Page 1: It industry regulations

Information Systems 365, Lecture 10

Industry Regulations

Page 2: It industry regulations

Today’s Chocolate Bar: 3 Musketeers

When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.

Page 3: It industry regulations

Some Of This Stuff Is Tedious

So, after each section we will have “take away slides”. PAY ATTENTION TO THOSE!

Page 4: It industry regulations

Industry Regulations: Why Bother Learning Them?

Ability to impress interviewers
It all relies on TECHNOLOGY
Learn:
  Policies
  Procedures
  Legislation
  Guidance

Page 5: It industry regulations

Today

Regulation, legislation and guidance definitions. Provide a common understanding of the different types of requirements.

Commercial Guidance: Industry must be concerned with compliance, legislation and guidance.

Federal, State, International and Industry Regulations

Page 6: It industry regulations

Information Security Related Laws

Federal Information Security Management Act of 2002 (“FISMA”)
Gramm-Leach-Bliley Act (“GLBA”)
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Sarbanes-Oxley Act
USA PATRIOT Act
Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
Electronic Communications Privacy Act (“ECPA”)

Page 7: It industry regulations

Take Away

There are 5 or 6 major information security laws.

They all pretty much say the same things, with about 20% special differences related to the specific industries they cover.

The 80%/20% rule

Page 8: It industry regulations

What’s the difference between Federal laws and regulations?

Laws generally specify what is required, but not how it should be done.

Laws are frequently vague and can be ambiguous.

Page 9: It industry regulations

What Are Regulations?

Regulations stipulate requirements to be compliant with laws.

Regulations may contain specific steps or procedures for compliance.

Frequently composed with help from industry experts.

Page 10: It industry regulations

Take Away

Laws are general. Regulations are more specific.

Page 11: It industry regulations

Federal Activities Related to Information Security

Major Federal responsibility is securing Federally owned/operated systems.

Federal government does not generally regulate security of non-government systems.

HOWEVER, Federal government does require that certain types of information be protected.

Federal government is working with industry regarding security of critical infrastructure.

Page 12: It industry regulations

Federal Laws We’re Going to Cover Today

Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)

Page 13: It industry regulations

Federal Information Security Management Act

Builds on requirements of:
  Computer Security Act of 1987
  Paperwork Reduction Act of 1995
  Information Technology Management Reform Act of 1996

Provides basic statutory framework for securing Federally owned/operated computer systems.

Page 14: It industry regulations

FISMA

Requires each agency to:
  Inventory computer systems,
  Identify and provide appropriate security protections, and
  Develop, document and implement an agency-wide information security program.

Authorizes the National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by the federal government.

Page 15: It industry regulations

Take Away

FISMA covers Federal Government systems:
  Encrypted information
  Defense information
  National Security information

Inventory computer systems, Identify and provide appropriate security protections, and Develop, document and implement an agency-wide information security program.

Page 16: It industry regulations

Gramm-Leach-Bliley Act

Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.

Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc.

FTC announced final rule implementing GLBA in May 2002.

Page 17: It industry regulations

GLBA (cont): FTC GLBA regulations

Published at 16 CFR 314.

Require “financial institutions” to develop, implement and maintain a comprehensive information security program with appropriate administrative, technical and physical safeguards, including:
  Designating an employee to coordinate the program
  Performing risk assessments
  Performing regular testing and monitoring
  A process for making changes in light of test results or changes in circumstances.

Page 18: It industry regulations

So what is a “financial institution” under GLBA?

Under the GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information.

Page 19: It industry regulations

GLBA Continued

FTC's GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.

What’s tricky about GLBA?

Broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., a department store that offers lay-away services or manufacturers that offer equipment financing).

Multiple agencies with authority to issue regulations. Could conflict.

Page 20: It industry regulations

What do you need to do under GLBA?

If GLBA applies to your company:

Create, implement and maintain an information security program.

The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).

Regularly assess risks.

Page 21: It industry regulations

GLBA, What You Need To Do

Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers.

Adjust the information security program as necessary based on testing or other changes.

Page 22: It industry regulations

Take Away

Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.

Page 23: It industry regulations

Health Insurance Portability and Accountability Act

Authorizes the Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:

Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;

Protect against any reasonably anticipated threats, unauthorized use or disclosure; and

Ensure compliance by officers and employees.

Page 24: It industry regulations

HIPAA Continued

HIPAA security regulations are much more substantive than GLBA security regulations.

GLBA is vague, HIPAA is more specific!

Page 25: It industry regulations

HIPAA Scope & Key Definitions

Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information.

Page 26: It industry regulations

Definitions You Will Forget: HIPAA Key Definitions

Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.”

“Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.

“Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (e.g., claims processing, benefit management, etc.).

