

A. $20,000
B. $8,000
C. $84,000
D. $56,000

4. Is the DoS-mitigation service a good investment?

A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy

5. Which of the following describes a duty of the data owner?

A. Patch systems
B. Report suspicious activity
C. Ensure their files are backed up
D. Ensure data has proper security labels
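The DoS scenario in questions 2-4 is the standard quantitative risk calculation (SLE = asset value × exposure factor, ALE = SLE × ARO, compared against the annual cost of the control). The following is an added worked example, not from the book and not its answer key: it carries the scenario's figures through those formulas and applies the cost/benefit test. Two assumptions of mine: one DoS attack costs one week of reduced sales (so the asset value is the weekly profit), and the tested service is taken to remove the risk entirely (residual ALE of zero), which is the most favourable case for buying it.

```python
"""Quantitative risk arithmetic for the DoS scenario (added example).

Figures come from the scenario; the one-attack-equals-one-week exposure and
the zero residual ALE after mitigation are assumptions, not stated in the text.
"""


def single_loss_expectancy(asset_value, exposure_percent):
    """SLE = AV * EF: the loss from a single occurrence of the event.

    exposure_percent is an integer percentage so the arithmetic stays exact.
    """
    return asset_value * exposure_percent / 100


def annualized_loss_expectancy(sle, aro):
    """ALE = SLE * ARO: expected loss per year from this threat."""
    return sle * aro


def annual_tco(monthly_fee, one_time_cost=0):
    """Annual Total Cost of Ownership of a control with a monthly fee."""
    return monthly_fee * 12 + one_time_cost


def control_is_worthwhile(ale_before, ale_after, annual_cost):
    """A control is justified when the risk it removes exceeds what it costs."""
    return (ale_before - ale_after) > annual_cost


def dos_scenario():
    """Walk the scenario's figures through the formulas above."""
    weekly_profit = 20_000        # asset value (assumption: one attack = one week)
    exposure_percent = 40         # a typical attack lowers sales by 40%
    aro = 7                       # attacks per year
    monthly_fee = 10_000          # mitigation service subscription

    sle = single_loss_expectancy(weekly_profit, exposure_percent)
    ale = annualized_loss_expectancy(sle, aro)
    tco = annual_tco(monthly_fee)
    residual_ale = 0              # assumption: service fully mitigates the attacks
    return {
        "SLE": sle,
        "ARO": aro,
        "ALE": ale,
        "TCO": tco,
        "buy": control_is_worthwhile(ale, residual_ale, tco),
    }


if __name__ == "__main__":
    for key, value in dos_scenario().items():
        print(f"{key}: {value}")
```

The comparison that matters in question 4 is annual cost against annual loss: a $10,000 monthly fee is $120,000 a year, which exceeds the $56,000 ALE even under the generous assumption that the service eliminates the attacks, so the control costs more than the risk it removes.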


URL: https://www.sciencedirect.com/science/article/pii/B9780124171428000030

Culture change

Jonathan Lazar, ... Anne Taylor, in Ensuring Digital Accessibility Through Process and Policy, 2015

Clear Organizational Policies

First, each institution must have an accessibility policy that states the normative guidance and degree of importance the institution attaches to equal access for persons with disabilities. It must not be a double super-secret policy, but one that the institution announces to the world, so that consumers, especially consumers with disabilities know what to expect. Microsoft, for example, publishes an extensive and detailed accessibility policy [9]. With a few notable exceptions, like SharePoint, Microsoft has succeeded for some time in having products accessible at the time of their introduction to the market. IBM, which has at various times promoted accessibility, has, if not a policy, an accessibility statement of some detail [10]. It becomes believable that Pearson, which still offers much in the way of inaccessible content and software, is committed to changing that, given its detailed policy statement that commits it not only to accessibility, but to being open about the accessibility status of its products [11]. Google, with many inaccessible products, but recent efforts to address the accessibility of some, contents itself with a single precatory statement, “Everyone should be able to access and enjoy the web. We’re committed to making that a reality” [12]. Apple congratulates itself as done with the job: “We’ve done everything possible to make anything possible” [13]. Apparently, Apple doesn’t think it is possible to let consumers know which apps for iOS are inaccessible or to require developers to follow Apple’s API for accessibility. These may reflect economic concerns at Apple, but in the absence of a public policy, it seems doubtful that the public or Apple employees can know where Apple strikes the balance between accessibility and economics, other than it falls short of its claim that it has done everything possible. But, at least, accessibility is there as a focal point. 
Facebook consciously falls short of promising equal access, stating only, “Facebook is committed to creating a great experience for all people. Learn about the built-in features and technologies that help people with disabilities get the most out of Facebook” [14]. Amazon, to the surprise of no one in the disability community, has no public accessibility policy. Fortuitously, the authors of this book discovered that the publisher of this book, Elsevier, has one of the more thoughtful and detailed public accessibility policies [15].

It is not that accessibility policies are self-executing that makes them significant; they are not. Rather, the policies legitimate actors within the institution who press for accessibility and can foster a sense of corporate responsibility. Moreover, the existence of a policy can help make the issue visible and part of the conversation.

A number of educational institutions, some after legal prodding and some not, have produced some thoughtful and thorough accessibility policy statements addressed to web accessibility, EIT accessibility, or both. They vary in focus, length, and detail, and citations to a number of different models appear below. However, the introduction to Ohio State University’s web accessibility policy best captures that which is necessary to further the narrative of equal opportunity. That policy introduction states as follows:

The creation and dissemination of knowledge is a defining characteristic of universities and is fundamental to The Ohio State University's mission. The use of state of the art digital and web based information delivery of information is increasingly central in carrying out our mission. Ohio State is committed to ensuring equal access to information for all its constituencies. This policy establishes minimum standards for the accessibility of web based information and services considered necessary to meet this goal and ensure compliance with applicable state and federal regulations. [16]

Others worthy of review include those of Penn State, George Mason University, Oregon State, University of Montana, and Temple University. A policy is just a first step [18–22].

Early agreements between the National Federation of the Blind and a number of e-commerce sites simply set an accessibility standard and a deadline. Given that changing the companies’ culture was not addressed and given the dynamic nature of the web sites, the resulting accessibility was variable over time. The CEO might have been gung-ho for accessibility, but if the person responsible for the next release and its features on a timely basis reports to a middle manager who is not reviewed for accessibility, then accessibility may fall victim to the pressures of time and the CEO may be none the wiser.

To keep accessibility top of mind, companies must undertake to ensure that new releases onto a web site or of software are tested for and determined to be accessible before release. Thus, the recent consent decree entered into by H&R Block with the Department of Justice and NFB requires user testing of any “substantial proposed change” to the web site, mobile apps, or the online tax software prior to release and requires the Accessibility Coordinator to certify that all new releases have been made accessible prior to their release [22].

Pre-release testing addresses the problem of “later.” When accessibility is an afterthought and persons with disabilities are told to wait for accessibility to follow, their ability to compete is significantly compromised. Their consequent inability to perform tasks between the time new software is introduced and the time it is made accessible also contributes to the stereotype of disability as incapacity.

Similarly, when accessibility bugs develop, their priority should not float, but should be incorporated into existing bug fix or service level agreements. Thus, the H&R Block agreement provided, “[t]he Modified Bug Fix Priority Policies shall ensure that any bugs that create nonconformance with WCAG 2.0 AA to www.hrblock.com, its mobile applications, or its Online Tax Preparation Product are remedied with the same level of priority, speed and resources used to remediate any other equivalent loss of function for individuals without disabilities” [22].

The H&R Block agreement contains a number of other procedures and requirements for training to keep accessibility in the “conversation” in the corporate environment, but two are critical: (1) performance reviews of the Web Accessibility Coordinator and “all employees who write or develop programs or code for, or who publish final content to, www.hrblock.com, its mobile applications, or the Online Tax Preparation Product … of the degree and effectiveness with which each took accessibility considerations into account in the performance of their respective duties …” and (2) reporting on accessibility issues to the Chief Information Officer. The first ensures that those who are evaluated will become accessibility evangelists within the company for the sake of their own job security and advancement. The second ensures that the status of accessibility is visible at a top executive level. Finally, the requirement of user testing for accessibility ensures that some persons with disabilities will be “visible” to at least some in the corporate world.

Having a locus of responsibility for accessibility is critical. Several companies, Microsoft and IBM among them, as well as some state agencies, such as Minnesota’s MN. IT, have a position called Chief Accessibility Officer. The success associated with that position, of course, is tied directly to the authority and reporting associated with the position.

Involvement of persons with disabilities, particularly consumer organizations of persons with disabilities, such as the National Federation of the Blind, Autism Self-Advocacy Network, National Council on Independent Living, and the National Association of the Deaf, ensures a wealth of knowledge and an approach that is authentic, rather than merely plausible (as imagined by someone without a disability).

Different procedures are called for in noncorporate environments like universities. There the acquisition of technology is diffuse, with decisions being made by individual departments, the CIO, the CBO, admissions, HR, development, and a host of other bailiwicks. Thus, presidential leadership is required to get sign-on throughout academe. When that happens, some extraordinary procedures and policies can produce a set of best practices, which when enforced can change the landscape. Two of the most thoughtful and thorough such procedures in post-secondary education may be found at http://ada.osu.edu/resources/Links.htm and http://accessibility.temple.edu/.

Making accessibility the default for those more episodically linked to technology is also key. Thus, it is desirable to build in for, say, content creators at the universities reminders to put alt tags on images, followed, if ignored, by “Are you sure? Failure to label will make this image inaccessible to blind users.” Templates that will reject uploading of image PDFs can also help.

URL: https://www.sciencedirect.com/science/article/pii/B9780128006467000113

Ethical Practices, Institutional Oversight, and Enforcement: United States Perspectives

R.J. Levine, in International Encyclopedia of the Social & Behavioral Sciences, 2001

4 Locale

In the United States the first RECs were established in the institutions in which research was conducted. The 1966 Surgeon General's policy statement required a committee of ‘institutional associates.’ In 1971 the FDA promulgated regulations which required committee review only when regulated research was conducted in institutions; hence their name, Institutional Review Committee (IRC). Regulations proposed in 1973 by the Department of Health, Education and Welfare, forerunner of DHHS, also reflected a local setting in their term, Organizational Review Board (ORB). In 1974 the National Research Act established a statutory requirement for review by a committee to which it assigned the name, Institutional Review Board (IRB), a compromise between the two names then extant.

RECs are required to comply with federal regulations when reviewing activities involving FDA-regulated ‘test articles’ such as investigational drugs and devices, and when reviewing research supported by federal funds (Robertson 1979b). Moreover, all institutions that receive federal research grants and contracts are required to file ‘statements of assurance’ of compliance with federal regulations. In these assurances virtually all institutions voluntarily promise to apply the principles of federal regulations to all research they conduct regardless of the source of funding.

These points notwithstanding, each REC has a decidedly local character. Most have local names such as Human Investigation Committee, or Committee for the Protection of Human Subjects. Each is appointed by its own institution and each lends its own interpretation to the requirements of federal regulations. For example, at one university medical students are forbidden to serve as research subjects while at another, involvement of medical students as research subjects is sometimes required as a condition of approval (Levine 1988, pp. 80–2).

The National Commission recommended that RECs should be ‘located in institutions where research … is conducted. Compared to the possible alternatives of a regional or national review … local committees have the advantage of greater familiarity with the actual conditions’ (1978, pp. 1–2). The National Commission envisioned the local REC as an ally of the investigator in safeguarding the rights and welfare of research subjects as well as a contributor to the education of both the research community and the public.

FDA's change in regulations in 1981 to require REC review of all regulated research regardless of where it was done created a problem for the many physicians who were conducting investigations in their private offices, many of whom had no ready access to RECs. In response, private corporations developed ‘noninstitutional review boards’ (NRBs) (Herman 1989). Although there are theoretical reasons to question the validity of NRB review, they appear to be performing satisfactorily (Levine and Lasagna 2000).

In 1986, FDA began to waive the requirement for local REC review for some protocols designed to evaluate, or to make available for therapeutic purposes, investigational new drugs, particularly those intended for the treatment of HIV infection. In such cases RECs were offered the option of accepting review by a national committee as fulfilling the regulatory requirement for REC review. Such practices have caused some commentators to question the strength of the government's commitment to the principle of local review.

Internationally, there is much less commitment to the importance of local review. The International Ethical Guidelines for Biomedical Research Involving Human Subjects, promulgated by the Council for International Organizations of Medical Sciences, require REC approval for all research involving human subjects and recognize the validity of review at a regional or, ‘in a highly centralized administration,’ a national level (1992). In many European countries, RECs are regional (McNeill 1989).

Several commentators have expressed concern that in the United States the local institution has too much power in the field of protection of human research subjects. Robertson, for example, alerts us to ‘the danger … that research institutions will use [RECs] to protect themselves and researchers rather than subjects’ (1979a); others point to the close associations between RECs and risk-management offices in many institutions as evidence that RECs are being used in this manner.

URL: https://www.sciencedirect.com/science/article/pii/B0080430767001686

Formulating policy – the written collection development policy and alternative approaches

John Kennedy, in Collection Management, 2006

The policy on gifts and donations

Most libraries are willing to accept material offered to them on the understanding that the donor does not expect payment, though the policy statement on the matter may well seem rather lukewarm to anyone brought up to consider it good manners to greet any gift with a show of enthusiastic gratitude! The subdued response is partly because what is ostensibly free needs to be processed by the library at significant cost. It is also because, as anyone who has ever been assigned the task of sorting through material donated to a library will affirm, material offered to libraries can be of remarkably little interest or appeal. It may be irrelevant to the collection, obsolete or very dated, in poor physical condition, propagandist, or markedly inferior in quality to other works on the same subject already held. The policy on gifts and donations will almost invariably reserve the right to refuse donations or to accept them only on condition that the library may dispose of unsuitable material.

URL: https://www.sciencedirect.com/science/article/pii/B9781876938130500027

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

Self Test

Note

Please see the Self Test Appendix for explanations of all correct and incorrect answers.

1. Which of the following would be an example of a policy statement?
A. Protect PII by hardening servers
B. Harden Windows 7 by first installing the pre-hardened OS image
C. You may create a strong password by choosing the first letter of each word in a sentence and mixing in numbers and symbols
D. Download the CISecurity Windows benchmark and apply it

2. Which of the following describes the money saved by implementing a security control?
A. Total Cost of Ownership
B. Asset Value
C. Return on Investment
D. Control Savings

3. Which of the following is an example of program policy?
A. Establish the information security program
B. Email Policy
C. Application development policy
D. Server policy

4. Which of the following proves an identity claim?
A. Authentication
B. Authorization
C. Accountability
D. Auditing

5. Which of the following protects against unauthorized changes to data?
A. Confidentiality
B. Integrity
C. Availability
D. Alteration

Use the following scenario to answer questions 6 through 8:

Your company sells Apple iPods online and has suffered many denial-of-service (DoS) attacks. Your company makes an average $20,000 profit per week, and a typical DoS attack lowers sales by 40%. You suffer seven DoS attacks on average per year. A DoS-mitigation service is available for a subscription fee of $10,000/month. You have tested this service, and believe it will mitigate the attacks.

6. What is the Annual Rate of Occurrence in the above scenario?
A. $20,000
B. 40%
C. 7
D. $10,000

7. What is the annualized loss expectancy (ALE) of lost iPod sales due to the DoS attacks?
A. $20,000
B. $8000
C. $84,000
D. $56,000

8. Is the DoS mitigation service a good investment?
A. Yes, it will pay for itself
B. Yes, $10,000 is less than the $56,000 Annualized Loss Expectancy
C. No, the annual Total Cost of Ownership is higher than the Annualized Loss Expectancy
D. No, the annual Total Cost of Ownership is lower than the Annualized Loss Expectancy
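The scenario for questions 6 through 8 rests on the quantitative risk-analysis formulas SLE = AV x EF, ALE = SLE x ARO, and the comparison of annual Total Cost of Ownership against ALE. The Python below is an added worked example, not code from the CISSP Study Guide, that carries those formulas through for the iPod scenario and goes one step beyond the questions by computing the break-even attack rate and subscription fee. It assumes, as the scenario does, that the mitigation service is fully effective (residual exposure factor of zero); the names Scenario, control_roi and break_even_aro are the example's own.

```python
# Added worked example (not from the CISSP Study Guide): quantitative risk
# analysis for the DoS scenario. Assumption: the control fully mitigates the
# attacks, i.e. residual exposure factor is 0.0 unless stated otherwise.
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    asset_value: float           # AV: value exposed per incident (here, one week's profit)
    exposure_factor: float       # EF: fraction of AV lost per incident, 0..1
    aro: float                   # Annual Rate of Occurrence: incidents per year
    control_monthly_cost: float  # subscription fee of the proposed control
    residual_ef: float = 0.0     # EF after the control is in place (0 = fully mitigated)


def single_loss_expectancy(av: float, ef: float) -> float:
    """SLE = AV x EF: expected cost of one incident."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return av * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year."""
    return sle * aro


def annual_tco(monthly_cost: float) -> float:
    """Annualize the control's cost so it is comparable with ALE."""
    return monthly_cost * 12


def _sle_reduction(s: Scenario) -> float:
    """Per-incident loss avoided by the control (SLE before minus SLE after)."""
    before = single_loss_expectancy(s.asset_value, s.exposure_factor)
    after = single_loss_expectancy(s.asset_value, s.residual_ef)
    return before - after


def control_roi(s: Scenario) -> float:
    """Return on investment = annual risk reduction (ALE before - ALE after)
    minus annual TCO. Positive means the control saves more than it costs."""
    risk_reduction = annualized_loss_expectancy(_sle_reduction(s), s.aro)
    return risk_reduction - annual_tco(s.control_monthly_cost)


def control_is_worthwhile(s: Scenario) -> bool:
    return control_roi(s) > 0


def break_even_aro(s: Scenario) -> float:
    """Incidents per year at which the control exactly pays for itself."""
    reduction = _sle_reduction(s)
    if reduction <= 0:
        raise ValueError("control reduces no risk; it can never pay for itself")
    return annual_tco(s.control_monthly_cost) / reduction


def break_even_monthly_fee(s: Scenario) -> float:
    """Highest monthly fee at which the control still breaks even."""
    return annualized_loss_expectancy(_sle_reduction(s), s.aro) / 12


# The scenario from the text: $20,000/week profit, 40% loss per attack,
# 7 attacks/year, $10,000/month for the mitigation service.
DOS_SCENARIO = Scenario(asset_value=20_000, exposure_factor=0.40,
                        aro=7, control_monthly_cost=10_000)

if __name__ == "__main__":
    s = DOS_SCENARIO
    sle = single_loss_expectancy(s.asset_value, s.exposure_factor)
    ale = annualized_loss_expectancy(sle, s.aro)
    print(f"SLE  = ${sle:,.0f}")
    print(f"ALE  = ${ale:,.0f}")
    print(f"TCO  = ${annual_tco(s.control_monthly_cost):,.0f}/year")
    print(f"ROI  = ${control_roi(s):,.0f}/year -> worthwhile: {control_is_worthwhile(s)}")
    print(f"break-even ARO: {break_even_aro(s):.1f} attacks/year")
    print(f"break-even fee: ${break_even_monthly_fee(s):,.2f}/month")
```

For the scenario this yields SLE of $8,000, ALE of $56,000 and annual TCO of $120,000, so the ROI is negative and the service is not a good investment; it would only break even at 15 attacks per year or at a fee of about $4,667 per month. The residual_ef field lets you redo the comparison for a control that is only partially effective, which is the more realistic case when evaluating a real mitigation vendor.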

9. Which of the following steps would be taken while conducting a Qualitative Risk Analysis?
A. Calculate the Asset Value
B. Calculate the Return on Investment
C. Complete the Risk Analysis Matrix
D. Complete the Annualized Loss Expectancy

10. What is the difference between a standard and a guideline?
A. Standards are compulsory and guidelines are mandatory
B. Standards are recommendations and guidelines are requirements
C. Standards are requirements and guidelines are recommendations
D. Standards are recommendations and guidelines are optional

11. An attacker sees a building is protected by security guards, and attacks a building next door with no guards. What control combination are the security guards?
A. Physical/Compensating
B. Physical/Detective
C. Physical/Deterrent
D. Physical/Preventive

12. Which canon of The (ISC)2® Code of Ethics should be considered the most important?
A. Protect society, the commonwealth, and the infrastructure
B. Advance and protect the profession
C. Act honorably, honestly, justly, responsibly, and legally
D. Provide diligent and competent service to principals

13. Which doctrine would likely allow for duplication of copyrighted material for research purposes without the consent of the copyright holder?
A. First sale
B. Fair use
C. First privilege
D. Free dilution

14. Which type of intellectual property is focused on maintaining brand recognition?
A. Patent
B. Trade Secrets
C. Copyright
D. Trademark

15. Drag and drop: Identify all objects listed below. Drag and drop all objects from left to right.


Figure 2.15. Drag and Drop

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000023

Legislation and records management requirements

Charlotte Brunskill, in Records Management for Museums and Galleries, 2012

Practical implications for compliance

The TNA standard is detailed and must be read in full, but key issues for compliance can be summarised as follows. Organisations must:

develop a policy statement establishing the objectives of the repository and the service it will provide (§1.3)

employ sufficient staff to be ‘commensurate with the extent and nature of records held and with the intensity of their use’ (§2.4)

develop a clearly defined statement of collecting policy identifying the subject areas, geographical scope and medium of material that will be collected by the institution, and ensure this policy is publicly available (§§3.2, 3.4)

provide a designated study area for access and ensure that records open to inspection are clearly described and these descriptions are readily available (§§4.1, 4.7)

ensure that records are stored broadly in compliance with the British Standard 5454 recommendations for the storage and exhibition of archival documents (§5.1.1).

URL: https://www.sciencedirect.com/science/article/pii/B9781843346371500041