Legal Departments' Security Responsibility - Dynamic Log Analysis™

  • Several laws are based on the premise of mitigating operational risk. Many financial services firms in the United States are obligated to reduce “operational risk”, the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, by monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems, under the following laws:
    1. Section 216 of the Fair and Accurate Credit Transactions Act (2003) (FACT Act) - must provide for the identification, detection, and response to patterns, practices, or specific activities, known as “red flags”, that could indicate identity theft. Within banks, this requirement can only be sufficiently met through monitoring.
    2. Section 501(b) of the Gramm-Leach-Bliley Act (1999) states that a bank should manage and control risk by “monitoring systems and procedures to detect actual and attempted attacks on or intrusions into customer information systems”, both internally and with service providers, and is the all-encompassing successor to the following:
       a. Section 39 of the Federal Deposit Insurance Act
       b. Code of Federal Regulations, Title 12 (Banks and Banking), Part 30, Appendix B
       c. Code of Federal Regulations, Title 12 (Banks and Banking), Part 208, Appendix D-2
       d. Code of Federal Regulations, Title 12 (Banks and Banking), Part 225, Subpart J, Appendix F
       e. Code of Federal Regulations, Title 12 (Banks and Banking), Part 263, Subpart I, Appendix D-1
       f. Code of Federal Regulations, Title 12 (Banks and Banking), Part 364, Appendix B
       g. Code of Federal Regulations, Title 12 (Banks and Banking), Part 570, Appendix
       h. Code of Federal Regulations, Title 12 (Banks and Banking)
    3. USA Patriot Act (2001). Although this Act does not directly ask an organization to monitor, it increases the ability of law enforcement agencies to search telephone, email communications, medical, financial, and other records. As a result, log management is necessary for compliance.
    4. Sarbanes-Oxley Act (2002). The formal name of this act is the Public Company Accounting Reform and Investor Protection Act of 2002. It requires the boards, accounting firms, and management of publicly traded firms to adhere to a higher set of financial recording and reporting standards. The reporting requirements can only be sufficiently met through monitoring.
    5. California Senate Bill 1386. California Senate Bill 1386 was introduced in July 2003. The bill was the first attempt by a state legislature to address the problem of identity theft by introducing stiff disclosure requirements for businesses and government agencies that experience security breaches that might involve the personal information of California residents. Implied in the bill is that, in order to be able to assess compliance, an organization should monitor its devices and applications regularly so as to adhere to the following: “Notice must be given to any resident of California whose PI is or is reasonably believed to have been acquired by an unauthorized person.” Notice must be given in the “most expedient time possible” and “without unreasonable delay”, subject to certain provisions that define what reasonable is for your organization.
    Also: Basel II. Basel II improved on Basel I, first enacted in the 1980s, by offering more complex models for calculating regulatory capital in order to make risky investments, such as the subprime mortgage market, in which higher-risk assets are moved to unregulated parts of holding companies. In addition to safeguarding bank solvency while protecting the international financial system, Basel II also strives to reduce operational risks. However, the Basel Committee on Banking Supervision recognizes that operational risk is a term that has a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided the minimum elements in the Committee's definition are included. Through compliance, banks are assured that they hold sufficient capital reserves for the risk they expose the bank to through its lending and investment practices.
  • From Basel II definition: Basel II improved on Basel I, first enacted in the 1980s, by offering more complex models for calculating regulatory capital in order to make risky investments, such as the subprime mortgage market, in which higher-risk assets are moved to unregulated parts of holding companies. In addition to safeguarding bank solvency while protecting the international financial system, Basel II also strives to reduce operational risks. However, the Basel Committee on Banking Supervision recognizes that operational risk is a term that has a variety of meanings and therefore, for internal purposes, banks are permitted to adopt their own definitions of operational risk, provided the minimum elements in the Committee's definition are included. Through compliance, banks are assured that they hold sufficient capital reserves for the risk they expose the bank to through its lending and investment practices.
  • My verbiage idea: In-house legal teams must have a complete understanding of the types of systems in use and their vulnerabilities. In addition, in-house legal teams must have a complete understanding of the types of documents stored, the location of the documents, the duration of storage, whether copies exist, and the documents’ accessibility. To fulfill this obligation, in-house legal teams must meet with information technology personnel in order to fully understand external fraud vulnerabilities and how the company’s computer systems store, retrieve and disposition/delete data. As a result, in-house legal teams must have a complete understanding of current laws, regulations and standards relating to external fraud, as well as know the levels of sensitive information. In addition, in-house legal teams must have a complete understanding of the company’s data retention architecture/data map and policies, including system-wide backup procedures and recycling policies. Lastly, in-house legal teams must also meet with records management personnel in order to understand the methods and policies under which the company stores, retrieves and disposes of hard copies of documents. While in-house legal teams' duties in this respect may be unconventional, they are necessary in order to effectively implement a preservation notice and associated litigation holds.
