An Information Security Metrics Program : Compliance With Legal Requirements

1422 Words Feb 8th, 2015 6 Pages
There are three primary goals for an information security metrics program: complying with legal requirements; reducing risk by adding new or improving existing capabilities; and improving efficiency or reducing cost. Achieving any of these goals depends on gathering the appropriate data and formulating useful metrics. The need for useful security metrics cannot be overstated, yet there is often confusion about what a metric is, and difficulty in determining which metrics are actually useful. As a business, USAA has a duty to protect and improve shareholder investments, and of course must comply with all applicable laws and regulations. A variety of laws and regulations dictate security requirements for financial institutions.

Legal Requirements

There are many state, federal, and international laws that affect financial institutions operating throughout the United States and internationally. This paper focuses on five United States federal laws and two state laws that pertain directly to financial institutions operating in the United States. CSO Online provides a useful list of computer security laws that includes the laws discussed in this paper: the Fair and Accurate Credit Transactions Act (FACTA) of 2003; the Sarbanes-Oxley Act (SOX) of 2002; the Gramm-Leach-Bliley Act (GLB) of 1999; the Electronic Fund Transfer Act, Regulation E, of 1978; the Federal Rules of Civil Procedure (FRCP) (1938, updated in 2006); Massachusetts 201 CMR 17 (aka Mass Data…