
Regulatory and Information Security Compliance

Credit: Matthew E. Luallen

Agenda
- Maturing of Information Technology
- Impact of Regulations and Standards
- A Compliance Framework
- Regulatory and Compliance Initiatives
- Developing Policies, Procedures, Standards and Guidelines

Maturing of Information Technology

Overview of Market Trends and Future Industry Direction


HBR (Harvard Business Review) article
"IT Doesn't Matter" by Nicholas G. Carr (HBR, May 2003). The article states that IT will someday no longer be revolutionary and will be taken for granted, like the railroad system; portions of IT become a commodity.

What are your thoughts?


How does this apply to information protection? Cloud computing?
A MUST READ: http://www.wired.com/gadgetlab/2012/08/apple-amazonmat-honan-hacking/all/

Maturity of Other Sectors


- Transportation
- Telecommunications
- Healthcare
- Energy
- Agriculture

Regulatory Bodies
- Federal Energy Regulatory Commission
- Federal Communications Commission
- Surface Transportation Board
- National Highway Traffic Safety Administration
- Federal Highway Administration
- U.S. Consumer Product Safety Commission
- Securities and Exchange Commission
- Illinois Commerce Commission
- And many others

Impact of Regulations and Standards

The Impact of Legal and Regulatory Compliance


The impact of legal and regulatory compliance can be tremendous and can have the following effects:
- Budgetary burdens
- Fines and penalties
- Civil action
- Criminal action
- Revocation of licenses and rights to conduct business
- Reputation and integrity

The Challenges of Legal and Regulatory Compliance


- Many laws and regulations are open to interpretation
- Enforcement mechanisms for newer legislation are yet to be seen
- Due care must be used when preparing compliance programs; what is due care?
- Documentation of rationale is critical
- Budgetary hardships can be an issue

The Wide-Reaching Impact of Prevalent Regulations


Wide-reaching impact; no business, industry, or individual seems to be immune from the impact of some legislation or regulation:
- CA SB 1386: anyone that stores confidential data on CA residents
- HIPAA: healthcare
- GLBA: financial services
- Sarbanes-Oxley: publicly traded companies
- EU Data Protection: European and US
- US Patriot Act: just about everyone

Regulation Says What?

- HIPAA
- GLBA
- Sarbanes-Oxley
- CA SB 1386
- EU Data Protection

Regulations are Real.


- Eli Lilly & Co. mistakenly disclosed by e-mail the identities of 600 people on the antidepressant Prozac to each other and has apologized to them. In this case they settled, but future violations of the order would be subject to civil penalties.
- FTC Receives Largest COPPA Civil Penalties to Date in Settlements with Mrs. Fields Cookies and Hershey Foods (February 27, 2003): Mrs. Fields pays civil penalties of $100,000 and Hershey pays civil penalties of $85,000.

Privacy Violations are Real.


Victoria's Secret reveals too much: insufficient Web site security caused a breach of privacy of Victoria's Secret customers' PII.
- Customers' PII was accessible from August through November, 2002
- Approximately 560 customers nationwide were affected

Settlement reached in October, 2003:
- Pay State of New York $50,000 as costs and penalties
- Establish and maintain an information security program to protect personal information
- Establish management oversight and employee training programs
- Hire an external auditor to annually monitor compliance with the security program
- Provide refunds or credits to all affected New York consumers

Privacy policy states: "Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information . . . is maintained in private files on our secure web server and internal systems . . . ."

A Compliance Framework


Some Guiding Solutions

Regulatory Compliance
compliance n. The act of complying with a wish, request, or demand


Information Security and Data Privacy Legal & Regulatory Compliance Framework

Information Security and Data Privacy Legal & Regulatory Compliance

INVESTIGATION (Research): What info. sec. & data privacy laws & regs. are out there?

VALIDATION (Applicability): Your enterprise, your customers / clients, your business partners

INTERPRETATION (Business Impact): Info. sec. & data privacy legal & regulatory business impact assessment

IMPLEMENTATION (Design, Development, Deployment, Sustainment, Enforcement): How must the existing information security framework / program be refined to assure legal & regulatory compliance?

Change management: How may longevity of compliance be assured among an ever-changing legal / regulatory landscape?

A Framework - Investigation

- Need to identify regulations regardless of immediate understanding of their applicability
- Data privacy is gigantic and far-reaching; be cautious
- Document the entire process!

A Framework - Validation

- Is your organization international?
- What about your clients' requirements?
- Should the organization adopt compliance categories that are outside of its operational scope?

A Framework - Interpretation

- What is the difference between addressable and required?
- What effect (and who will be affected) will legal / regulatory requirements have on the organization?
- Do you really mitigate liability by doing nothing?

