MAX 2007 CONNECT. DISCOVER. INSPIRE. LiveCycle Digital Security and Certification Duane Nickull, Sr. Technology Evangelist - Adobe Systems

Abstract (Remove) This session will focus on the persistent rights management and document security technologies in the LiveCycle Enterprise Suite. The components explored will include LiveCycle Digital Signatures ES and LiveCycle Rights Management (formerly Policy Server). The thrust of the talk will focus on LiveCycle ES as a service oriented platform for delivering key interactions with remote clients but will also showcase core capabilities and delve quickly into SDK's and API's for developers.

This session will focus on the persistent rights management and document security technologies in the LiveCycle Enterprise Suite. The components explored will include LiveCycle Digital Signatures ES and LiveCycle Rights Management (formerly Policy Server). The thrust of the talk will focus on LiveCycle ES as a service oriented platform for delivering key interactions with remote clients but will also showcase core capabilities and delve quickly into SDK's and API's for developers.

Today’s Agenda – one hour Architecture Dive – Adobe LiveCycle ES Security Architecture Digital Signatures LiveCycle Digital Signatures – Intro, Deployment, API’s Adobe LiveCycle Rights Management – Intro, Architecture for deployment, Demo Acrobat Digital Signature API Reference – Review Resources: Adobe Developer Network Google Groups (LiveCycle)

Architecture Dive – Adobe LiveCycle ES

Security Architecture

Digital Signatures

LiveCycle Digital Signatures – Intro, Deployment, API’s

Adobe LiveCycle Rights Management – Intro, Architecture for deployment, Demo

Acrobat Digital Signature API Reference – Review

Resources:

Adobe Developer Network

Google Groups (LiveCycle)

Old model for enterprise architecture (simple) Server Client

Enterprise 2.0 Definition: An adoption of Web 2.0 design patterns by Enterprises Abstract Model for connecting and integrating capabilities and users Patterns of interaction “ Don't treat software as an artifact, but as a process of engagement with your users. “ - Tim O’Reilly Users Services Capabilities Client Applications/Runtimes Connectivity/Reachability SOA

Definition: An adoption of Web 2.0 design patterns by Enterprises

Abstract Model for connecting and integrating capabilities and users

LiveCycle ES Architecture

The Genesis of LiveCycle ES I want to connect these world! Distributors & Agencies Internal Processes ERP / ECM / CRM / BPM / Accounting Customers & Citizens Suppliers & Contractors

Closing the Engagement Gap with LiveCycle Distributors & Agencies Internal Processes ERP / ECM / CRM / BPM / Accounting Customers & Citizens Suppliers & Contractors LiveCycle Scalable engagement services Document Output Electronic Forms Rich Internet Applications Enterprise Rights Management Digital Signatures “ Human-centric” BPM

The Adobe technology platform architecture Service Tier Resource Tier EIS Databases Directories ECM Repository Message Queues Legacy Systems Design & Development Tools Client Application Tier HTTP/S, Sockets, AMF, RTMP, SOAP, WS*, REST, … Printing & Scanning Reader Acrobat Connect Browsers Flash Player Flex AIR (Apollo) Acrobat Service Invocation Layer Service Container Registry Service Provider Interface LC Core Services 3rd Party Services Other? ? … LC Data Services Flex Builder Eclipse Notepad LiveCycle Designer WorkBench

Adobe LiveCycle ES Service Components Service Tier Service Invocation Layer Service Container Registry Service Provider Interface LC Core Services 3rd Party Services Forms Process Management Production Print Barcoded Forms PDF Generator Reader Extensions Common Administration, Orchestration, Security, Encryption Output Rights Management Digital Signatures Data Services

LC ES Digital Signature Ecosystem

LiveCycle Invocation

Digital Signatures Adobe LiveCycle Document Security Server

Digital Signatures DSig enables recipients to verify the integrity of an electronic document. Integrity subject to many types of attacks. Mechanisms to combat include: Parity Bits or Cyclical Redundancy Checking ( CRC ) functions - works well for intentional modifications but clever hackers can circumvent. One way hash (fixed length value) - unique fingerprint can detect if document has been altered by re-computing the hash (commonly MD5, SHA-1, SHA-256 ) Message Authentication Codes (MAC) - prevent hacker from intercepting, modifying and attaching new hash. Symmetric key is connected to the MAC then hashed ( HMAC ). Without the key, attacker cannot forge new message.

