2. Today’s Chocolate Bar: 3 Musketeers
When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.
3. Some Of This Stuff Is Tedious
So, after each section we will have “take away slides”. PAY ATTENTION TO THOSE!
4. Industry Regulations
Why Bother Learning Them?
Ability to impress interviewers
It all relies on TECHNOLOGY
Learn:
Policies
Procedures
Legislation
Guidance
5. Today
Regulation, legislation and guidance definitions. Provide a common understanding of the different types of requirements.
Commercial Guidance: Industry must be concerned with compliance, legislation and guidance.
Federal, State, International and Industry Regulations
6. Information Security Related Laws
Federal Information Security Management Act of 2002 (“FISMA”)
Gramm-Leach-Bliley Act (“GLBA”)
Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
Sarbanes-Oxley Act
USA PATRIOT Act
Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
Electronic Communications Privacy Act (“ECPA”)
7. Take Away
There are 5 or 6 major information security laws
They all pretty much say the same things, with about 20% special differences related to the specific industries they cover
The 80% / 20% rule
8. What’s the difference between Federal laws and regulations?
Laws generally specify what is required, but not how it should be done.
Laws are frequently vague and can be ambiguous.
9. What Are Regulations?
Regulations stipulate requirements to be compliant with laws
Regulations may contain specific steps or procedures for compliance
Frequently composed with help from industry experts
10. Take Away
Laws are general
Regulations are more specific
11. Federal Activities Related to Information Security
Major Federal responsibility is securing Federally owned/operated systems.
Federal government does not generally regulate security of non-government systems.
HOWEVER, Federal government does require that certain types of information be protected.
Federal government is working with industry regarding security of critical infrastructure.
12. Federal Laws We’re Going to Cover Today
Federal Information Security Management Act (FISMA)
Gramm-Leach-Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Sarbanes-Oxley Act (SOX)
13. Federal Information Security Management Act
Builds on requirements of:
Computer Security Act of 1987
Paperwork Reduction Act of 1995
Information Technology Management Reform Act of 1996
Provides basic statutory framework for securing Federally owned/operated computer systems.
14. FISMA
Requires each agency to:
Inventory computer systems,
Identify and provide appropriate security protections, and
Develop, document and implement an agency-wide information security program
Authorizes the National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by the federal government.
15. Take Away
FISMA covers Federal Government systems
Encrypted information
Defense information
National Security information
Inventory computer systems,
Identify and provide appropriate security protections, and
Develop, document and implement an agency-wide information security program
16. Gramm-Leach-Bliley Act
Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc.
FTC announced final rule implementing GLBA in May 2002.
17. GLBA (cont)
FTC GLBA regulations:
Published at 16 CFR 314
Require “financial institutions” to develop, implement and maintain a comprehensive information security program with appropriate administrative, technical and physical safeguards, including:
Designating an employee to coordinate the program
Performing risk assessments
Performing regular testing and monitoring
A process for making changes in light of test results or changes in circumstances.
18. So what is a “financial institution” under GLBA?
Under the GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers’ non-public personal financial information.
19. GLBA Continued
FTC’s GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.
What’s tricky about GLBA?
Broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., a department store that offers lay-away services or manufacturers that offer equipment financing).
Multiple agencies with authority to issue regulations. Could conflict.
20. What do you need to do under GLBA?
If GLBA applies to your company:
Create, implement and maintain an information security program.
The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).
Regularly assess risks.
21. GLBA, What You Need To Do
Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers.
Adjust the information security program as necessary based on testing or other changes.
22. Take Away
Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
23. Health Insurance Portability and Accountability Act
Authorizes the Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:
Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;
Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
24. HIPAA Continued
HIPAA security regulations are much more substantive than GLBA security regulations.
GLBA is vague, HIPAA is more specific!
25. HIPAA Scope & Key Definitions
Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information.
26. Definitions You Will Forget
HIPAA Key Definitions
Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.”
“Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.
“Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (e.g., claims processing, benefit management, etc.).
27. HIPAA Security Rule - General
Requires CEs to implement a unified security approach based on “defense in depth.”