A Framework - Implementation
Information Security and Data Privacy Legal & Regulatory Compliance

IMPLEMENTATION: How must the existing information security framework / program be refined to assure legal & regulatory compliance?
- Design
- Development
- Deployment
- Sustainment
- Enforcement

Change management: How may longevity of compliance be assured among an ever-changing legal / regulatory landscape?

Regulatory and Compliance Initiatives


Legal / Regulatory Compliance


Trends
- Increasing presence of legislation
- Increasing government agency enforcement mechanisms

Do not allow your organization to be a poster child.

Legal / Regulatory Potpourri


The following is a list of some prevalent regulations:
- CA SB 1386
- HIPAA
- GLBA
- Sarbanes-Oxley
- EU Data Protection
- Patriot Act
- FISMA
- COPPA
- The Can-Spam Act
- Basel II

HIPAA and GLBA


HIPAA (Health Care)
45 CFR parts 160 and 164 provide the federal basis of privacy protection for health information in the United States, while allowing more protective (stringent) state laws to continue in force. Under the privacy rule, PHI is defined very broadly.

GLBA (Finance)
Also called the Financial Services Modernization Act of 1999. This act provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.


GISRA / FISMA and EU Data Privacy


GISRA / FISMA (Government Agencies)
All agency programs will include procedures for detecting, reporting, and responding to security incidents, including notifying and consulting with law enforcement officials, other offices and authorities, and the FedCIRC.

EU Data Privacy (European Union Residents)
Sets standards for protecting personal data within the European Union.

CA SB 1386 and SOX


CA SB 1386 (California Residents)
Provides Californians with immediate notification when confidential information about them has been compromised due to a breach on any computer system that stores such information and this breach is discovered.

Sarbanes-Oxley (Publicly Traded Companies)
Requires new attention to security as a part of a risk management framework to certify internal controls and attest to the accuracy of financial information (for example, relating to fraud, accidents, or lack of discipline).

Basel II
- Regulatory framework governing risk management practices for financial institutions
- Defines minimum capital requirement for adherence and review of public disclosure procedures
- May require well-defined business continuity operations
- Provides financial institutions a standard methodology to evaluate risk

Legal / Regulatory Potpourri (cont)


- Norway: Personal D Reg Act, in force 14 April 2000
- Sweden: Personal Data Act, in force 24 October 1998
- Belgium: Data Protection Act, in force 1 Sep 2001
- Germany: Data Protection Act, in force 23 May 2001
- Austria: Data Protection Act, in force 1 January 2000
- United States (Federal): CPP Act 1984; VPP Act 1988; COPPA Act 1998, in force 21 April 2000; HIPAA Act, in force 14 April 2001; GLB Act, in force 1 July 2001
- Canada: PIP&ED Act, commenced 1 Jan 2001
- Mexico: eCommerce Act, in force 7 June 2000
- Taiwan: Computer Processed DP, in force 11 August 1995
- Switzerland: Data Protection Act, in force 1 June 1999
- Hong Kong: Personal Data (Privacy), in force 20 Dec 1996
- Australia: Privacy Act, in force 21 Dec 2001
- New Zealand: Privacy Act, in force 1 July 1993
- South Korea: eCommerce Act, in force January 1999
- Italy: Data Protection Act, in force 8 May 2000
- Spain: Data Protection Act, in force 14 January 2000
- Portugal: Personal DP Act, in force 27 October 1998
- Finland: Personal DP Act, in force 1 June 1999
- Denmark: Act on Processing of PD, in force 1 July 2000
- Ireland: EC Data Protection Reg, in force 1 April 2002
- United Kingdom: Data Protection Act, in force 1 March 2000
- Luxembourg: Data Protection Law, 8 February 2002
- Netherlands: Personal DP Act, in force June 2001
- France: Data Protection Act, in force 6 January 1978
- Greece: Protection Processing PD, in force 10 April 1997
- Eastern Europe: Estonia; Poland; Slovakia; Slovenia; Hungary; Czech; Latvia; Lithuania

Outside of the Regulatory Space: Payment Card Industry (PCI) Standard

How did this standard arrive?
- Identity theft and revenue loss

What credit card companies are involved?
- VISA
- Mastercard
- American Express
- Discover Card

PCI 1.0 Level Requirements


PCI Standard version 1.0 - 12

Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes

Maintain an Information Security Policy
12. Maintain a policy that addresses information security
PCI 1.0 Cliff Notes


- Policies, Standards and Procedures
- Written Technical Documentation
- External Assessment

Successful integrations typically include the following:
- Review and recommendations by 3rd party (non-PCI organization)
- Integration of results of gap analysis
- Review by PCI certified organization
- Annual review

Others?
- Securities and Exchange Commission (SEC)
- Federal, State and Local Requirements
- Food and Drug Administration (FDA)
- Federal Communications Commission (FCC)
- NERC
- List of other government agencies: http://www.lib.lsu.edu/gov/alpha

Developing Policies, Procedures, Standards and Guidelines


Information Security Policies


Policies are high-level statements that provide guidance when making present and future decisions (that is, business rules or organization-specific laws). They are mandatory (compliance is required); for example, "Do not," "You must," or "You are obligated to."

