
Monday, May 25, 2020

An Information Security Metrics Program Compliance With...

There are three primary goals for an information security metrics program: compliance with legal requirements; reducing risk by adding new or improving existing capabilities; and improving efficiency or reducing cost. To achieve any of these goals it is essential to gather the appropriate data and formulate useful metrics. The need for useful security metrics cannot be overstated, but there can be confusion about what a metric is, and difficulty determining what makes a metric useful. As a business, USAA has a duty to protect and improve shareholder investments, and of course must comply with all applicable laws and regulations. A variety of laws and regulations dictate security requirements for financial institutions.

These federal and state laws affect financial organizations in a few different ways but generally revolve around three functions: confidentiality; integrity; and compliance verified through audits. FACTA includes requirements for the protection of consumer data, including social security numbers and credit card information. It also contains provisions for data integrity in consumer reports and disputes. SOX requires publicly traded organizations to conduct annual assessments of their audit controls and report them to the government. Additionally, they must be audited by an external third party. SOX is designed to protect investors from fraudulent financial reporting by the organization. GLB requires financial institutions to protect the privacy and integrity of their customers' information. Additionally, the companies must implement fraud protection programs to prevent unauthorized disclosure of customer information. Regulation E sets rules and restrictions for electronic funds transfers, and creates requirements for information disclosures and records retention. FRCP outlines requirements for the collection, retention, and production of data that could be required for discovery in a civil lawsuit.
A common thread for all of these federal laws is the need for information confidentiality and integrity, and the ability to effectively audit the systems for compliance with these
