cns394 unit8 regulatory
TRANSCRIPT
-
8/12/2019 Cns394 Unit8 Regulatory
Regulatory and Information Security Compliance
Credit: Matthew E. Luallen
-
Agenda
Maturing of Information Technology
Impact of Regulations and Standards
A Compliance Framework
Regulatory and Compliance Initiatives
Developing Policies, Procedures, Standards and Guidelines
-
Maturing of Information Technology
-
Overview of Market Trends and Future Industry Direction
HBR (Harvard Business Review) article: "IT Doesn't Matter" by Nicholas G. Carr (HBR, May 2003)
The article states that IT someday will no longer be revolutionary and will be taken for granted like the railroad system. Portions of IT become a commodity.
What are your thoughts? How does this apply to information protection? Cloud computing?
A MUST READ: http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/all/
-
Maturity of Other Sectors
Transportation
Telecommunications
Healthcare
Energy
Agriculture
-
Impact of Regulations and Standards
-
The Challenges of Legal and Regulatory Compliance
Many laws and regulations are open to interpretation
Enforcement mechanisms for newer legislation are yet to be seen
Due care must be used when preparing compliance programs; what is due care?
Documentation of rationale is critical
Budgetary hardships can be an issue
-
The Wide-Reaching Impact of Prevalent Regulations
Wide-reaching impact: no business, industry, or individual seems to be immune from the impact of some legislation or regulation
CA SB 1386: anyone that stores confidential data on CA residents
HIPAA: healthcare
GLBA: financial services
Sarbanes-Oxley: publicly traded companies
EU Data Protection: European and US
US Patriot Act: just about everyone
-
Regulation Says What?
Sarbanes-Oxley
HIPAA
GLBA
EU Data Protection
CA SB 1386
-
Regulations are Real.
Eli Lilly & Co. mistakenly disclosed by e-mail the identities of 600 people on the antidepressant Prozac to each other and has apologized to them.
In this case they settled, but future violations of the order would be subject to civil penalties.
FTC Receives Largest COPPA Civil Penalties to Date in Settlements with Mrs. Fields Cookies and Hershey Foods (February 27, 2003)
Mrs. Fields pays civil penalties of $100,000 and Hershey pays civil penalties of $85,000
-
Privacy Violations are Real.
Victoria's Secret reveals too much: insufficient Web site security caused a breach of privacy of Victoria's Secret customers' PII
Customers' PII was accessible from August through November 2002
Approximately 560 customers nationwide were affected
Settlement reached in October 2003:
Pay State of New York $50,000 as costs and penalties
Establish and maintain an information security program to protect personal information
Establish management oversight and employee training programs
Hire an external auditor to annually monitor compliance with the security program
Provide refunds or credits to all affected New York consumers
Privacy policy states: "Any information you provide to us at this site when you establish or update an account, enter a contest, shop online or request information . . . is maintained in private files on our secure web server and internal systems . . . ."
-
A Compliance Framework
-
Some Guiding Solutions
Regulatory Compliance
compliance n. The act of complying with a wish, request, or demand
-
A Framework - Investigation
Need to identify regulations regardless of immediate understanding of their applicability
Data privacy is gigantic and far-reaching, be cautious
Document the entire process!
-
A Framework - Validation
Is your organization international?
What about your clients' requirements?
Should the organization adopt compliance categories that are outside of its operational scope?
-
A Framework - Interpretation
What is the difference between "addressable" and "required"?
What effect (and who will be affected) will legal / regulatory requirements have on the organization?
Do you really mitigate liability by doing nothing?
-
A Framework - Implementation
Information Security and Data Privacy
Legal & Regulatory Compliance
IMPLEMENTATION: How must the existing information security framework / program be refined to assure legal & regulatory compliance?
Development
Deployment
Sustainment
Design
Enforcement
Change management: How may longevity of compliance be assured among an ever-changing legal / regulatory landscape?
-
Regulatory and Compliance Initiatives
-
Legal / Regulatory Compliance
Trends:
Increasing presence of legislation
Increasing government agency enforcement mechanisms
Do not allow your organization to be a poster child
-
Legal / Regulatory Potpourri
The following is a list of some prevalent regulations:
CA SB 1386
HIPAA
GLBA
Sarbanes-Oxley
EU Data Protection
Patriot Act
FISMA
COPPA
The Can-Spam Act
Basel II
-
HIPAA and GLBA
HIPAA (Health Care): 45 CFR parts 160 and 164 provides the federal basis of privacy protection for health information in the United States, while allowing more protective (stringent) state laws to continue in force. Under the privacy rule, PHI is defined very broadly.
GLBA (Finance): Also called the Financial Services Modernization Act of 1999. This act provides limited privacy protections against the sale of your private financial information. Additionally, the GLBA codifies protections against pretexting, the practice of obtaining personal information through false pretenses.
-
CA SB 1386 and SOX
CA SB 1386 (California Residents): Provides Californians with immediate notification when confidential information about them has been compromised due to a breach on any computer system that stores such information and this breach is discovered
Sarbanes-Oxley (Publicly Traded Companies): Requires new attention to security as part of a risk management framework to certify internal controls and attest to the accuracy of financial information (for example, relating to fraud, accidents, or lack of discipline)
-
Basel II
Regulatory framework governing risk management practices for financial institutions
Defines minimum capital requirement for adherence and review of public disclosure procedures
May require well-defined business continuity operations
Provides financial institutions a standard methodology to evaluate risk
-
Outside of the Regulatory Space - Payment Card Industry (PCI) Standard
How did this standard arrive? Identity theft and revenue loss
What credit card companies are involved?
VISA
Mastercard
American Express
Discover Card
-
PCI 1.0 Level Requirements
-
PCI Standard version 1.0 - 12
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data
4. Encrypt transmission of cardholder data and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
-
PCI Standard version 1.0 - 12
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
-
Others?
Securities and Exchange Commission (SEC)
Federal, State and Local Requirements
Food and Drug Administration (FDA)
Federal Communications Commission (FCC)
NERC
List of other government agencies: http://www.lib.lsu.edu/gov/alpha
-
Developing Policies, Procedures, Standards and Guidelines
-
Information Security Policies
Policies are high-level statements that provide guidance when making present and future decisions (that is, business rules or organization-specific laws).
Mandatory (compliance is required)
For example, "Do not", "You must", or "You are obligated to"
-
Why are Policies Critical?
Assures the proper implementation of controls
Guides the product selection and development process
Demonstrates management support
Avoids liability
Protects proprietary information and trade secrets
-
Developing Good Policies
Gathering key information and reference materials
Reference a recent risk assessment, EDP audit, etc.
Understand the business and nature of information
Defining a framework for policies
Topics to be covered
Ways in which organization expresses policy
How policies will be used
Appropriate level of detail
Establish controls categories for each audience
End users, management, systems department, business partners, etc.
-
Supporting Information Security Standards and Procedures
Policies: Includes a statement of purpose, description of the affected parties, history of revisions, a few special term definitions, and specific policy instructions from management
Standards: Provides specific technical requirements
Procedures: Describes specific operational steps
Should be succinct
-
Relationship between Policies, Standards, Procedures & Guidelines
Policy: All laptop computers must be physically secured.
Standard: All laptop computers must be secured using the MicroSaver Retractable cable lock (model no. 64149).
Procedure: As a laptop owner, ensure that a cable lock is received from the resource center. The cable lock may be secured to the laptop by first positioning the eye of the lock into ...
Guidelines: It is recommended that you never leave any computer system unattended.
-
Common Information Protection Policies
Acceptable Use Policy: Usage restrictions for equipment and computing systems
Information Sensitivity Policy: Information classification system
Access Control Policy: Standards for accessing information
[Diagram: accreditation cycle - Assessment, Design, Deploy, Monitor & audit - built on Policies & standards]
-
Effectively Applying Information Protection Policies
Ethics Policy: Openness, trust, and integrity in business practice
Business Continuity Policy: Mission-critical operations
Risk Assessment Policy: Threat and vulnerability assessments
Extranet Policy: Third-party access requirements
-
Implementation and Enforcement of Policies, Standards, and Procedures
The following activities need to be performed before information security policies, standards, and procedures may be effectively implemented and enforced:
Develop collaboratively among several business units, and not in a vacuum
Develop in such a way that compliance may be evaluated and measured accordingly
Document
Integrate in applicable business units throughout the organization
Incorporate in the organization's knowledge bases, awareness and education programs
-
Considerations When Implementing
Needs to begin at new hire orientation and be reinforced regularly
Helps employees understand why to take information security seriously
How it will help the employees with their responsibilities and tasks
What will employees gain from compliance (the "me" factor)
-
Successful Campaign Components
The three key components necessary to effectively develop and execute an information security program include:
People: Key program development and execution component
Process: Guidance component for program execution; alignment with business operations, processes, and objectives is mission-critical
Technology: Key enabler for program execution; ineffective in the absence of people and processes
-
Operational Security (OPSEC)
Security Must Be Integrated
Built in to the business processes
Must provide a value to the business model
Value Proposition / Business Drivers: Consumers, Workforce, Business Partners, Intellectual Property
Makes Information Discovery non-obvious
Secure Information Architecture
-
Information Discovery
How can you find out *things*; where should you look?
Internet Archive (Wayback Machine)
SEC Edgar Database
US State and Federal Criminal Databases
Corporate or External Search Engine
Patent Databases
Attrition.org Dataloss
Technical Information Leakages (Newsgroups, Leaked Website Information,
Examples given in class
-
Secure Information Architecture
Evaluate and refine business processes
Retrofit your information systems to align with key business processes
Don't be tempted by the dark side of the force and fall into the common trap of doing the opposite
Build secure systems around the business process
Do not simply install products for security
Know the differences between the business process versus the business practice
Think of system architecture as evaluating the business processes, identifying appropriate technologies and then issuing building permits
-
True Business Integration
Information Security is NOT mature until we can electronically identify the following internal events:
A new hire addition
An insider position change
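The slide above says a mature program can electronically detect a new hire and an insider position change. The following is an added example, not code from the course or its author, showing one way to do that: reconcile two successive HR roster snapshots and emit an event for each hire and position change (it also reports departures, a generalization beyond the two events the slide lists). The roster data, the field names (emp_id, department, role) and the rule that IT is the privileged-access population are all constructed assumptions for the example.

```python
"""Added example (not from the slides): detect a new hire and an insider
position change by reconciling two HR roster snapshots. All data below is
constructed; the field names are assumptions, not any real HR system's schema."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Employee:
    emp_id: str
    name: str
    department: str
    role: str


# Constructed roster snapshots: yesterday's export and today's export.
YESTERDAY = [
    Employee("E100", "A. Rivera", "Finance", "Analyst"),
    Employee("E101", "B. Chen", "IT", "Sysadmin"),
    Employee("E102", "C. Okafor", "Sales", "Rep"),
]
TODAY = [
    Employee("E100", "A. Rivera", "Finance", "Analyst"),
    Employee("E101", "B. Chen", "IT", "Security Engineer"),  # position change
    Employee("E102", "C. Okafor", "Sales", "Rep"),
    Employee("E103", "D. Patel", "IT", "Helpdesk"),           # new hire
]


def diff_roster(before, after):
    """Return a sorted list of (event, emp_id, detail) tuples.

    event is "NEW_HIRE", "POSITION_CHANGE" or "DEPARTURE". Rows are keyed by
    emp_id, so a name change alone is not mistaken for a hire plus a departure.
    """
    prev = {e.emp_id: e for e in before}
    curr = {e.emp_id: e for e in after}
    events = []
    for emp_id, emp in curr.items():
        old = prev.get(emp_id)
        if old is None:
            events.append(("NEW_HIRE", emp_id, f"{emp.department}/{emp.role}"))
        elif (old.department, old.role) != (emp.department, emp.role):
            events.append(("POSITION_CHANGE", emp_id,
                           f"{old.department}/{old.role} -> {emp.department}/{emp.role}"))
    for emp_id in prev.keys() - curr.keys():
        gone = prev[emp_id]
        events.append(("DEPARTURE", emp_id, f"{gone.department}/{gone.role}"))
    return sorted(events)


def events_requiring_access_review(events):
    """Select the events that should open an access review ticket: every
    position change and departure (stale privilege is the risk), plus hires
    into IT, which this example assumes is the privileged-access population."""
    return [ev for ev in events
            if ev[0] in ("POSITION_CHANGE", "DEPARTURE")
            or (ev[0] == "NEW_HIRE" and ev[2].startswith("IT/"))]


if __name__ == "__main__":
    for ev in diff_roster(YESTERDAY, TODAY):
        print(*ev)
```

Feeding the same two snapshots in reverse order produces the mirror-image events, which is a cheap self-check when wiring this into a nightly job; in practice the "before" snapshot is the one the access-control system last acted on, so every emitted event maps to an account-provisioning or review action that can itself be audited.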