Fundamentals of Information Systems Security Chapter 15

© 2018 Jones and Bartlett Learning, LLC, an Ascend Learning Company
www.jblearning.com
All rights reserved.
Fundamentals of Information
Systems Security
Lesson 15
U.S. Compliance Laws

Fundamentals of Information Systems Security
www.jblearning.com
Page 2Fundamentals of Information Systems Security
www.jblearning.com
Learning Objective(s)
 Apply information security standards and
U.S. compliance laws to real-world
applications in both the private and public
sector.

www.jblearning.com
www.jblearning.com
Key Concepts
 What compliance is and how it’s related to
information security
 Overview of U.S. compliance laws
 NIST Risk Management Framework (RMF)
 Making sense of laws for information security
compliance

www.jblearning.com
www.jblearning.com
U.S. Compliance Laws
 Organizations entrusted with sensitive data
should take steps to protect data
 U.S. doesn’t have one comprehensive data
protection law
 Many federal data protection laws focus on
specific types of data
• Require organizations to use security controls to
protect the different kinds of data that they collect
 Laws are not optional

www.jblearning.com
www.jblearning.com
Compliance Is the Law
Organizations collect sensitive data called personally
identifiable information (PII), which includes:
• First, middle, and last name
• Home mailing address
• Social Security number
• Driver’s license number
• Financial account data
• Health data and biometric data
• Authentication credentials

www.jblearning.com
www.jblearning.com
Compliance Is the Law (cont.)
Organizations must:
• Follow laws and regulations
• Interpret them so that policies and procedures
can be defined
• Document:
• Policies
• Standards
• Procedures
• Guidelines

www.jblearning.com
www.jblearning.com
How Are Privacy and Information
Security Related?
Privacy A person’s right to control the use and disclosure of
his or her own personal information
Control A person can decide how his or her data can be
collected, used, and shared with third parties
Information
security
The process used to keep data private
Security is the process; privacy is a result

www.jblearning.com
www.jblearning.com
Federal Information Security
Federal government is the largest creator
and user of information in the United States
Government IT systems hold:
• Data that are critical for government
operations
• Data that are important for running the
business of the federal government
• Sensitive military data

www.jblearning.com
www.jblearning.com
Management Act (FISMA) of 2002
Applies to federal agencies and their IT
systems
Federal agencies fall under the executive
branch of the U.S. government
The Office of Management and Budget
(OMB) is responsible for FISMA
compliance

www.jblearning.com
www.jblearning.com
FISMA: Purpose and Main
Requirements
Risk assessments
Annual inventory
Policies and procedures
Subordinate plans
Security awareness training
Testing and evaluation
Remedial actions
Incident response
Continuity of operations

www.jblearning.com
www.jblearning.com
FISMA: Purpose and Main
Requirements (cont.)
An agency must:
• Protect the IT systems that support its
operations
• Test its IT systems at least yearly
• Review the information security controls on IT
systems
• Apply some types of controls and make sure
they work
• Monitor its security risk

www.jblearning.com
www.jblearning.com
Modernization Act (FISMA) of 2014
Clearly defines the
roles, responsibilities,
accountabilities,
requirements, and
practices needed to
fully implement
FISMA security
controls and
requirements

www.jblearning.com
www.jblearning.com
Role of the National Institute of
Standards and Technology (NIST)
 Creates guidance that all federal agencies use
for their information security programs
 Creates standards that agencies use to
classify their data and IT systems
 Creates guidelines and minimum information
security controls for IT systems
 Creates Federal Information Processing
Standards (FIPSs) and Special Publications
(SPs)

www.jblearning.com
www.jblearning.com
Risk
Management
Framework
(RMF) Process

www.jblearning.com
www.jblearning.com
National Security Systems (NSSs)
 Secure using a risk-based approach
 Include systems used for:
• Intelligence activities
• National defense
• Foreign policy
• Military activities
 Committee on National Security Systems (CNSS)
oversees FISMA activities
 Use the same six-step process as the NIST RMF