DSig enables recipients to verify the integrity of an electronic document.

Integrity subject to many types of attacks. Mechanisms to combat include:

Parity Bits or Cyclical Redundancy Checking ( CRC ) functions - works well for intentional modifications but clever hackers can circumvent.

One way hash (fixed length value) - unique fingerprint can detect if document has been altered by re-computing the hash (commonly MD5, SHA-1, SHA-256 )

Message Authentication Codes (MAC) - prevent hacker from intercepting, modifying and attaching new hash. Symmetric key is connected to the MAC then hashed ( HMAC ). Without the key, attacker cannot forge new message.

How it works - Signing PDF Documents

ByteRange and Signature value

The PDF Save/Hash/Update Process Hash computed over entire PDF file byte 0 to last, excluding signature Signature placed in PDF: PDF -> disk worst case space left for sig value. Once sig value is known (offsets in file), ByteRange array overwritten with absolutes. NOTE: byte offsets MUST NOT change, extra bytes overwritten with spaces. Hash of entire file computed using SHA-1. Hash encrypted with signer’s private key PKCS#7 signature object generated. Signature object placed in file on disk, overwrites placeholder value. Space not used for the signature object is overwritten with spaces. PDF re-loaded in Acrobat. Ensures in-memory and disk versions match.

Hash computed over entire PDF file

byte 0 to last, excluding signature

Signature placed in PDF:

PDF -> disk worst case space left for sig value.

Once sig value is known (offsets in file), ByteRange array overwritten with absolutes. NOTE: byte offsets MUST NOT change, extra bytes overwritten with spaces.

Hash of entire file computed using SHA-1.

Hash encrypted with signer’s private key

PKCS#7 signature object generated.

Signature object placed in file on disk, overwrites placeholder value. Space not used for the signature object is overwritten with spaces.

PDF re-loaded in Acrobat. Ensures in-memory and disk versions match.

Multiple Signatures

Dsig Check list Public Key Infrastructure (PKI) Certificate Revocation List (CRL) Online Certificate Status Protocol (OCSP)

Public Key Infrastructure (PKI)

Certificate Revocation List (CRL)

Online Certificate Status Protocol (OCSP)

PKI mechanisms Public Key Cryptography Standards (PKCS) - set of standard protocols used by PKI vendors including RSA encryption, cryptographic syntax for S/MIME, extended certificate syntax and more. Registration Authority (RA) - background checks of people, PDP authentication. Certificate Repositories;, Key update, backup, recover, history; Cross-certification and Time stamping.

Public Key Cryptography Standards (PKCS) - set of standard protocols used by PKI vendors including RSA encryption, cryptographic syntax for S/MIME, extended certificate syntax and more.

Registration Authority (RA) - background checks of people, PDP authentication.

Certificate Repositories;, Key update, backup, recover, history; Cross-certification and Time stamping.

Demo Adobe Acrobat Custom Communications Form Sample Simple signing and break signature value.

Adobe Acrobat

Custom Communications Form Sample

Simple signing and break signature value.

Adobe LiveCycle Digital Signatures

LiveCycle Digital Signatures Server used for: Publishing "certified" documents that can prove the authenticity and integrity of the document. Control the changes that are permitted in documents as they flow through a business process with a certification signature. Digitally sign documents before they are archived to improve compliance metrics. Automate the signature validation process for PDF documents. Leverage existing investments in public key infrastructure (PKI) protocols.

Server used for:

Publishing "certified" documents that can prove the authenticity and integrity of the document.

Control the changes that are permitted in documents as they flow through a business process with a certification signature.

Digitally sign documents before they are archived to improve compliance metrics.

Automate the signature validation process for PDF documents.

Leverage existing investments in public key infrastructure (PKI) protocols.