Why are Policies Critical?


- Assures the proper implementation of controls
- Guides the product selection and development process
- Demonstrates management support
- Avoids liability
- Protects proprietary information and trade secrets

Developing Good Policies


Gathering key information and reference materials
- Reference a recent risk assessment, EDP audit, etc.
- Understand the business and the nature of its information

Defining a framework for policies
- Topics to be covered
- Ways in which the organization expresses policy
- How policies will be used
- Appropriate level of detail

Establish control categories for each audience
- End users, management, systems department, business partners, etc.

Supporting Information Security Standards and Procedures


Policies
Includes a statement of purpose, description of the affected parties, history of revisions, a few special term definitions, and specific policy instructions from management

Standards
Provides specific technical requirements

Procedures
Describes specific operational steps

Should be succinct

Relationship between Policies, Standards, Procedures & Guidelines


Policy
All laptop computers must be physically secured.

Standard
All laptop computers must be secured using the MicroSaver Retractable cable lock (model no. 64149).

Guidelines
It is recommended that you never leave any computer system unattended.

Procedure
As a laptop owner, ensure that a cable lock is received from the resource center. The cable lock may be secured to the laptop by first positioning the eye of the lock into ...

Common Information Protection Policies


Acceptable Use Policy
Usage restrictions for equipment and computing systems

Information Sensitivity Policy
Information classification system

Access Control Policy
Standards for accessing information

[Figure: policy lifecycle cycle with the stages Policies & standards, Design, Deploy, Monitor & audit, Assessment, Accreditation]

Effectively Applying Information Protection Policies


Ethics Policy
Openness, trust, and integrity in business practice

Business Continuity Policy


Mission-critical operations

Risk Assessment Policy


Threat and vulnerability assessments

Extranet Policy
Third-party access requirements

Implementation and Enforcement of Policies, Standards, and Procedures


The following activities need to be performed before information security policies, standards, and procedures may be effectively implemented and enforced:
- Develop collaboratively among several business units, and not in a vacuum
- Develop in such a way that compliance may be evaluated and measured accordingly
- Document
- Integrate in applicable business units throughout the organization
- Incorporate in the organization's knowledge bases, awareness and education programs

Policy, Standard, and Procedure Enforcement


Ownership
Identify the owner of the process

Investigation
Establish adequate policy controls and evaluate compliance measures

Human Resources
Couple information protection and job descriptions

Compensation and Incentives
Develop an incentive program for compliance

Security Awareness Program Development


You must understand the needs and current levels of training.
Relevance to the audience must be considered (not everyone in the organization needs the same degree of awareness to do their jobs).

You should distinguish by function and familiarity with systems. People are the weakest link and must be educated and trained.

Information Security Awareness and Education Goals


Must stress how security will support the organization's business objectives. Identify the following:
- What the business needs and objectives are
- How the security program supports the business needs and objectives

Needs to be integrated into a comprehensive risk management program

Considerations When Implementing


- Helps employees understand why to take information security seriously
- What employees will gain from compliance (the "me" factor)
- How it will help employees with their responsibilities and tasks
- Needs to begin at new hire orientation and be reinforced regularly

Successful Campaign Components


The three key components necessary to effectively develop and execute an information security program include:
- People: key program development and execution component
- Process: guidance component for program execution; alignment with business operations, processes, and objectives is mission-critical
- Technology: key enabler for program execution; ineffective in the absence of people and processes

Operational Security (OPSEC)


Security Must Be Integrated
- Built in to the business processes
- Must provide a value to the business model

Value Proposition / Business Drivers
- Consumers
- Workforce
- Business Partners
- Intellectual Property

- Makes information discovery non-obvious
- Secure information architecture

Information Discovery
How can you find out *things*; where should you look?
- Internet Archive (Wayback Machine)
- SEC Edgar Database
- US State and Federal Criminal Databases
- Corporate or External Search Engine
- Patent Databases
- Attrition.org Dataloss
- Technical Information Leakages (Newsgroups, Leaked Website Information,

Examples given in class

Secure Information Architecture


Evaluate and refine business processes
- Retrofit your information systems to align with key business processes
- Don't be tempted by the dark side of the force and fall into the common trap of doing the opposite

Build secure systems around the business process
- Do not simply install products for security
- Know the differences between the business process versus the business practice

Think of system architecture as evaluating the business processes, identifying appropriate technologies and then issuing building permits.

True Business Integration


Information Security is NOT mature until we can electronically identify the following internal events:
- A new hire addition
- An insider position change