www.jblearning.com
www.jblearning.com
Health Insurance Portability and
Accountability Act (HIPAA): Purpose
and Scope
Contains data protection rules that address security and
privacy of personally identifiable health information
Department of Health and Human Services (HHS)
responsible for rules and compliance
Protected health information (PHI) is any individually
identifiable information about a person’s health
Covers health care providers and business associates

www.jblearning.com
www.jblearning.com
Main Requirements of the HIPAA
Privacy Rule
Determines how covered entities must protect the
privacy of PHI
Covered entities may not use or disclose a person’s PHI
without his or her written consent
Exceptions allow a covered entity to share a person’s
PHI without a person’s written consent
A covered entity must inform people about how it uses
and discloses PHI

www.jblearning.com
www.jblearning.com
Main Requirements of the HIPAA
Security Rule
Require covered entities to use security
safeguards to protect electronic protected
health information (EPHI)
Require covered entities to create an
information security program
Require covered entities to use information
security principles to protect EPHI
Use required and addressable safeguards

www.jblearning.com
www.jblearning.com
Security Rule
Administrative
Safeguards

www.jblearning.com
www.jblearning.com
Security Rule Physical Safeguards

www.jblearning.com
www.jblearning.com
Security Rule Technical Safeguards

www.jblearning.com
www.jblearning.com
HIPAA Oversight
HHS oversees compliance with the HIPAA
Privacy and Security Rules
HHS delegated this function to Office for
Civil Rights (OCR)
OCR enforces HIPAA compliance
HITECH Act defined a tiered system for
assessing the level of each HIPAA
violation: Tiers A-D

www.jblearning.com
www.jblearning.com
HIPAA Omnibus Regulations
Omnibus Rule
provides a
catchall update to
HIPAA and
HITECH Act
rulings
Tightens the
requirements of
covered entities
and business
associates

www.jblearning.com
www.jblearning.com
Gramm-Leach-Bliley Act (GLBA)
 Addresses privacy and security of consumer financial
information
 Federal Financial Institutions Examination Council
(FFIEC) regulatory committee services the U.S. banking
community
 FFIEC Council developed a Cybersecurity Assessment
Tool used to identify bank or financial institution’s
cybersecurity maturity
 FFIEC complements a banking or financial organization’s
ongoing risk management program and cybersecurity
implementations

www.jblearning.com
www.jblearning.com
GLBA: Purpose and Scope
Financial institutions must follow GLBA
privacy and security rules to help mitigate
data breaches and identity theft
GLBA requires financial institutions to
protect consumers’ nonpublic financial
information (NPI)
• NPI is personally identifiable financial
information that a consumer gives to a
financial institution

www.jblearning.com
www.jblearning.com
Agencies with GLBA Oversight
Responsibilities
Securities and Exchange Commission (SEC)
Federal Reserve System (the Fed)
Federal Deposit Insurance Corporation (FDIC)
National Credit Union Administration (NCUA)
Office of the Comptroller of the Currency (OCC)
Office of Thrift Supervision (OTS)
Federal Trade Commission (FTC)

www.jblearning.com
www.jblearning.com
Main Requirements of the GLBA
Privacy Rule
 A financial institution may not share a consumer’s NPI
with nonaffiliated third parties
 Can share this information only when it first provides the
consumer with notice of its privacy practices. Notice must:
• Tell consumers about the types of data that the
institution collects
• State how the institution uses the collected information
• Describe how the institution protects a consumer’s NPI
 Privacy Rule requires that consumers have a chance to
opt out of certain types of data sharing with nonaffiliated
third parties

www.jblearning.com
www.jblearning.com
Main Requirements of the GLBA
Safeguards Rule
Protect the security and confidentiality of customer data
Protect against threats to the security or integrity of
customer data
Protect against unauthorized access to or use of
customer data that could result in harm to a customer
Require a financial institution to create a written
information security program