For developers http://livedocs.adobe.com/

http://livedocs.adobe.com/

Samples - retrieve Dsig field names import java.util.*; import java.io.FileInputStream; import com.adobe.livecycle.signatures.client.*; import com.adobe.livecycle.signatures.client.types.*; import com.adobe.idp.Document; import com.adobe.idp.dsc.clientsdk.ServiceClientFactory; public class GetSignatureFields { public static void main(String[] args) { try { //Set connection properties required to invoke LiveCycle ES Properties connectionProps = new Properties(); connectionProps.setProperty("DSC_DEFAULT_EJB_ENDPOINT", "jnp://localhost:1099"); connectionProps.setProperty("DSC_TRANSPORT_PROTOCOL","EJB"); connectionProps.setProperty("DSC_SERVER_TYPE", "JBoss"); connectionProps.setProperty("DSC_CREDENTIAL_USERNAME", "administrator"); connectionProps.setProperty("DSC_CREDENTIAL_PASSWORD", "password");

import java.util.*;

import java.io.FileInputStream;

import com.adobe.livecycle.signatures.client.*;

import com.adobe.livecycle.signatures.client.types.*;

import com.adobe.idp.Document;

import com.adobe.idp.dsc.clientsdk.ServiceClientFactory;

public class GetSignatureFields {

public static void main(String[] args) {

try {

//Set connection properties required to invoke LiveCycle ES Properties connectionProps = new Properties();

connectionProps.setProperty("DSC_DEFAULT_EJB_ENDPOINT", "jnp://localhost:1099");

connectionProps.setProperty("DSC_TRANSPORT_PROTOCOL","EJB");

connectionProps.setProperty("DSC_SERVER_TYPE", "JBoss");

connectionProps.setProperty("DSC_CREDENTIAL_USERNAME", "administrator");

connectionProps.setProperty("DSC_CREDENTIAL_PASSWORD", "password");

Samples - retrieve Dsig field names (2) //Create a ServiceClientFactory instance ServiceClientFactory myFactory ServiceClientFactory.createInstance(connectionProps); //Create a SignatureServiceClient object SignatureServiceClient signClient = new SignatureServiceClient(myFactory); //Specify a PDF document that contains signature fields FileInputStream fileInputStream = new FileInputStream("C:\Adobe\Loan.pdf"); Document inDoc = new Document (fileInputStream); //Retrieve the name of the document’s signature fields List fieldNames = signClient.getSignatureFieldList(inDoc);

//Create a ServiceClientFactory instance

ServiceClientFactory myFactory

ServiceClientFactory.createInstance(connectionProps);

//Create a SignatureServiceClient object

SignatureServiceClient signClient = new SignatureServiceClient(myFactory);

//Specify a PDF document that contains signature fields

FileInputStream fileInputStream = new FileInputStream("C:\Adobe\Loan.pdf");

Document inDoc = new Document (fileInputStream);

//Retrieve the name of the document’s signature fields

List fieldNames = signClient.getSignatureFieldList(inDoc);

Samples - retrieve Dsig field names (3) //Obtain the name of each signature field by iterating List Iterator iter = fieldNames.iterator(); int i = 0 ; String fieldName=""; while (iter.hasNext()) { PDFSignatureField signatureField = (PDFSignatureField)iter.next(); fieldName = signatureField.getName(); System.out.println("The name of the signature field is " +fieldName); i++; } }catch (Exception ee) { ee.printStackTrace(); }

//Obtain the name of each signature field by iterating List

Iterator iter = fieldNames.iterator();

int i = 0 ;

String fieldName="";

while (iter.hasNext()) {

PDFSignatureField signatureField = (PDFSignatureField)iter.next();

fieldName = signatureField.getName();

System.out.println("The name of the signature field is " +fieldName);

i++;

}

}catch (Exception ee) {

ee.printStackTrace();

}

Adobe LiveCycle Rights Management

Securing information is important ”not optional” Mandatory compliance with: Sarbanes-Oxley (Section 404) (USA) NASD 2711 (USA) BS1779 – (UK) ITAR Export Control Directive 95/46/EC of the European Parliament California's Information Practices Act (SB 1386) SEC Rule 17a-4 HIPAA Personal Information Protection and Electronic Documents Act (Canada) Protect corporate image / brand trust Employee turnover increases risk; mobile workstations, theft of laptops etc. Prevent Phishing (customer relations ruined) Mitigate the risk of espionage Removes the temptation and mitigates accidental disclosure.