Is technology neutral. CEs select appropriate technology to protect information.
Requires CEs to protect information from both internal and external threats.
Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.
28. HIPAA Security Regulations
HIPAA security requirements fall into three categories:
Administrative Safeguards
Physical Safeguards
Technical Safeguards
Each category includes:
“standards”: WHAT the organization must do; and
“implementation specifications”: HOW it must be done.
29. HIPAA Administrative Safeguards
Administrative safeguards require documented policies and procedures for managing:
Day-to-day operations;
Conduct and access of workforce members to protected information;
Selection, development and use of security controls.
30. HIPAA Physical Safeguards
Physical safeguards are intended to protect information systems and protected information from unauthorized physical access.
CE must limit physical access while still permitting authorized physical access.
31. HIPAA Technical Safeguards
Technical Safeguards are requirements for using technology to control access to protected information:
Access Controls
Audit Controls
Information Integrity Controls
Person or entity authentication
Transmission security
32. HIPAA Documentation Requirements
CE must maintain documentation (e.g., policies and procedures) required by the HIPAA Security Rule until the LATER OF:
6 years from date of creation; OR
6 years from date policy/procedure was last in effect.
CE must regularly review and update documentation.
33. Take Away
HIPAA covers healthcare related institutions, both public and private
Technical Controls
Physical Controls
Administrative Controls
34. Sarbanes-Oxley
After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX.
Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”
Two sections of SOX have impact on information security: Section 302 and Section 404.
35. Sarbanes-Oxley Sections 302 and 404
Section 302 states that the CEO and CFO must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting.
Section 404 states that the corporation must assess the effectiveness of internal controls and report the assessment to the SEC. The assessment must also be reviewed by an outside auditing firm.
36. Godzilla Size Take Away
No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.
37. What do you have to do to comply with SOX?
Comply with requirements of ITGI Framework Topics:
Security Policy
Security Standards
Access and Authentication
User Account Management
Network Security
Monitoring
Segregation of Duties
Physical Security
38. SOX Audit
Auditors will look for:
Whether policies exist for appropriate information security topics
Whether policies have been approved at appropriate management levels
Whether policies are communicated effectively to personnel
39. Take Away
A core goal of SOX is to protect investors by providing assurance that financial data is truthful and has maintained its integrity
Without technical controls, you have no way to verify financial data truthfulness and integrity
Hardly begins to explain why we just gave 700 billion to the banks!
40. California has been leading the way
Requires notification to California-resident data owners if a security breach discloses (or might have disclosed) certain information that could lead to identity theft.
41. Covered Information
Name (full name or first initial and last name)
Social security number
Driver’s license number
California Identification Card number
Account number or credit or debit card number along with any required security code, access code, or
42. SB 1386 (cont)
Companies are not required to notify customers if the information was stored in encrypted form.
Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.
43. AB 1950
On Sept. 29, California enacted AB 1950, which requires that a business that:
Stores personal information about a California resident MUST implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
Discloses personal information about a California resident to a third party as part of a contract MUST require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
44. My organization isn’t in California, why should I care?
Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system.
Many states are implementing their own regulations, similar to California’s.
45. FTC has started enforcing security “promises”
FTC Actions Regarding Security:
Eli Lilly: disclosure of email addresses of Prozac prescription holders
Microsoft: overpromising regarding security of the MS Passport service
Guess, Inc.: promising security of information while remaining vulnerable to common attacks
46. You’ve been cracked…
And now you’re sued.
US law requires people to behave “reasonably”.
If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence.
So… if your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get
47. You’ve been sued…
And you might lose.
If you cannot show that you were “reasonable” (which may be defined as having complied with industry regulations), a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s).
This hasn’t happened, yet, but many people think it’s coming.
48. LECTURE TAKE AWAYS
Knowing regulations is impressive to employers, I’m not sure why…
GLB, SOX and HIPAA all require similar things:
Authentication
Auditing
Protection
Data Integrity Proof
80% / 20% rule!!!