Challenges of Recent Legislation and the Need for IT Policy. Jacqueline Craig, University of California Office of the President. Secure IT 2004, April 28, 2004.
Page 1: Title

Challenges of Recent Legislation and the Need for IT Policy

Jacqueline Craig, University of California, Office of the President

Secure IT 2004, April 28, 2004

Page 2: Challenges of Recent Legislation

Examine laws

Policy formulation processes

Steps to achieve policy compliance

Page 3: Common Themes

Transparency

Review and evaluation to ensure compliance

Accountability

Page 4: Information Security Program

Risk assessment

Business continuity

Incident response

Information security plans

Education and awareness training

Audit processes

Page 5: Family and Educational Rights and Privacy Act of 1974 (known as the Buckley Amendment)

An early model

A high bar for the privacy and protection of student records

A set of principles reflected in subsequent laws

Page 6: FERPA Principles

Transparency: open records

Ability to inspect, to know what is happening to one's records

Ability to correct the record

Institutional obligation to maintain a record of disclosure and provide notice

Requirement to secure all records

Page 7: Sectoral Privacy Law

Health Insurance Portability and Accountability Act (HIPAA)

Gramm-Leach-Bliley (G-L-B)

Page 8: HIPAA

Establishes national standards for electronic health care transactions and national identifiers for providers, health plans, and employers

Privacy Regulations: effective April 14, 2003

Security Regulations: due April 21, 2005

Page 9: G-L-B Objectives

Ensure security and confidentiality of customer records and information

Protect against any anticipated threats or hazards to the security or integrity of such records

Protect against any unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer

Page 10: California: Social Security Numbers

SB 25: Personal Information: Security

AB 763: Privacy: Social Security Numbers

Intent is to prevent identity theft and to protect social security numbers from being stolen electronically or from paper documents

Effective: January 1, 2004

Page 11: California legislation prohibits

Public posting of SSNs

Printing SSNs on access cards

Requiring individuals to transmit SSN over unsecured Internet

Requiring use of SSN to access internet web sites

Printing of SSN on materials mailed to individuals

Encoding SSN on a card or document using bar code, chip, magnetic strip

Page 12: Identity Theft

California Civil Code section 1798.29 (SB 1386), effective July 1, 2003

Requires notification to any California resident whose unencrypted personal information is reasonably believed to have been acquired as a result of a security breach

Page 13: Intellectual Property Laws: DMCA and the Teach Act

DMCA

Do we monitor our networks to identify illegal file sharing?

How does that practice comport with your network management practice?

Page 14: Teach Act

Requires institutions to apply technological protection measures to reasonably prevent:

Retention for longer than is necessary

Downstream copying or dissemination

Page 15: USA PATRIOT ACT

Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, 2001

Impacts or modifies more than 15 existing statutes

Enhances government’s ability to engage in surveillance activities

Page 16: USA PATRIOT ACT

Establishes lower threshold for obtaining records than required by FERPA

Reduces requirements for requests for information (subpoenas, search warrants, pen/trap or wiretap order)

Accelerates and expands foreign student visa monitoring program (SEVIS)

Page 17: USA PATRIOT ACT

Be sure you have a protocol for any “information” requests

Establish a single point of entry for all information or surveillance requests

Maintain a confidential log of these requests

Establish procedures for requests

Establish emergency and computer trespasser procedures

Involve legal counsel if requests are received

Page 18: Common themes

Establish policy and procedures

Identify roles and assign responsibility

Conduct education and awareness programs

Page 19: Risk Assessment

Conduct classification of data/records

Identify vulnerabilities and threats

Page 20: Workforce Issues

Education and training

Background checks

Identify individuals authorized to access data

Establish access controls relative to need to know

Establish procedures for noncompliance

Page 21: Implement Risk Controls

Physical security

Technical (logical) security

Evaluate: test and monitor controls

Page 22: Business Continuity Planning

Recovery

Back up

Work in emergency mode

Test plans and procedures

Page 23: Outsourcing

Select and retain capable vendors

Update/create contracts containing safeguard requirements

Page 24: Why common themes?