Mandatory compliance with:

Sarbanes-Oxley (Section 404) (USA)

NASD 2711 (USA)

BS1779 – (UK)

ITAR Export Control

Directive 95/46/EC of the European Parliament

California's Information Practices Act (SB 1386)

SEC Rule 17a-4

HIPAA

Personal Information Protection and Electronic Documents Act (Canada)

Protect corporate image / brand trust

Employee turnover increases risk; mobile workstations, theft of laptops etc.

Prevent Phishing (customer relations ruined)

Mitigate the risk of espionage

Removes the temptation and mitigates accidental disclosure.

Lack persistent access controls to prevent information re-distribution Cannot dynamically change rights/access after distribution Shortcomings of Current Information Assurance Approaches Author Secure Pipe Approach Access Control Approach File System Recipient Unauthorized Users

Lack persistent access controls to prevent information re-distribution

Cannot dynamically change rights/access after distribution

Adobe® LiveCycle™ Rights Management Controls Who can open a document What they can do with it Expiration/revocation Version control Auditing Works with Adobe Acrobat, Microsoft Office and CATIA

Controls

Who can open a document

What they can do with it

Expiration/revocation

Version control

Auditing

Works with Adobe Acrobat, Microsoft Office and CATIA

Adobe provides persistent protection for information

Adobe’s Contribution to Information Assurance Data is secured at the document level, throughout its lifecycle Document authenticity/integrity can be verified at any time Only the intended recipients can view protected documents A chain of custody is maintained for all documents via an audit trail Protected documents are easily shared across organizations

Data is secured at the document level, throughout its lifecycle

Document authenticity/integrity can be verified at any time

Only the intended recipients can view protected documents

A chain of custody is maintained for all documents via an audit trail

Protected documents are easily shared across organizations

Security technologies

Secure Messaging (WS-Security)

Deployment Architecture – within enterprise

Deployment Architecture – external use

Demo ! LiveCycle Rights Management

LiveCycle Rights Management

Orchestrating Security And demo…

Digital Signature Plug in Architecture Adobe Acrobat implements digital signatures using plug-ins for generic functions common to all digital signatures. Support for specific kinds of signatures (signing methods): Public-private key (PPK) Handwriting Biometrics (retinal scans, fingerprints) … Development Kit (SDK): http://partners.adobe.com/asn/developer/acrosdk/main.html

Adobe Acrobat implements digital signatures using plug-ins for generic functions common to all digital signatures.

Support for specific kinds of signatures (signing methods):

Public-private key (PPK)

Handwriting

Biometrics (retinal scans, fingerprints)

…

Development Kit (SDK):

http://partners.adobe.com/asn/developer/acrosdk/main.html

Digital Signature Plug in Architecture

Q & A Contacts: Dnickull@adobe.com (Blog: http://technoracle.blogspot.com) References: LiveCycle Developer Centre: http://www.adobe.com/devnet/livecycle/ Google Groups - LiveCycle Developers Group

Contacts:

Dnickull@adobe.com (Blog: http://technoracle.blogspot.com)

References:

LiveCycle Developer Centre: http://www.adobe.com/devnet/livecycle/

Google Groups - LiveCycle Developers Group

Architecture Summary – LiveCycle ES LC ES is a true platform. Core services for PDF security, rights management, generation and various core libraries. Service invocation layer calls underlying capabilities and APIs. Operations exposed by Invocation later for the PDF Encryption Service may be called locally or remotely. Remote callers can use: Watch Folder Web Services EJB’s Other… PDF Encryption Service exposed via a Developer SDK used for integration with Third Party Applications.

LC ES is a true platform.

Core services for PDF security, rights management, generation and various core libraries.

Service invocation layer calls underlying capabilities and APIs.

Operations exposed by Invocation later for the PDF Encryption Service may be called locally or remotely.

Remote callers can use:

Watch Folder

Web Services

EJB’s

Other…

PDF Encryption Service exposed via a Developer SDK used for integration with Third Party Applications.

Advanced Encryption Standard (AES) How it actually works

AES AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits. The key is expanded using Rijndael's key schedule. Most of AES calculations are done in a special finite field. Operates on a 4×4 array of bytes (the State ) For encryption, each round of AES (except the last round) consists of four stages: SubBytes, ShiftRows, MixColumns and AddRoundKey The final round omits the MixColumns stage.