www.jblearning.com
www.jblearning.com
GLBA: Oversight
Institutions that violate GLBA can be
subject to both criminal and civil penalties
• Monetary fines can be substantial
GLBA requires financial institutions to
follow privacy and security rules
Make sure that your organization’s IT
systems operate in a way that complies
with the law

www.jblearning.com
www.jblearning.com
Sarbanes-Oxley (SOX) Act:
Purpose and Scope
 Protects investors from financial fraud
 Applies to publicly traded companies that must
register with the Securities and Exchange
Commission (SEC)
 Requires companies to verify the accuracy of their
financial information
 Section 404 requires an organization’s executive
officers to establish, maintain, review, and report on
effectiveness of the company’s internal controls over
financial reporting (ICFR)

www.jblearning.com
www.jblearning.com
SOX Control Certification
Requirements
 A company must create, document, and test
its ICFR
 It must report on its ICFR every year
 After a company makes its yearly report,
outside auditors must review it to make sure
the ICFR work
 ICFR are processes that provide reasonable
assurance that an organization’s financial
reports are reliable

www.jblearning.com
www.jblearning.com
SOX Records Retention
Requirements
 SOX requires public companies to:
• Maintain their financial audit papers for seven years,
including, work papers, memoranda, correspondence,
electronic records; other records created, sent, or
received in connection with the audit
• Retain the records and documentation that it uses to
assess its internal controls over financial reporting
 It’s a crime for a person or company to knowingly
and willfully violate records retention provisions

www.jblearning.com
www.jblearning.com
SOX Oversight
SEC oversees and enforces most SOX
provisions
• Mission is to protect investors and maintain the integrity of
the securities industry
• Has five commissioners who serve 5-year terms
• Has 11 regional offices in the United States
SOX requires SEC to review a public company’s
yearly and quarterly reports at least once every
three years

www.jblearning.com
www.jblearning.com
Family Educational Rights and
Privacy Act (FERPA)
• Demographic information
• Address and contact information
• Parental demographic
information
• Parental address and contact
information
• Grade information
• Disciplinary information
Educational
institutions
can collect
and store
student data:

www.jblearning.com
www.jblearning.com
FERPA: Purpose and Scope
If school doesn’t receive federal funds, it doesn’t have
to comply with FERPA
• Written documents
• Computer media
• Video
• Film
• Photographs
Primary goal is to protect the privacy of student
records:
Includes any records maintained by an outside party
acting on a school’s behalf

www.jblearning.com
www.jblearning.com
FERPA: Main Requirements
 Students (or their parents, if the student is
under 18) have the following rights:
• To know what data are in the student’s student
record and the right to inspect and review that
record
• To request that a school correct errors in a
student record
• To consent to have certain kinds of student
data released

www.jblearning.com
www.jblearning.com
FERPA: Main Requirements
(cont.)
 A school must protect personally identifiable information
in student records (name, SSN, student number)
 A school can’t release a student’s records to a third
party without student’s written consent
 FERPA allows directory information to be disclosed
without student consent as long as the student is
notified; school can do this so long as it has given
notice to the student
 A student can choose to forbid the release of directory
information

www.jblearning.com
www.jblearning.com
FERPA: Oversight
FPCO oversees FERPA compliance
Has the authority to review and investigate FERPA
complaints
Schools that violate FERPA can lose federal funding
Only the FPCO is allowed to sanction schools that violate
FERPA

www.jblearning.com
www.jblearning.com
Children’s Internet Protection Act
(CIPA): Purpose and Scope
Requires
certain schools
and libraries to
filter offensive
Internet content
so that anyone
under 17 can’t
access it
Any school or
library
receiving
federal funding
from the E-
Rate program
must comply

www.jblearning.com
www.jblearning.com
CIPA: Main Requirements
Covered schools and libraries must filter offensive
Internet content so children can’t get to it
Technology protection measure (TPM) is any technology
that can block or filter the objectionable content
Schools and libraries must adopt and enforce an Internet
safety policy to comply with CIPA
A library or school must be able to disable the TPM for
any adult if that adult needs to use a computer