International Information Security Standard

ISO/IEC 17799

Page 25: SANS Institute

See Sheldon Borkin, The HIPAA Final Security Standards and ISO/IEC 17799, July 15, 2003

http://www.sans.org/rr/papers/53/1193.pdf

HIPAA security standards contain some requirements not covered by ISO 17799

ISO 17799 has some controls not required by HIPAA

Page 26: Creating Policy

Must take into account the culture of your organization

Must engage the entire campus community

Page 27: Look to your local governance structure

Defines the principles of the institution

Establishes the “risk appetite” of the institution

Page 28: Institutional Governance Structure

Defines the academic and business values of the institution

Establishes priorities and allocation of resources

Page 29: Institutional Governance Structure

Is IT at the table?

Is IT a partner in the institutional decisions?

Page 30: Policy

A broad statement

Describes “what” and “why”

Page 31: “How” includes:

Standards and Guidelines: specify technologies and methodologies to be used to secure systems

Procedures: detailed steps to accomplish particular security-related tasks

Page 32: Flavors of policy

Program policy

Issue-specific policy

System-specific policy

Page 33: Flavors of policy

Program policy: high-level policy that determines your IT security program

Has a longer life-span

Defines scope within the institution, assigns responsibilities

Establishes strategic direction

May assign resources for implementation

Page 34: Issue-specific Policy

Must periodically revisit and modify in response to current environment

Addresses such elements as contingency planning, risk assessment methodology, implementation of laws

Page 35: System-specific policies

Configuration of systems: setting business rules to ensure compliance with policy, such as permission sets or access control measures

System specific: terms and conditions of use of email systems, mailing lists policies, or web-use policies

Page 36: Security Policy: common elements

Designate authority

Conduct risk assessments

Establish security plans

Conduct education/awareness training

Communicate

Review and evaluate

Page 37: Policy must be known and understood to be effective

Websites

Handbooks

Procedures

Meetings

Page 38: National Institute of Standards and Technology

Guide to Information Technology Security Services

http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf

Page 39: IT Security Program

A set of security controls grouped under the terms:

Management

Operational

Technical

Page 40: May need multiple security programs to address different business sectors

Broad, institutional view, or

Sectoral views: healthcare services, financial services

Page 41: Information Security Program

Guided by institutional policy

Provides supporting guidelines, standards, procedures

Offers clarity

Converts policy to reality

Page 42: Information Security Program

Risk assessment

Classification of assets

Determination of level of security appropriate to protect operations and assets

Page 43: Information Security Program

Identifies security controls and techniques

Incorporates capital planning to ensure future security needs

Defines metrics to effectively assess the adequacy of current controls, policies, and procedures, and to justify security control investments

Page 44: Security Plans

Separate security plans for individual systems supporting operations and assets

Security incident response

Processes for sharing information regarding vulnerabilities

Page 45: Risk Assessment

“Information” is an asset

A broad campus issue

Information no longer controlled by the central campus

Must identify where information is held on the campus

Page 46: Risk Assessment

Must undergo a culture change to achieve better levels of protection

Failures often lie at the interface

Traditional risk assessment isolates a problem to a traditional view

Page 47: More than 85% have experienced one or more of the following IT incidents in past 12 months

Major system disruption due to virus

Denial of services attack

Altered/vandalized website

Unauthorized access to sensitive institutional data

Threats or abuse behavior via email or other digital communication

Chronicle of Higher Education/Gartner survey of selected subscribers, December 2003

Page 48: Sarbanes-Oxley

Applicable for companies registered with SEC, but raises the bar for corporate accountability

Established new standards: requires improved internal controls to protect information assets from abuse, loss or fraud

Focuses upper management’s attention on data safeguards