AES has a fixed block size of 128 bits and a key size of 128, 192 or 256 bits.

The key is expanded using Rijndael's key schedule.

Most of AES calculations are done in a special finite field.

Operates on a 4×4 array of bytes (the State )

For encryption, each round of AES (except the last round) consists of four stages:

SubBytes, ShiftRows, MixColumns and AddRoundKey

The final round omits the MixColumns stage.

Building an AES Cypher – Stages 1 & 2 Subbyte: Non-linear substitution step where each byte is replaced with another according to a lookup table. ShiftRows — a transposition step where each row of the state is shifted cyclically a certain number of steps.

Subbyte: Non-linear substitution step where each byte is replaced with another according to a lookup table.

ShiftRows — a transposition step where each row of the state is shifted cyclically a certain number of steps.

Building an AES Cypher – Stage 3 MixColumns - four bytes of each column (state) are combined using invertible linear transformation. Each column is treated as a polynomial over GF ( 28 ) and is then multiplied modulo x 4 + 1 with a fixed polynomial c ( x ) = 3 x 3 + x 2 + x + 2.

MixColumns - four bytes of each column (state) are combined using invertible linear transformation. Each column is treated as a polynomial over GF ( 28 ) and is then multiplied modulo x 4 + 1 with a fixed polynomial c ( x ) = 3 x 3 + x 2 + x + 2.

Building an AES Cypher – Stage 4 AddRoundKey - the subkey is combined with the state. For each round, a subkey is derived from the main key using the key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

AddRoundKey - the subkey is combined with the state. For each round, a subkey is derived from the main key using the key schedule; each subkey is the same size as the state. The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR.

Technical Notes Supplemental

Confidentiality and Encryption of Information Encryption is the process of transforming information (plaintext) into an incomprehensible form (ciphertext). Encryption is an effective technique for managing document access. Decryption is the reverse process that transforms ciphertext back to the original plaintext. Cryptography refers to the two processes of encryption and decryption and its implementation is referred to as a cryptosystem . Keys are used for encryption and decryption. Symmetric Keys – Adobe uses 128 bit AES keys for documents. Asymmetric Keys – Adobe uses RSA (512-, 1024-, and 2048-bit) elsewhere Adobe also offers a hybrid approach for encryption.

Encryption is the process of transforming information (plaintext) into an incomprehensible form (ciphertext). Encryption is an effective technique for managing document access.

Decryption is the reverse process that transforms ciphertext back to the original plaintext.

Cryptography refers to the two processes of encryption and decryption and its implementation is referred to as a cryptosystem .

Keys are used for encryption and decryption.

Symmetric Keys – Adobe uses 128 bit AES keys for documents.

Asymmetric Keys – Adobe uses RSA (512-, 1024-, and 2048-bit) elsewhere

Adobe also offers a hybrid approach for encryption.

Other security features… Authentication/integrity of electronic data. Parity bits or Cyclical Redundancy Checking (CRC) functions —CRC functions work well for unintentional modifications, such as wire interference, but they can be circumvented by a clever attacker. One-way hash —creates hash value or message digest for a message of any length. Adobe has adopted the SHA-1 and SHA-256 algorithms because of their wide acceptance as a security standard. Message Authentication Codes (MAC) —prevents an attacker from obtaining the original message, modifying it, and attaching a new hash. In this case, a symmetric key is connected to the MAC and then hashed (HMAC). Without the key, an attacker cannot forge a new message. Adobe uses HMACs where appropriate.

Authentication/integrity of electronic data.

Parity bits or Cyclical Redundancy Checking (CRC) functions —CRC functions work well for unintentional modifications, such as wire interference, but they can be circumvented by a clever attacker.

One-way hash —creates hash value or message digest for a message of any length. Adobe has adopted the SHA-1 and SHA-256 algorithms because of their wide acceptance as a security standard.

Message Authentication Codes (MAC) —prevents an attacker from obtaining the original message, modifying it, and attaching a new hash. In this case, a symmetric key is connected to the MAC and then hashed (HMAC). Without the key, an attacker cannot forge a new message. Adobe uses HMACs where appropriate.

