2. Sarbanes Oxley Financial reporting accuracy Health Insurance Portability & Accountability Act (HIPAA) Medical information for employee benefits Privacy European Union Data Protection Directive Canada Japan California Senate Bill 1386 (plus 25 other states) FDA 21 CFR Part 11 and Good Manufacturing Practice (GMP) Some Compliance Requirements…
3. Federal Trade Commission Consumer protection Credit Card regulations Payment Card Industry (PCI) required by VISA CISP, MasterCard SDP, and Amex Data Security Requirement Trade Compliance Custom Trade Partnership Against Terrorism (C-TPAT) Export of materials and technology to restricted companies Environmental Health and Safety (EH&S) Hazardous materials handling and transportation DEA OSHA Continued…
4. Litigation eDiscovery Intellectual Property (IP) Patents and Patent infringement litigation Certifications ISO 9001 ISO 17799 / ISO 27001 BS 15000 / ISO 20000 Continued…
5. Emerging legal standard for security* T.J. Hooper case, 60 F.2d 737 (2d Cir. 1932)** In 1928, the tug boat T.J. Hooper sank in a storm. The cargo owners sued, saying the tugboat captain should have known a storm was coming. Tug owner said only way to know was to have a radio on board, which was not common practice, and not required by any law. However, Judge agreed with cargo owners – the tug owners should have had a radio on board, even though it was not required. The lack of a radio made the tug unseaworthy. Legal Strategy for Compliance * See http://www.bakerinfo.com/ecommerce/newlawis.pdf and http://www.bakerinfo.com/ecommerce/ISLEGAL.PDF ** From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104
6. Identify the assets to be protected Conduct risk assessment See http://en.wikipedia.org/wiki/United_States_v._Carroll_Towing_Co. Develop and implement a security program That is responsive to the risk assessment Must be in writing Reasonable, appropriate, suitable, necessary, adequate Addressthird parties Contractors, customers, suppliers, business partners, and providers of outsourced services Due diligence, contractual obligation, monitoring and auditing Continually monitor, reassess, and adjust the program Compliance Strategy* * From Tom Smedinghoff, Baker & McKenzie, at RSA 2006 presentation LAW-104
7. There is considerable overlap (~ 80%) for all security and privacy related compliance requirements These and other requirements typically need documented and implemented good processes “Say what you do, do what you say” Follow compliance strategy Identify information assets to be protected Follow a risk management process For example, NIST SP 800-30 http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf How do we handle all of these compliance requirements?
8. Following industry standards is a good start Provides a defensible position against regulation and litigation Best practices are beneficial and defensible Recent revisions of standards include risk management COSO ERM COSO + Risk Management CobiT 4.0 ISO 17799:2005 Create Defensible Position
9. Adopt current industry standards But get ahead of the curve where possible Document and follow process Include risk management as a best practice Make sure processes are: Effective Efficient Auditable Good Practice, Good Process
10. Three levels of frameworks, each operating at different degree of detail and scope, that together provide a set of controls and governance for IT Regulatory Compliance Each level down provides more detail and greater scope Level 1: COSO Enterprise Risk Management (ERM) Organization wide controls Endorsed by the SEC for Sarbanes-Oxley Level 2: CobiT® 4.x IT wide controls relating to COSO ERM PO9 and DS5.2 Level 3: Subject matter specific controls and best practices, e.g. ITIL SM (for AI6, DS9, DS10) IT Service Delivery ISO 17799:2005 (for DS5) IT Security ISO 15288:2002 (for AI2, AI3, AI7) System Development Life Cycle PMI PMBOK (for PO10) Project Management Six Sigma (for PO8) Integrated Compliance Framework
11. ITIL (Information Technology Infrastructure Library) Republished in 2002 as British Standard 15000, IT Service Management Part 1 is specification for certification Part 2 is code of practice Republished in 2005 as ISO 20000, Information Technology Service Management Part 1 is specification for certification Part 2 is code of practice Compliance Standards Harmonization
12. ISO 17799 Originally British Standard 7799 Part 1 is code of practice Part 2 is specification for certification Satisfies CobiT® DS5 - Ensure Systems Security ISO 17799:2005 is the code of practice Required for BS15000:2 and ISO 20000:2 Part 2 of BS 7799 (specification for certification) republished as ISO 27001:2005 Required for BS15000:1 and ISO 20001:1 Compliance Standards Harmonization
13. ISO 9001 Quality Management Systems -Requirements ISO 27001 satisfies ISO 9001 for Systems Security BS15000:1, ISO 20000:1, and ISO 20000:2 satisfy ISO 9001 for service management CobiT® 4.0 (2005) Harmonized with ITIL, ISO 9001, ISO 17799, and CMM Six Sigma ISO 27001, ISO 20000:1, and ISO 20000:2 use PDCA (Deming Cycle), a learning model used in Six Sigma and other Quality Programs Provides tools for Quality Management Systems Continuous improvement keeps us ahead of the curve and satisfies monitoring and assessment requirement for legal process. Compliance Standards Harmonization
