  1. Information Systems 365, Lecture 10: Industry Regulations
  2. Today’s Chocolate Bar: 3 Musketeers. When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.
  3. Some Of This Stuff Is Tedious. So, after each section we will have “take away slides”; PAY ATTENTION TO THOSE!
  4. Industry Regulations: Why Bother Learning Them?
     - Ability to impress interviewers
     - It all relies on TECHNOLOGY
     - Learn: policies, procedures, legislation, guidance
  5. Today
     - Regulation, legislation and guidance definitions: provide a common understanding of the different types of requirements.
     - Commercial guidance: industry must be concerned with compliance, legislation and guidance.
     - Federal, State, International and Industry regulations
  6. Information Security Related Laws
     - Federal Information Security Management Act of 2002 (“FISMA”)
     - Gramm-Leach-Bliley Act (“GLBA”)
     - Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
     - Sarbanes-Oxley Act
     - USA PATRIOT Act
     - Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”)
     - Electronic Communications Privacy Act (“ECPA”)
  7. Take Away
     - There are 5 or 6 major information security laws
     - They all pretty much say the same things, with about 20% special differences related to the specific industries they cover
     - The 80%/20% rule
  8. What’s the difference between Federal laws and regulations?
     - Laws generally specify what is required, but not how it should be done.
     - Laws are frequently vague and can be ambiguous.
  9. What Are Regulations?
     - Regulations stipulate requirements to be compliant with laws
     - Regulations may contain specific steps or procedures for compliance
     - Frequently composed with help from industry experts
  10. Take Away
     - Laws are general
     - Regulations are more specific
  11. Federal Activities Related to Information Security
     - Major Federal responsibility is securing Federally owned/operated systems.
     - Federal government does not generally regulate security of non-government systems. HOWEVER, Federal government does require that certain types of information be protected.
     - Federal government is working with industry regarding security of critical infrastructure.
  12. Federal Laws We’re Going to Cover Today
     - Federal Information Security Management Act (FISMA)
     - Gramm-Leach-Bliley Act (GLBA)
     - Health Insurance Portability and Accountability Act (HIPAA)
     - Sarbanes-Oxley Act (SOX)
  13. Federal Information Security Management Act
     - Builds on requirements of:
       - Computer Security Act of 1987
       - Paperwork Reduction Act of 1995
       - Information Technology Management Reform Act of 1996
     - Provides basic statutory framework for securing Federally owned/operated computer systems.
  14. FISMA
     - Requires each agency to:
       - Inventory computer systems,
       - Identify and provide appropriate security protections, and
       - Develop, document and implement an agency-wide information security program
     - Authorizes the National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by the federal government.
  15. Take Away
     - FISMA covers Federal Government systems: encrypted information, defense information, national security information
     - Inventory computer systems,
     - Identify and provide appropriate security protections, and
     - Develop, document and implement an agency-wide information security program
  16. Gramm-Leach-Bliley Act
     - Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
     - Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc.
     - FTC announced final rule implementing GLBA in May 2002.
  17. GLBA (cont.)
     - FTC GLBA regulations:
       - Published at 16 CFR 314
       - Require “financial institutions” to develop, implement and maintain a comprehensive information security program with appropriate administrative, technical and physical safeguards, including:
         - Designating an employee to coordinate the program
         - Performing risk assessments
         - Performing regular testing and monitoring
         - A process for making changes in light of test results or changes in circumstances.
  18. So what is a “financial institution” under GLBA?
     - Under the GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers’ non-public personal financial information.
  19. GLBA Continued
     - The FTC’s GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.
     - What’s tricky about GLBA?
       - Broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., a department store that offers lay-away services or manufacturers that offer equipment financing).
       - Multiple agencies with authority to issue regulations. Could conflict.
  20. What do you need to do under GLBA?
     - If GLBA applies to your company: create, implement and maintain an information security program.
     - The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).
     - Regularly assess risks.
  21. GLBA, What You Need To Do
     - Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third-party service providers.
     - Adjust the information security program as necessary based on testing or other changes.
  22. Take Away
     - Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
  23. Health Insurance Portability and Accountability Act
     - Authorizes the Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:
       - Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;
       - Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
  24. HIPAA Continued
     - HIPAA security regulations are much more substantive than GLBA security regulations. GLBA is vague, HIPAA is more specific!
  25. HIPAA Scope & Key Definitions
     - Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information.
  26. Definitions You Will Forget: HIPAA Key Definitions
     - Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.”
     - “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.
     - “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (e.g., claims processing, benefit management, etc.).
  27. HIPAA Security Rule - General
     - Requires CEs to implement a unified security approach based on “defense in depth.”
     - Is technology neutral. CEs select appropriate technology to protect information.
     - Requires CEs to protect information from both internal and external threats.
     - Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.
  28. HIPAA Security Regulations
     - HIPAA security requirements fall into three categories:
       - Administrative Safeguards
       - Physical Safeguards
       - Technical Safeguards
     - Each category includes:
       - “standards”: WHAT the organization must do; and
       - “implementation specifications”: HOW it must be done.
  29. HIPAA Administrative Safeguards
     - Administrative safeguards require documented policies and procedures for managing:
       - Day-to-day operations;
       - Conduct and access of workforce members to protected information;
       - Selection, development and use of security controls.
  30. HIPAA Physical Safeguards
     - Physical safeguards are intended to protect information systems and protected information from unauthorized physical access.
     - A CE must limit physical access while still permitting authorized physical access.
  31. HIPAA Technical Safeguards
     - Technical Safeguards are requirements for using technology to control access to protected information:
       - Access controls
       - Audit controls
       - Information integrity controls
       - Person or entity authentication
       - Transmission security
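The slide names the technical safeguard categories but does not show what one looks like in code. The following is an added example, not material from the lecture, of two of them working together: an audit control (every access to a PHI record is logged with who, what and when) and an information integrity control (each log entry carries an HMAC chained to the previous entry, so that a later edit, insertion or deletion of a log line is detectable). The key, user names and record identifiers are constructed sample values; the `PhiAuditLog` class and its methods are this example's own design, not part of any HIPAA guidance or real product.

```python
"""Added example: a PHI access log with an HMAC chain, illustrating HIPAA
audit controls and information integrity controls.  All names and the key
are constructed for the example."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed sample key.  In a deployment this lives in a key store or HSM
# that the application can use but never read back or ship with the log.
AUDIT_KEY = b"constructed-sample-key-do-not-reuse"


def _tag(key: bytes, prev_tag: str, event: dict) -> str:
    """HMAC over the previous tag plus a canonical encoding of the event."""
    payload = prev_tag.encode() + json.dumps(event, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class PhiAuditLog:
    """Append-only record of who touched which PHI record, and when."""

    def __init__(self, key: bytes = AUDIT_KEY):
        self._key = key
        self.entries: List[dict] = []

    def record_access(self, user: str, record_id: str, action: str,
                      when: Optional[datetime] = None) -> dict:
        """Audit control: write one event, chained to the previous entry."""
        when = when or datetime.now(timezone.utc)
        event = {"user": user, "record": record_id, "action": action,
                 "ts": when.isoformat()}
        prev = self.entries[-1]["tag"] if self.entries else ""
        entry = {"event": event, "tag": _tag(self._key, prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, int]:
        """Integrity control: recompute the chain.  Returns (ok, index of the
        first bad entry, or -1).  Altering, inserting or removing an entry
        breaks every tag after it, so the first mismatch locates the damage."""
        prev = ""
        for i, entry in enumerate(self.entries):
            expected = _tag(self._key, prev, entry["event"])
            if not hmac.compare_digest(expected, entry["tag"]):
                return False, i
            prev = entry["tag"]
        return True, -1

    def accesses_by(self, user: str) -> List[dict]:
        """Audit query: everything one user did, for access reviews."""
        return [e["event"] for e in self.entries if e["event"]["user"] == user]


def demo() -> Tuple[bool, bool, int]:
    """Build a small log, confirm it verifies, then simulate someone with
    write access to the log store rewriting an old entry."""
    log = PhiAuditLog()
    t0 = datetime(2009, 1, 5, 9, 0, tzinfo=timezone.utc)
    log.record_access("dr_smith", "patient-0001", "read", t0)
    log.record_access("billing_1", "patient-0001", "read", t0)
    log.record_access("dr_smith", "patient-0002", "update", t0)
    ok_before, _ = log.verify()
    log.entries[1]["event"]["user"] = "dr_smith"   # after-the-fact edit
    ok_after, bad_index = log.verify()
    return ok_before, ok_after, bad_index


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The chain detects changes in the middle of the log but not removal of the most recent entries; a deployment would also periodically copy the latest tag somewhere the log writer cannot alter (a separate system, a signed timestamp), which is the kind of implementation specification the "HOW" on the previous slide refers to.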
  32. HIPAA Documentation Requirements
     - A CE must maintain documentation (e.g., policies and procedures) required by the HIPAA Security Rule until the LATER OF:
       - 6 years from the date of creation; OR
       - 6 years from the date the policy/procedure was last in effect.
     - A CE must regularly review and update documentation.
  33. Take Away
     - HIPAA covers healthcare-related institutions, both public and private
     - Technical controls
     - Physical controls
     - Administrative controls
  34. Sarbanes-Oxley
     - After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX.
     - Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”
     - Two sections of SOX have an impact on information security: Section 302 and Section 404.
  35. Sarbanes-Oxley Sections 302 and 404
     - Section 302 states that the CEO and CFO must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting.
     - Section 404 states that the corporation must assess the effectiveness of internal controls and report the assessment to the SEC. The assessment must also be reviewed by an outside auditing firm.
  36. Godzilla Size Take Away
     - No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.
  37. What do you have to do to comply with SOX?
     - Comply with the requirements of the ITGI Framework. Topics:
       - Security policy
       - Security standards
       - Access and authentication
       - User account management
       - Network security
       - Monitoring
       - Segregation of duties
       - Physical security
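"Segregation of duties" and "user account management" on the slide are the two topics an auditor most often turns into a concrete test: does any single account hold a combination of rights that lets one person complete a financial transaction end to end? The following added example (not from the lecture, and not any auditor's or ITGI's tooling) shows that test. The role model, the user assignments and the conflict matrix are constructed sample data; in a real review both come from the finance and audit teams. The check works at the permission level rather than the role level, so a conflict packed inside a single role is found as well as one created by stacking two roles.

```python
"""Added example: a segregation-of-duties (SoD) check over role assignments.
Roles, permissions, users and conflicts are constructed for the example."""
from itertools import combinations

# Constructed role model: role name -> permissions it grants.
ROLES = {
    "ap_clerk":      {"create_vendor", "enter_invoice"},
    "ap_manager":    {"approve_payment", "enter_invoice"},   # conflict inside one role
    "gl_accountant": {"post_journal"},
    "controller":    {"approve_journal", "approve_payment"},
    "sysadmin":      {"admin_erp", "manage_users"},
    "read_only":     {"view_reports"},
}

# Constructed conflict matrix: pairs of permissions one person must not hold
# together, because holding both lets them complete a fraud unassisted.
CONFLICTS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"post_journal", "approve_journal"}),
    frozenset({"admin_erp", "approve_payment"}),
}

# Constructed user -> roles assignments, as exported from an ERP.
SAMPLE_ASSIGNMENTS = {
    "alice": ["ap_clerk", "read_only"],
    "bob":   ["ap_clerk", "controller"],
    "carol": ["ap_manager"],
    "dave":  ["gl_accountant", "controller"],
    "erin":  ["sysadmin"],
}


def effective_permissions(user_roles, roles=ROLES):
    """Map each permission a user holds to the roles that grant it, so that a
    finding can name the assignment to remove."""
    perms = {}
    for role in user_roles:
        for p in roles.get(role, ()):
            perms.setdefault(p, set()).add(role)
    return perms


def sod_violations(assignments, roles=ROLES, conflicts=CONFLICTS):
    """Return sorted (user, perm_a, perm_b, roles_granting_a, roles_granting_b)
    tuples for every conflicting pair of permissions a user holds."""
    findings = []
    for user, user_roles in assignments.items():
        perms = effective_permissions(user_roles, roles)
        for a, b in combinations(sorted(perms), 2):
            if frozenset({a, b}) in conflicts:
                findings.append((user, a, b,
                                 tuple(sorted(perms[a])),
                                 tuple(sorted(perms[b]))))
    return sorted(findings)


if __name__ == "__main__":
    for user, a, b, via_a, via_b in sod_violations(SAMPLE_ASSIGNMENTS):
        print(f"{user}: {a} (via {via_a}) conflicts with {b} (via {via_b})")
```

Running it on the sample data reports bob twice (vendor creation and invoice entry combined with payment approval), carol once (both sides of the conflict come from the single `ap_manager` role, which is a role-design defect rather than an assignment error) and dave once (journal posting plus journal approval); alice and erin are clean. A finding where both roles are the same is the signal to split the role, not just to reassign the user.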
  38. SOX Audit
     - Auditors will look for:
       - Whether policies exist for appropriate information security topics
       - Whether policies have been approved at appropriate management levels
       - Whether policies are communicated effectively to personnel
  39. Take Away
     - A core goal of SOX is to protect investors by providing assurance that financial data is truthful and has maintained its integrity
     - Without technical controls, you have no way to verify financial data truthfulness and integrity
     - Hardly begins to explain why we just gave 700 billion to the banks!
  40. California has been leading the way
     - SB 1386 requires notification to California-resident data owners if a security breach discloses (or might have disclosed) certain information that could lead to identity theft.
  41. Covered Information
     - Name (full name, or first initial and last name)
     - Social security number
     - Driver’s license number
     - California Identification Card number
     - Account number or credit or debit card number along with any required security code, access code, or
  42. SB 1386 (cont.)
     - Companies are not required to notify customers if the information was stored in encrypted form.
     - Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.
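The three SB 1386 slides above give a test that an incident responder has to apply under time pressure: which fields were exposed, do they amount to "covered information", and was the data really encrypted. The following added example (not from the lecture) turns that into a triage helper and also makes the slide's ROT13 caveat concrete. The statute's own test, which the slide's list implies but does not spell out, is a name in combination with at least one of the other elements; that combination rule is used here. Field names, protection labels, the `REVERSIBLE_WITHOUT_KEY` set and the sample incident records are all constructed for this example, and the `aes-256-gcm` label simply stands for "keyed encryption whose key was not lost".

```python
"""Added example: SB 1386 breach-notification triage with the encryption
exemption modelled, including why ROT13 does not qualify.  All field names,
labels and records are constructed for the example."""
import codecs

# Identifiers that, together with a name, make the record "covered".
STANDALONE_IDS = {"ssn", "drivers_license", "ca_id_card"}
ACCOUNT_FIELDS = {"account_number", "card_number"}
# Account/card numbers only count when an access credential went with them.
ACCESS_FIELDS = {"security_code", "access_code"}

# Storage "protections" that do not earn the encryption exemption, because
# anyone holding the data can undo them without possessing any key.
REVERSIBLE_WITHOUT_KEY = {"plain", "rot13", "base64"}


def has_name(fields):
    """Full name, or first initial (or first name) plus last name."""
    return ("full_name" in fields
            or {"first_initial", "last_name"} <= fields
            or {"first_name", "last_name"} <= fields)


def is_covered_information(fields):
    """`fields` is the set of field names an attacker could read."""
    if not has_name(fields):
        return False
    if fields & STANDALONE_IDS:
        return True
    return bool(fields & ACCOUNT_FIELDS) and bool(fields & ACCESS_FIELDS)


def exposed_fields(record, key_also_exposed=False):
    """Field names an attacker can read.  `record` maps a field name to a
    (stored_value, protection) pair.  Keyed encryption shields a field unless
    the key was lost in the same incident."""
    exposed = set()
    for name, (_value, protection) in record.items():
        if protection in REVERSIBLE_WITHOUT_KEY or key_also_exposed:
            exposed.add(name)
    return exposed


def notification_required(record, key_also_exposed=False):
    return is_covered_information(exposed_fields(record, key_also_exposed))


def rot13_roundtrip(value):
    """Why ROT13 is not encryption: the stored form is recovered with no key."""
    stored = codecs.encode(value, "rot13")
    return stored, codecs.decode(stored, "rot13")


# Constructed incident records; the values are obviously fake placeholders.
SAMPLE_RECORDS = {
    "plaintext_ssn": {
        "full_name": ("Pat Example", "plain"),
        "ssn": ("000-00-0000", "plain"),
    },
    "encrypted_ssn": {
        "full_name": ("Pat Example", "plain"),
        "ssn": ("<ciphertext>", "aes-256-gcm"),
    },
    "rot13_license": {
        "first_initial": ("P", "plain"),
        "last_name": ("Example", "plain"),
        "drivers_license": (codecs.encode("A1234567", "rot13"), "rot13"),
    },
    "card_without_code": {
        "full_name": ("Pat Example", "plain"),
        "card_number": ("0000000000000000", "plain"),
    },
    "card_with_code": {
        "full_name": ("Pat Example", "plain"),
        "card_number": ("0000000000000000", "plain"),
        "security_code": ("000", "plain"),
    },
}


def triage(records=SAMPLE_RECORDS):
    """Map each incident record to whether notification is required."""
    return {name: notification_required(rec) for name, rec in records.items()}


if __name__ == "__main__":
    for name, required in triage().items():
        print(f"{name}: notify={required}")
```

Two of the sample records are worth a second look. `encrypted_ssn` needs no notice only while `key_also_exposed` is false; pass `key_also_exposed=True`, as you would when the application server holding the key was the thing compromised, and the exemption disappears. `rot13_license` is counted as exposed because `rot13_roundtrip` recovers the original with no secret at all, which is the slide's "don't bank on it" in executable form.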
  43. AB 1950
     - On Sept. 29, California enacted AB 1950, which requires that a business that:
       - Stores personal information about a California resident MUST implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
       - Discloses personal information about a California resident to a third party as part of a contract will require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
  44. My organization isn’t in California, why should I care?
     - Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system.
     - Many states are implementing their own regulations, similar to California’s.
  45. FTC has started enforcing security “promises”
     - FTC actions regarding security:
       - Eli Lilly: disclosure of email addresses of Prozac prescription holders
       - Microsoft: overpromising regarding security of the MS Passport service
       - Guess, Inc.: promising security of information while remaining vulnerable to common attacks
  46. You’ve been cracked… And now you’re sued.
     - US law requires people to behave “reasonably”.
     - If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence.
     - So… if your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get
  47. You’ve been sued… And you might lose.
     - If you cannot show that you were “reasonable” (which may be defined as having complied with industry regulations), a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s).
     - This hasn’t happened yet, but many people think it’s coming.
  48. LECTURE TAKE AWAYS
     - Knowing regulations is impressive to employers, I’m not sure why…
     - GLB, SOX and HIPAA all require similar things: authentication, auditing, protection, data integrity, proof
     - 80%/20% rule!!!