Security Regulations supplementry

Compliance Sarbanes-Oxley Section 404 Section 404 of Sarbanes-Oxley specifically calls for US-listed companies to establish and maintain the necessary internal control mechanisms to ensure the financial reporting process complies with the law. In order to comply with section 404 of Sarbanes-Oxley, companies must implement internal controls that: Expire access to spreadsheets with errors Protect data from access and modification by unauthorized users Track actions on data as it crosses application and organizational boundaries http://www.sec.gov/rules/final/33-8238.htm

Sarbanes-Oxley Section 404

Section 404 of Sarbanes-Oxley specifically calls for US-listed companies to establish and maintain the necessary internal control mechanisms to ensure the financial reporting process complies with the law. In order to comply with section 404 of Sarbanes-Oxley, companies must implement internal controls that:

Expire access to spreadsheets with errors

Protect data from access and modification by unauthorized users

Track actions on data as it crosses application and organizational boundaries

http://www.sec.gov/rules/final/33-8238.htm

Compliance NASD 2711 The National Association of Securities Dealers Rule 2711 (NASD 2711) stipulates that investment banking be run separately from research and trading to ensure trust in the public markets. And while organizations may attempt to prohibit communication between these groups, email and other technologies serve as a conduit of improper communication. It may also be in the interest of the bank to allow an analyst to “cross the wall” for a particular engagement. However, it is necessary to ensure that information obtained during that engagement stays on the appropriate side of the wall. In order to comply with NASD 2711, financial organizations must: Identify and protect regulated data wherever it is stored, transmitted or processed Prevent unauthorized data access and usage Ensure that end-users cannot arbitrarily remove protection Provide evidentiary-quality audit trails that prove data is protected http://www.nasd.com/web/idcplg?IdcService=SS_GET_PAGE&nodeId=653

NASD 2711

The National Association of Securities Dealers Rule 2711 (NASD 2711) stipulates that investment banking be run separately from research and trading to ensure trust in the public markets. And while organizations may attempt to prohibit communication between these groups, email and other technologies serve as a conduit of improper communication. It may also be in the interest of the bank to allow an analyst to “cross the wall” for a particular engagement. However, it is necessary to ensure that information obtained during that engagement stays on the appropriate side of the wall.

In order to comply with NASD 2711, financial organizations must:

Identify and protect regulated data wherever it is stored, transmitted or processed

Prevent unauthorized data access and usage

Ensure that end-users cannot arbitrarily remove protection

Provide evidentiary-quality audit trails that prove data is protected

http://www.nasd.com/web/idcplg?IdcService=SS_GET_PAGE&nodeId=653

Compliance ITAR/Export Control The U.S. government’s International Traffic in Arms Regulations (ITAR) govern the dissemination of a broad array of information. Among other requirements, they prohibit disclosing or transferring regulated technical data to a foreign person, whether in the United States or abroad. Companies that export products—particularly in the high-tech, aviation, and military sectors—must put in place mechanisms that prevent violations of U.S. export laws. These regulations hold companies accountable for the acts of anyone that accesses technical data. Penalties for export violations can be severe—$1M and 10 years in prison per violation, prohibitions against future exports by the company, and the loss of government contracts. The Department of State’s Directorate of Defense Trade Controls has guidelines that suggest: Export controlled documents should be “tagged” to identify their status Establishing a procedure to combat illegal transfers Regular audits to ensure integrity of program Procedures to investigate any potential diversions https://www.pmdtc.org/docs/itar/itar_part_125.pdf

ITAR/Export Control

The U.S. government’s International Traffic in Arms Regulations (ITAR) govern the dissemination of a broad array of information. Among other requirements, they prohibit disclosing or transferring regulated technical data to a foreign person, whether in the United States or abroad. Companies that export products—particularly in the high-tech, aviation, and military sectors—must put in place mechanisms that prevent violations of U.S. export laws. These regulations hold companies accountable for the acts of anyone that accesses technical data. Penalties for export violations can be severe—$1M and 10 years in prison per violation, prohibitions against future exports by the company, and the loss of government contracts.

