
You're reading from ISACA Certified in Risk and Information Systems Control (CRISC®) Exam Guide

Product type: Book
Published in: Sep 2023
Publisher: Packt
ISBN-13: 9781803236902
Edition: 1st Edition
Author: Shobhit Mehta

Shobhit Mehta is the Security and Compliance Director at Headspace, an on-demand mental health company in San Francisco, CA. Previously, he worked in different facets of security and assurance with HSBC, Deutsche Bank, Credit Suisse, PayPal, and Fidelity Investments. He also works with ISACA to develop exam questions for CISA, CISM, and CGEIT, served as the technical reviewer for the CGEIT and CISA review manuals, and is a published author for the COBIT 5 journal. He completed his MS in cybersecurity at Northeastern University, Boston, and holds CRISC, CISM, CISA, CGEIT, CISSP, and CCSP certifications. In his spare time, he likes to explore the inclined trails of the Bay Area, complete ultramarathons, and blog on GRCMusings.

Major laws for IT risk management

Compliance is a fundamental consideration for any organization dealing with information security and privacy. Implementing and monitoring internal controls is critical for an organization that handles information falling within the scope of the many continuously evolving state, federal, and industry requirements.

IT incidents such as data leakage or ransomware can not only put an organization out of compliance but also expose it to major financial and reputational damage from the resulting data breach or similar event.

A natural starting point for this section is to ask which regulatory compliance laws organizations most commonly need to be aware of. That question is very broad, however, and many regulations are industry-specific. In the following section, we will review some regulatory compliance requirements, irrespective of the industry they apply to:

  • The Federal Financial Institutions Examinations Council (FFIEC):
    • The FFIEC was...

Ethics and risk management

Ethics are the moral principles that guide an employee's judgment in daily activities and define socially acceptable behavior. Risk is often affected by professional ethics: it is easy to see that an organization with poor ethical standards is more susceptible to fraud or theft. Each organization has its own way of maintaining ethical values and culture. For example, some organizations allow employees to accept gifts from clients and suppliers, while for others this is not acceptable at all.

The risk of an employee violating the enterprise's ethics policy is best addressed by having senior management communicate the ethics policy to everyone and ensuring that employees at all levels are appropriately trained on it.

Relationship between ethics and culture

Ethics and culture cannot be separated. Ethics is not a once-a-year check-the-box function, rather ethics must be inherent in an organization...

How do ethics affect IT risk?

In the past, IT operated in a silo and had minimal effect on the rest of the organization; today, IT is ingrained in every area of the business. It is therefore essential that the IT team ensures the right IT practices are followed across the organization, without exception.

Since IT teams have historically had more access than other employees so that they can perform maintenance activities and the like, I have seen IT team members use those privileges to install malicious software for personal work. That malicious software installed viruses on their machines, which then cascaded to other machines on the network. These types of incidents are not uncommon, and they cannot be completely eliminated unless the employees who are part of the IT teams follow the policies themselves.

It is important for organizations to make employees aware of the risk of breaching IT policies and how to report...

ISACA Code of Professional Ethics

ISACA has defined and set forth a code of professional conduct for members of the association, including CRISC holders and certified risk practitioners. ISACA certification holders shall do the following:

  • Support the implementation of, and encourage compliance with, appropriate standards and procedures for the effective governance and management of enterprise information systems and technology, including audit, control, security, and risk management.
  • Perform their duties with objectivity, due diligence, and professional care, in accordance with professional standards.
  • Serve in the interest of stakeholders in a lawful manner, while maintaining high standards of conduct and character, and not discrediting their profession or the association.
  • Maintain the privacy and confidentiality of information obtained in the course of their activities unless disclosure is required by a legal authority. Such information shall not be used for personal...

Summary

At the beginning of this chapter, we learned about the major laws and regulations across a variety of industries and geographies that may impose a legal requirement on an organization to comply with them. Then, we learned about the relationship between ethics, culture, and IT risk management, which is critical in determining an organization's response to risk. Finally, we learned about the importance of professional ethics and ISACA's Code of Professional Ethics, which all CRISC candidates and certification holders are expected to comply with.

In the next chapter, we will be diving into domain 2, IT Risk Assessment, and learn about the risk management life cycle.

Review questions

  1. Which of the following is a federal law that provides guidance on protecting sensitive health information?
    1. CCPA
    2. HIPAA
    3. FFIEC
    4. GDPR
  2. Which of the following groups is a beneficiary of CCPA law?
    1. US residents
    2. EU residents
    3. California residents
    4. Canada residents
  3. According to the HIPAA Breach Notification Rule, which of the following would require a covered entity (CE) to report the breach to the OCR?
    1. Breach of more than 100 California residents’ information
    2. IT incident that occurs in the CE
    3. IT incident that occurs in the business associate
    4. Breach of health information of more than 500 individuals
  4. Failure to comply with the ISACA Code of Ethics could lead to which of the following?
    1. Mandatory training from ISACA
    2. An additional 20 questions in the exam
    3. Investigation and disciplinary measures from ISACA
    4. Immediate revocation of certification or membership

Answer

  1. B. HIPAA is the federal law governing protected health information. CCPA is related to the personal information of California residents, FFIEC is a banking regulator, and GDPR is related to the personal information of EU residents.
  2. C. California residents is the correct answer. The other options are distractors.
  3. D. The HIPAA Breach Notification Rule requires a notification to the OCR for the breach of health information of more than 500 individuals. The other options are distractors.
  4. C. ISACA will conduct an investigation and take additional disciplinary actions upon failure to comply with the Code of Ethics. The other options are distractors.