14. Committee of Sponsoring Organization (COSO) of the Treadway Commission (http://www.coso.org/), “Enterprise Risk Management – Integrated Framework” (http://www.coso.org/Publications/ERM/COSO_ERM.ppt) Enterprise risk management is: A process, ongoing and flowing through an organization Effected by people at every level of an organization Applied across the enterprise, at every level and unit, and includes taking an entity level portfolio view of risk Able to provide reasonable assurance to an entity’s management and board of directors Level 1: COSO ERM
15. Eight interrelated COSO components, derived from the way management runs a business Internal Environment – The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate. Objective Setting – Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity’s mission and are consistent with its risk appetite. COSO ERM Components
16. Event Identification – Internal and external events affecting achievement of an entity’s objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management’s strategy or objective-setting processes. Risk Assessment – Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis. Risk Response – Management selects risk responses – avoiding, accepting, reducing, or sharing risk – developing a set of actions to align risks with the entity’s risk tolerances and risk appetite. COSO ERM Components
17. Control Activities – Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out. Information and Communication – Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity. Monitoring – The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both. COSO ERM Components
18. Control Objectives for Information and related Technology (CobiT) (http://www.isaca.org/cobit.html) Covers all controls within or relevant to IT organization Level 2: CobiT® 4.x
19. Level 2: CobiT® 4.x Plan and Organize (PO) PO1 Define a Strategic IT Plan PO2 Define the Information Architecture PO3 Determine Technological Direction PO4 Define the IT Processes, Organization and Relationships PO5 Manage the IT Investment PO6 Communicate Management Aims and Direction PO7 Manage IT Human Resources PO8 Manage Quality Six Sigma Standards Process PO9 Assess and Manage IT Risks PO10 Manage Projects PMBOK
20.
21. DS1 Define and Manage Service Levels* DS2 Manage Third-party Services* DS3 Manage Performance and Capacity DS4 Ensure Continuous Service DS5 Ensure Systems Security* ISO 17799:2005 / 27001:2005 DS6 Identify and Allocate Costs DS7 Educate and Train Users DS8 Manage Service Desk and Incidents DS9 Manage the Configuration* ITIL DS10 Manage Problems* ITIL DS11 Manage Data* DS12 Manage the Physical Environment DS13 Manage Operations* Level 2: CobiT® 4.x Deliver and Support (DS)
22. ME1 Monitor and Evaluate IT Performance ME2 Monitor and Evaluate Internal Control ME3 Ensure Regulatory Compliance ME4 Provide IT Governance Level 2: CobiT® 4.x Monitor and Evaluate (ME)
23. ITIL (IT Infrastructure Library) is the most widely accepted approach to IT Service Management in the world. (http://www.ogc.gov.uk/) provides a cohesive set of well defined best practices, drawn from the public and private sectors internationally. It is supported by a comprehensive qualification scheme, accredited training organizations, and implementation and assessment tools. Addresses and extends CobiT level of compliance framework: AI6 Manage Changes* DS9 Manage the Configuration* DS10 Manage Problems* AKA BS 15000, or ISO 20000 Level 3: ITIL
24. Guidelines and certification for IT Security Program “Information security is the protection of information from a wide range of threats in order to ensure business continuity, minimize business risk, and maximize return on investments and business opportunities.” Address and extends CobiT level of compliance framework: DS5 Ensure Systems Security* Required for BS 15000 and ISO 20000 security AKA BS 7799, or ISO 27001 Level 3: ISO 17799
25. Project Management Body of Knowledge from PMI http://www.pmibookstore.org/PMIBookStore/productDetails.aspx?itemID=358&varID=1 Describes best practices for Project Management Addresses and extends CobiT level of compliance framework: PO10 Manage projects IEEE 1490-2003, Adoption of PMI Standard: A Guide to the Project Management Body of Knowledge http://webstore.ansi.org/ansidocstore/product.asp?sku=IEEE+Std+1490%2D2003 Level 3: PMBOK
26. ISO 15288:2002 is a compendium of standards and best practices for systems and software development life cycle methodologies http://www.15288.com/ Addresses and extends CobiT level of Compliance Framework: AI2 Acquire and Maintain Application Software* AI3 Acquire and Maintain Technology Infrastructure* AI7 Install and Accredit Solutions and Changes Level 3: System Development Life Cycle
27. Six Sigma is a disciplined, data driven approach and methodology for eliminating defects and improving quality http://www.isixsigma.com/sixsigma/six_sigma.asp Addresses CobiT level of Compliance Framework PO8 Manage Quality Level 3: Six Sigma
28. The Compliance Framework consists of generally accepted industry standards and risk management practices at multiple levels, to meet requirements for a security program in an effective, efficient, and auditable manner. Summary