www.jblearning.com
www.jblearning.com
CIPA: Oversight
The FCC has oversight for CIPA
Little oversight action is required
The FCC may require a library to refund the E-
Rate discount for the period of time it wasn’t in
compliance

www.jblearning.com
www.jblearning.com
Payment Card Industry Data Security
Standard (PCI DSS): Purpose and Scope
Assists merchants and financial institutions in
understanding and implementing standards for
security policies, technologies, and ongoing
processes that protect their payment systems from
reaches and theft of cardholder data
Helps vendors understand and implement PCI
standards and requirements for ensuring secure
payment solutions are properly implemented

www.jblearning.com
www.jblearning.com
PCI DSS: Purpose and Scope
(cont.)
To validate compliance:
• On-site PCI audit by a qualified security assessor (QSA)
• Quarterly vulnerability assessment scanning performed
by an approved scanning vendor (ASV)
• Complete an annual self-assessment questionnaire
(SAQ) with quarterly vulnerability assessment scanning
from an approved ASV scanning company
• SAQ lists all security control requirements that are
needed for various SAQ levels

www.jblearning.com
www.jblearning.com
PCI Data Security Standard
Requirements

www.jblearning.com
www.jblearning.com
PCI DSS: Main Requirements
 Requirement 3.3
• Updated requirement to clarify that any displays of the
primary access number (PAN) (e.g., a 16-digit credit
card number) greater than first six/last four digits of the
PAN requires a legitimate business need
• Added guidance on common masking scenarios
 Requirement 8.3
• Expanded Requirement 8.3 into subrequirements that
require multifactor authentication for personnel with
nonconsole administrative access and personnel with
remote access to cardholder data environment (CDE)

www.jblearning.com
www.jblearning.com
(cont.)
 Requirement 10.8.1(effective February 1, 2018)
• A new requirement for service providers to detect and
report on failures of critical security control systems
 Requirement 11.3.4.1 (effective February 1, 2018)
• A new requirement for service providers to perform
penetration testing on segmentation controls at least
every six months

www.jblearning.com
www.jblearning.com
(cont.)
 Requirement 12.4 (effective February 1, 2018)
• A new requirement for service providers’ executive
management to establish responsibilities for the
protection of cardholder data and a PCI DSS
compliance program
 Requirement 12.11.1 (effective February 1, 2018)
• A new requirement for service providers to perform
reviews at least quarterly, to confirm that personnel are
following security policies and operational procedures

www.jblearning.com
www.jblearning.com
Making Sense of Laws for
Information Security Compliance
 Organizations must comply with federal laws and
state laws
 As a systems security professional, you will:
• Possess the skills needed to make sense of these
compliance laws
• Understand how IT systems must be configured in
order to meet your organization’s compliance
requirements
• Be able to explain how these laws affect IT systems
• Be able to explain the steps that your organization took
to be compliant

www.jblearning.com
www.jblearning.com
Laws and Information Security
Concepts
Confidentiality Integrity Availability
FISMA FISMA FISMA
HIPAA HIPAA HIPAA
GLBA SOX GLBA
FERPA FERPA SOX
CIPA
PCI DSS v3.2 PCI DSS v3.2 PCI DSS v3.2

www.jblearning.com
www.jblearning.com
Summary
What compliance is and how it’s
related to information security
Overview of U.S. compliance laws
NIST Risk Management Framework
(RMF)
Making sense of laws for information
security compliance

Fundamentals of Information Systems Security Chapter 15

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Fundamentals of Information Systems Security Chapter 15

Similar to Fundamentals of Information Systems Security Chapter 15 (20)

More from Dr. Ahmed Al Zaidy

More from Dr. Ahmed Al Zaidy (20)

Recently uploaded

Recently uploaded (20)

Fundamentals of Information Systems Security Chapter 15