Page 27: It industry regulations

HIPAA Security Rule - General

Requires CEs to implement a unified security approach based on “defense in depth.”

Is technology neutral. CEs select appropriate technology to protect information.

Requires CEs to protect information from both internal and external threats.

Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.

Page 28: It industry regulations

HIPAA Security Regulations

HIPAA security requirements fall into three categories:
  Administrative Safeguards
  Physical Safeguards
  Technical Safeguards

Each category includes:
  “standards”: WHAT the organization must do; and
  “implementation specifications”: HOW it must be done.

Page 29: It industry regulations

HIPAA Administrative Safeguards

Administrative safeguards require documented policies and procedures for managing:
  Day-to-day operations;
  Conduct and access of workforce members to protected information;
  Selection, development and use of security controls.

Page 30: It industry regulations

HIPAA Physical Safeguards

Physical safeguards are intended to protect information systems and protected information from unauthorized physical access.

CE must limit physical access while still permitting authorized physical access.

Page 31: It industry regulations

HIPAA Technical Safeguards

Technical Safeguards are requirements for using technology to control access to protected information:
  Access Controls
  Audit Controls
  Information Integrity Controls
  Person or entity authentication
  Transmission security

Page 32: It industry regulations

HIPAA Documentation Requirements

CE must maintain documentation (e.g., policies and procedures) required by the HIPAA Security Rule until the LATER OF:
  6 years from date of creation; OR
  6 years from date policy/procedure was last in effect.

CE must regularly review and update documentation.

Page 33: It industry regulations

Take Away

HIPAA covers healthcare related institutions, both public and private:
  Technical Controls
  Physical Controls
  Administrative Controls

Page 34: It industry regulations

Sarbanes-Oxley

After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX.

Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”

Two sections of SOX have impact on information security: Section 302 and Section 404.

Page 35: It industry regulations

Sarbanes-Oxley Sections 302 and 404

Section 302 states that the CEO and CFO must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting.

Section 404 states that the corporation must assess the effectiveness of internal controls and report the assessment to the SEC. The assessment must also be reviewed by an outside auditing firm.

Page 36: It industry regulations

Godzilla Size Take Away

No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.

Page 37: It industry regulations

What do you have to do to comply with SOX?

Comply with requirements of ITGI Framework Topics:
  Security Policy
  Security Standards
  Access and Authentication
  User Account Management
  Network Security
  Monitoring
  Segregation of Duties
  Physical Security

Page 38: It industry regulations

SOX Audit

Auditors will look for:

Whether policies exist for appropriate information security topics

Whether policies have been approved at appropriate management levels

Whether policies are communicated effectively to personnel

Page 39: It industry regulations

Take Away

A core goal of SOX is to protect investors by providing assurance that financial data is truthful and has maintained its integrity.

Without technical controls, you have no way to verify financial data truthfulness and integrity.

Hardly begins to explain why we just gave 700 billion to the banks!

Page 40: It industry regulations

California has been leading the way

Requires notification to California-resident data owners if a security breach discloses (or might have disclosed) certain information that could lead to identity theft.

Page 41: It industry regulations

Covered Information

Name (full name or first initial and last name)
Social security number
Driver’s license number
California Identification Card number
Account number or credit or debit card number along with any required security code, access code, or password

Page 42: It industry regulations

SB 1386 (cont)

Companies are not required to notify customers if the information was stored in encrypted form.

Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.

Page 43: It industry regulations

AB 1950

On Sept. 29, California enacted AB 1950, which requires that a business that:

Stores personal information about a California resident MUST implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.

Discloses personal information about a California resident to a third party as part of a contract will require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.

Page 44: It industry regulations

My organization isn’t in California, why should I care?

Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system.

Many states are implementing their own regulations, similar to California’s.

Page 45: It industry regulations

FTC has started enforcing security “promises”

FTC Actions Regarding Security:

Eli Lilly: Disclosure of email addresses of Prozac prescription holders

Microsoft: Overpromising regarding security of the MS Passport service

Guess, Inc.: Promising security of information while remaining vulnerable to common attacks

Page 46: It industry regulations

You’ve been cracked… And now you’re sued.

US law requires people to behave “reasonably”.

If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence.

So… If your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get in.

Page 47: It industry regulations

You’ve been sued… And you might lose.

If you cannot show that you were “reasonable” (which may be defined as having complied with industry regulations), a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s).

This hasn’t happened yet, but many people think it’s coming.

Page 48: It industry regulations

LECTURE TAKE AWAYS

Knowing regulations is impressive to employers, I’m not sure why…

GLB, SOX and HIPAA all require similar things:
  Authentication
  Auditing
  Protection
  Data Integrity Proof

80%/20% rule!!!