  • The laws identified that form the legal basis of the federal financial regulatory system are as follows (Various other laws govern the regulation of U.S. financial markets and institutions—such as those affecting trusts and pension plans):

    1. Proactive Legal Departments: Mitigate Operational Risks (August 16, 2010)
    2. What is Operational Risk?
       • “The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.”*
       * Basel II Definition
    3. US Laws pertaining to Operational Risk
       • Section 216 of the Fair and Accurate Credit Transactions Act (2003) (FACT Act)
       • Section 501(b) of the Gramm-Leach-Bliley Act (1999)
       • USA Patriot Act (2001)
       • Sarbanes-Oxley Act (2002)
       • California Senate Bill 1386
       • Basel II
       • Solvency II
    4. What is IT Security Operational Risk?
       • External Fraud - theft of information, hacking damage, third-party theft, and forgery
       • Business Disruption & Systems Failures - utility disruptions, software failures, and hardware failures
    5. What’s the cost?
       • Regulatory fines
           • State
           • Federal
       • Liability costs
           • Credit Monitoring Services
           • Litigation Support Services Costs
    6. Mitigate IT Security Operational Risk
       • Meet w/ IT members
       • Understand systems
       • Assess exposure
       • Minimize gaps w/ technology
       • Monitor
    7. Thank you
       • Phil Godwin
       • VP of Sales
       • Clear Technologies
       • 469-360-4061
       • [email_address]
    8. Back Up Slides
    9. Banking: Originating Case Law
       • The Bank Merger Act of 1966 divided the authority to approve bank mergers among the banking agencies and DOJ, making the banking industry the only industry to have its merger activity independently reviewed outside the DOJ or the FTC.
       • The Savings and Loan Holding Company Act Amendments of 1967 provided for the regulation of savings and loan holding companies by the FSLIC.
       • The Federal Credit Union Act Amendments of 1970 established the National Credit Union Administration as an independent agency to regulate federal credit unions; it also established federal credit union insurance under the National Credit Union Share Insurance Fund.
       • The Currency and Foreign Transactions Reporting Act and the Bank Secrecy Act of 1970 brought the Treasury into the picture, allowing it to monitor large cash and foreign-currency transactions.
       • The Consumer Credit Protection Act of 1968, which included the Truth in Lending Act (TLA), gave the Federal Reserve rulemaking authority for truth-in-lending, although enforcement of TLA is the responsibility of all the federal financial regulators for depository institutions and the FTC for non-depository lending institutions, such as mortgage and finance companies.
       • The Fair Housing Act of 1968 is administered by HUD and enforced by the federal financial regulators.
       • In 1970 the Fair Credit Reporting Act was passed, which the FTC administers; the federal financial regulators examine depository institutions for compliance under the act.
       • The Financial Institutions Reform, Recovery and Enforcement Act (FIRREA) of 1989 abolished FSLIC and the FHLBB and created, in their place, the OTS to regulate and supervise thrifts. FIRREA also established the Federal Housing Finance Board to regulate the FHLBs.
       • The Federal Housing Enterprises Financial Safety and Soundness Act of 1992 created OFHEO to oversee Fannie Mae and Freddie Mac, which had previously been regulated by HUD and the FHLBB.
       • The National Currency Act of 1863 created the OCC to establish a system of national banks.
       • The Federal Reserve Act of 1913 created the Federal Reserve System.
       • Congress passed the Federal Home Loan Bank Act of 1932, which established the Federal Home Loan Bank System.
       • The Securities Act of 1933 addressed the need for disclosure regarding debt and equity securities sold in interstate commerce or through the mail.
       • The Home Owners’ Loan Act of 1933 established the federal chartering of S&Ls; it also gave the Federal Home Loan Bank Board (FHLBB) responsibility for regulating, examining and supervising S&Ls.
       • The Banking Act of 1933, among other things, created the FDIC, which was given not only the role of providing a federal system of deposit insurance, but also the role of regulator of insured state banks that were not Federal Reserve members.
       • Congress passed the Securities Exchange Act of 1934, which extended the disclosure principles of the Securities Act of 1933 to debt and equity securities already outstanding if listed on national exchanges, and created the SEC.
       • The Federal Credit Union Act and the National Housing Act of 1934 provided for the establishment of federal credit unions.
       • The National Housing Act of 1934 created the Federal Savings and Loan Insurance Corporation (FSLIC) and provided for the chartering of national mortgage associations as entities within the federal government.
       • The Banking Act of 1935, among other provisions, expanded the FDIC’s supervisory powers.
       • The Investment Company Act and the Investment Adviser Act of 1940 brought investment companies and investment advisers under SEC regulation.
       • The Bank Holding Company Act of 1956 brought multibank holding companies under Federal Reserve regulation.
       • The Bank Holding Company Act Amendments of 1970 brought one-bank holding companies under Federal Reserve regulation.