The Department of State’s Directorate of Defense Trade Controls has guidelines that suggest:

Export controlled documents should be “tagged” to identify their status

Establishing a procedure to combat illegal transfers

Regular audits to ensure integrity of program

Procedures to investigate any potential diversions

https://www.pmdtc.org/docs/itar/itar_part_125.pdf

Compliance California's Information Practices Act (SB 1386) California's Database Security Breach Notification Act ( SB 1386 ) and General Security Standard for Businesses (AB 1950) require companies and government agencies that store personal information on California residents to implement safety procedures that safeguard data and disclose any breach of security to the individuals affected. Personal information includes an individual's first name or first initial and last name in combination with any one or more of the following data elements: Social security number, driver’s license number or California identification card number Account number, credit or debit card number, in combination with any required security code, access code or password that permits access to an account Medical information Companies that fail to implement information security procedures and/or disclose security breaches face potential liability from class action suits and irreversible brand damage. Furthermore, Congressional legislation is under consideration to set a national standard similar to California's for protecting personal information. http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci941077,00.html

California's Information Practices Act (SB 1386)

California's Database Security Breach Notification Act ( SB 1386 ) and General Security Standard for Businesses (AB 1950) require companies and government agencies that store personal information on California residents to implement safety procedures that safeguard data and disclose any breach of security to the individuals affected. Personal information includes an individual's first name or first initial and last name in combination with any one or more of the following data elements:

Social security number, driver’s license number or California identification card number

Account number, credit or debit card number, in combination with any required security code, access code or password that permits access to an account

Medical information

Companies that fail to implement information security procedures and/or disclose security breaches face potential liability from class action suits and irreversible brand damage. Furthermore, Congressional legislation is under consideration to set a national standard similar to California's for protecting personal information.

http://searchcio.techtarget.com/originalContent/0,289142,sid19_gci941077,00.html

Compliance SEC 17a-4 SEC Rule 17a-4 (in combination with 17a-3) of the Securities Exchange Act of 1934 requires broker-dealers to create and preserve in an easily accessible manner, a comprehensive record of each securities transaction and their securities business in general. These preserved records are used by the SEC to monitor compliance with applicable securities laws including antifraud provisions and financial responsibility standards. To ensure compliance with SEC Rule 17a-4, broker-dealers must: Maintain and retain certain records for the required retention period Store the records in a manner that prevents them from being overwritten, erased or otherwise altered Have in place a system to show the audit trail of each record and provide verification that the records were not altered

SEC 17a-4

SEC Rule 17a-4 (in combination with 17a-3) of the Securities Exchange Act of 1934 requires broker-dealers to create and preserve in an easily accessible manner, a comprehensive record of each securities transaction and their securities business in general. These preserved records are used by the SEC to monitor compliance with applicable securities laws including antifraud provisions and financial responsibility standards.

To ensure compliance with SEC Rule 17a-4, broker-dealers must:

Maintain and retain certain records for the required retention period

Store the records in a manner that prevents them from being overwritten, erased or otherwise altered

Have in place a system to show the audit trail of each record and provide verification that the records were not altered

Photo assets

Three (long) or four (short) bullets go here to describe the image, diagram or screenshot in the pod above *A 10 point footnote can go here, if necessary 50-50 Split Pod Layout

Three (long) or four (short) bullets go here to describe the image, diagram or screenshot in the pod above

This layout is generally used for diagrams or large photos that look awkward in a pod *A 10 point footnote can go here, if necessary No Pod Layout

This layout is generally used for diagrams or large photos that look awkward in a pod

Useful for comparing four concepts side-by-side *A 10 point footnote can go here, if necessary Pod 1 Title Pod 2 Title Pod 3 Title Pod 4 Title 4 Column Split Pod Layout

Useful for comparing four concepts side-by-side

Information goes here, and one or two images can sit in the gray area on the right *A 10 point footnote can go here, if necessary Pod-On-Right Layout

Information goes here, and one or two images can sit in the gray area on the right

Useful for comparing four concepts *A 10 point footnote can go here, if necessary Four Quadrant Split Pod Layout

Useful for comparing four concepts

Useful for comparing two concepts side-by-side with data content below Optional Split Pod Layout

Useful for comparing two concepts side-by-side with data content below

Useful for comparing two concepts side-by-side with data content below Optional Split Pod Layout

Useful for comparing two concepts side-by-side with data content below