Cns394 Unit8 Regulatory


  • 8/12/2019 Cns394 Unit8 Regulatory


Regulatory and Information Security Compliance

    Credit: Matthew E. Luallen


Agenda

- Maturing of Information Technology
- Impact of Regulations and Standards
- A Compliance Framework
- Regulatory and Compliance Initiatives
- Developing Policies, Procedures, Standards and Guidelines


Maturing of Information Technology


Overview of Market Trends and Future Industry Direction

HBR (Harvard Business Review) article: "IT Doesn't Matter" by Nicholas G. Carr (HBR, May 2003). The article states that IT someday will no longer be revolutionary and will be taken for granted like the railroad system. Portions of IT become a commodity.

What are your thoughts? How does this apply to information protection?

Cloud computing? A MUST READ: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/


Maturity of Other Sectors

- Transportation
- Telecommunications
- Healthcare
- Energy
- Agriculture


Impact of Regulations and Standards


The Challenges of Legal and Regulatory Compliance

- Many laws and regulations are open to interpretation
- Enforcement mechanisms for newer legislation are yet to be seen
- Due care must be used when preparing compliance programs; what is due care?
- Documentation of rationale is critical
- Budgetary hardships can be an issue


The Wide-Reaching Impact of Prevalent Regulations

Wide-reaching impact; no business, industry, or individual seems to be immune from the impact of some legislation or regulation.

- CA SB 1386: anyone that stores confidential data on CA residents
- HIPAA: healthcare
- GLBA: financial services
- Sarbanes-Oxley: publicly traded companies
- EU Data Protection: European and US
- US Patriot Act: just about everyone


Regulation Says What?

- Sarbanes-Oxley
- HIPAA
- GLBA
- EU Data Protection
- CA SB 1386


Regulations are Real.

Eli Lilly & Co. mistakenly disclosed by e-mail the identities of 600 people on the antidepressant Prozac to each other and has apologized to them. In this case they settled, but future violations of the order would be subject to civil penalties.

FTC Receives Largest COPPA Civil Penalties to Date in Settlements with Mrs. Fields Cookies and Hershey Foods (February 27, 2003). Mrs. Fields pays civil penalties of $100,000 and Hershey pays civil penalties of $85,000.


Privacy Violations are Real.

Victoria's Secret reveals too much: insufficient Web site security caused a breach of privacy of Victoria's Secret customers' PII.

- Customers' PII was accessible from August through November 2002
- Approximately 560 customers nationwide were affected
- Settlement reached in October 2003:
  - Pay State of New York $50,000 as costs and penalties
  - Establish and maintain an information security program to protect personal information
  - Establish management oversight and employee training programs
  - Hire an external auditor to annually monitor compliance with the security program
  - Provide refunds or credits to all affected New York consumers

Privacy policy stated: "Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information . . . is maintained in private files on our secure web server and internal systems . . . ."


    A Compliance Framework


    Some Guiding Solutions

    Regulatory Compliance

compliance n. The act of complying with a wish, request, or demand


    A Framework - Investigation

- Need to identify regulations regardless of immediate understanding of their applicability
- Data privacy is gigantic and far-reaching; be cautious
- Document the entire process!


    A Framework - Validation

- Is your organization international?
- What about your clients' requirements?
- Should the organization adopt compliance categories that are outside of its operational scope?


    A Framework - Interpretation

- What is the difference between "addressable" and "required"?
- What effect (and who will be affected) will legal / regulatory requirements have on the organization?
- Do you really mitigate liability by doing nothing?


A Framework - Implementation

(Diagram: Information Security and Data Privacy / Legal & Regulatory Compliance / IMPLEMENTATION)

How must the existing information security framework / program be refined to assure legal & regulatory compliance?

Phases: Design, Development, Deployment, Sustainment, Enforcement

Change management: How may longevity of compliance be assured among an ever-changing legal / regulatory landscape?


Regulatory and Compliance Initiatives


Legal / Regulatory Compliance Trends

- Increasing presence of legislation
- Increasing government agency enforcement mechanisms

Do not allow your organization to be a poster child.


    Legal / Regulatory Potpourri

The following is a list of some prevalent regulations:

- CA SB 1386
- HIPAA
- GLBA
- Sarbanes-Oxley
- EU Data Protection
- Patriot Act
- FISMA
- COPPA
- The Can-Spam Act
- Basel II


HIPAA and GLBA

HIPAA (Health Care): 45 CFR parts 160 and 164 provide the federal basis of privacy protection for health information in the United States, while allowing more protective (stringent) state laws to continue in force. Under the privacy rule, PHI is defined very broadly.

GLBA (Finance): Also called the Financial Services Modernization Act of 1999. This act provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.


CA SB 1386 and SOX

CA SB 1386 (California Residents): Provides Californians with immediate notification when confidential information about them has been compromised due to a breach on any computer system that stores such information and this breach is discovered.

Sarbanes-Oxley (Publicly Traded Companies): Requires new attention to security as a part of a risk management framework to certify internal controls and attest to the accuracy of financial information (for example, relating to fraud, accidents, or lack of discipline).


Basel II

- Regulatory framework governing risk management practices for financial institutions
- Defines minimum capital requirement for adherence and review of public disclosure procedures
- May require well-defined business continuity operations
- Provides financial institutions a standard methodology to evaluate risk


Outside of the Regulatory Space - Payment Card Industry (PCI) Standard

How did this standard arrive? Identity theft and revenue loss.

What credit card companies are involved?

- VISA
- Mastercard
- American Express
- Discover Card


    PCI 1.0 Level Requirements


PCI Standard version 1.0 - 12 Requirements

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security


    Others?

- Securities and Exchange Commission (SEC)
- Federal, State and Local Requirements
- Food and Drug Administration (FDA)
- Federal Communications Commission (FCC)
- NERC
- List of other government agencies: http://www.lib.lsu.edu/gov/alpha


Developing Policies, Procedures, Standards and Guidelines


    Information Security Policies

Policies are high-level statements that provide guidance when making present and future decisions (that is, business rules or organization-specific laws). They are mandatory (compliance is required). For example: "Do not", "You must", or "You are obligated to".


    Why are Policies Critical?

- Assures the proper implementation of controls
- Guides the product selection and development process
- Demonstrates management support
- Avoids liability
- Protects proprietary information and trade secrets


    Developing Good Policies

- Gathering key information and reference materials
  - Reference a recent risk assessment, EDP audit, etc.
  - Understand the business and nature of information
- Defining a framework for policies
  - Topics to be covered
  - Ways in which the organization expresses policy
  - How policies will be used
  - Appropriate level of detail
- Establish control categories for each audience
  - End users, management, systems department, business partners, etc.


Supporting Information Security Standards and Procedures

Policies: Include a statement of purpose, description of the affected parties, history of revisions, a few special term definitions, and specific policy instructions from management.

Standards: Provide specific technical requirements.

Procedures: Describe specific operational steps. Should be succinct.


Relationship between Policies, Standards, Procedures & Guidelines

Policy: All laptop computers must be physically secured.

Standard: All laptop computers must be secured using the MicroSaver Retractable cable lock (model no. 64149).

Procedure: As a laptop owner, ensure that a cable lock is received from the resource center. The cable lock may be secured to the laptop by first positioning the eye of the lock into ...

Guidelines: It is recommended that you never leave any computer system unattended.


Common Information Protection Policies

- Acceptable Use Policy: usage restrictions for equipment and computing systems
- Information Sensitivity Policy: information classification system
- Access Control Policy: standards for accessing information

(Diagram: lifecycle of Assessment, Design, Deploy, Monitor & audit, and Accreditation, built around Policies & standards)


Effectively Applying Information Protection Policies

- Ethics Policy: openness, trust, and integrity in business practice
- Business Continuity Policy: mission-critical operations
- Risk Assessment Policy: threat and vulnerability assessments
- Extranet Policy: third-party access requirements


Implementation and Enforcement of Policies, Standards, and Procedures

The following activities need to be performed before information security policies, standards, and procedures may be effectively implemented and enforced:

- Develop collaboratively among several business units, and not in a vacuum
- Develop in such a way that compliance may be evaluated and measured accordingly
- Document
- Integrate in applicable business units throughout the organization
- Incorporate in the organization's knowledge bases, awareness and education programs


Considerations When Implementing

- Needs to begin at new hire orientation and be reinforced regularly
- Helps employees understand why to take information security seriously
- How it will help the employees with their responsibilities and tasks
- What will employees gain from compliance (the "me" factor)


    Successful Campaign Components

The three key components necessary to effectively develop and execute an information security program include:

- People: key program development and execution component
- Process: guidance component for program execution; alignment with business operations, processes, and objectives is mission-critical
- Technology: key enabler for program execution; ineffective in the absence of people and processes


    Operational Security (OPSEC)

Security Must Be Integrated
- Built in to the business processes
- Must provide a value to the business model

Value Proposition / Business Drivers
- Consumers
- Workforce
- Business Partners
- Intellectual Property

Makes information discovery non-obvious: Secure Information Architecture


    Information Discovery

How can you find out *things*; where should you look?

- Internet Archive (Wayback Machine)
- SEC Edgar Database
- US State and Federal Criminal Databases
- Corporate or External Search Engine
- Patent Databases
- Attrition.org Dataloss
- Technical Information Leakages (Newsgroups, Leaked Website Information,

Examples given in class


Secure Information Architecture

- Evaluate and refine business processes
- Retrofit your information systems to align with key business processes
- Don't be tempted by the dark side of the force and fall into the common trap of doing the opposite
- Build secure systems around the business process
- Do not simply install products for security
- Know the differences between the business process versus the business practice
- Think of system architecture as evaluating the business processes, identifying appropriate technologies and then issuing building permits


    True Business Integration

Information Security is NOT mature until we can electronically identify the following internal events:

- A new hire addition
- An insider position change
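As an added example (not part of the slides), one way to electronically identify the two events the slide names is to diff consecutive HR roster snapshots and, for a position change, list the directory groups the person still holds that the new department is not entitled to. The roster fields, group names and department-to-group mapping are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Employee:
    emp_id: str
    department: str
    title: str

# Constructed sample data: two HR roster snapshots (assumed field names).
YESTERDAY = [Employee("1001", "Finance", "Analyst"),
             Employee("1002", "IT", "Sysadmin")]
TODAY = [Employee("1001", "Finance", "Analyst"),
         Employee("1002", "Security", "Security Engineer"),  # position change
         Employee("1003", "HR", "Recruiter")]                 # new hire

# Constructed directory state: groups each id holds, and the groups each
# department is entitled to (assumed names).
GROUPS = {"1001": {"finance-ro"}, "1002": {"it-admins", "vpn-users"}}
DEPT_GROUPS = {"Finance": {"finance-ro"}, "IT": {"it-admins", "vpn-users"},
               "Security": {"sec-team", "vpn-users"}, "HR": {"hr-staff"}}

def roster_events(before, after):
    """Diff two snapshots; return NEW_HIRE / POSITION_CHANGE events in roster order."""
    prev = {e.emp_id: e for e in before}
    events = []
    for emp in after:
        old = prev.get(emp.emp_id)
        if old is None:
            events.append({"event": "NEW_HIRE", "emp_id": emp.emp_id,
                           "department": emp.department})
        elif (old.department, old.title) != (emp.department, emp.title):
            events.append({"event": "POSITION_CHANGE", "emp_id": emp.emp_id,
                           "from": old.department, "to": emp.department})
    return events

def stale_groups(event, groups=GROUPS, dept_groups=DEPT_GROUPS):
    """Groups a mover still holds that the new department is not entitled to."""
    if event["event"] != "POSITION_CHANGE":
        return set()
    return groups.get(event["emp_id"], set()) - dept_groups.get(event["to"], set())

def review_queue(before, after):
    """Each detected event paired with the sorted list of access to review."""
    return [(ev, sorted(stale_groups(ev))) for ev in roster_events(before, after)]

if __name__ == "__main__":
    for ev, stale in review_queue(YESTERDAY, TODAY):
        print(ev, "review:", stale)
```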