Information Systems 365
       Lecture 10
  Industry Regulations
Today’s Chocolate Bar: 3 Musketeers
   When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.
Some Of This Stuff Is Tedious
So, after each section we will have
 “take away slides”, PAY ATTENTION
 TO THOSE!
Industry Regulations: Why Bother Learning Them?
   Ability to impress interviewers
   It all relies on TECHNOLOGY
   Learn:
   Policies
   Procedures
   Legislation
   Guidance
Today
   Regulation, legislation and guidance
    definitions. Provide a common
    understanding of the different types of
    requirements.
   Commercial Guidance:
   Industry must be concerned with
    compliance, legislation and guidance.
   Federal, State, International and Industry
    Regulations
Information Security Related Laws
   Federal Information Security Management Act of
    2002 (“FISMA”)
   Gramm-Leach-Bliley Act (“GLBA”)
   Health Insurance Portability and Accountability
    Act of 1996 (“HIPAA”)
   Sarbanes-Oxley Act
   USA PATRIOT Act
   Counterfeit Access Devices and Computer Fraud
    and Abuse Act of 1984 (“CFAA”)
   Electronic Communications Privacy Act (“ECPA”)
Take Away
   There are 5 or 6 major information
    security laws
   They all pretty much say the same things
    with about 20% special differences related
    to the specific industries they cover
   The 80% 20% rule
What’s the difference between Federal laws and regulations?
   Laws generally specify what is required,
    but not how it should be done.
   Laws are frequently vague and can be
    ambiguous.
What Are Regulations?
   Regulations stipulate requirements to be
    compliant with laws
   Regulations may contain specific steps or
    procedures for compliance
   Frequently composed with help from
    industry experts
Take Away
   Laws are general
   Regulations are more specific
Federal Activities Related to Information Security
   Major Federal responsibility is securing Federally
    owned/operated systems.
   Federal government does not generally regulate
    security of non-government systems.
   HOWEVER, Federal government does require
    that certain types of information be protected.
   Federal government working with industry
    regarding security of critical infrastructure.
Federal Laws We’re Going to Cover Today
   Federal Information Security Management
    Act
   Gramm-Leach-Bliley Act (GLBA)
   Health Insurance Portability and
    Accountability Act (HIPAA)
   Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act
   Builds on requirements of:
       Computer Security Act of 1987
       Paperwork Reduction Act of 1995
       Information Technology Management Reform
        Act of 1996
   Provides basic statutory framework for
    securing Federally owned/operated
    computer systems.
FISMA
   Requires each agency to
       Inventory computer systems,
       Identify and provide appropriate security
        protections, and
       Develop, document and implement agency-
        wide information security program
   Authorizes National Institute of Standards
    & Technology (NIST) to develop security
    standards and guidelines for systems used
    by federal government.
Take Away
   FISMA covers Federal Government
    systems
   Encrypted information
   Defense information
   National Security information
       Inventory computer systems,
       Identify and provide appropriate security
        protections, and
       Develop, document and implement agency-
        wide information security program
Gramm-Leach-Bliley Act
   Requires “financial institutions” to protect
    security and confidentiality of customers’
    non-public financial information.
   Authorizes various agencies to coordinate
    development of regulations: Comptroller
    of the Currency, SEC, FDIC, FTC, etc.
   FTC announced final rule implementing
    GLBA in May 2002.
GLBA (cont)
FTC GLBA regulations:
     Published at 16 CFR 314
     Require “financial institutions” to develop,
      implement and maintain comprehensive
      information security program with appropriate
      administrative, technical and physical
      safeguards, including:
         Designating employee to coordinate program
         Performing risk assessments
         Performing regular testing and monitoring
         Process for making changes in light of test results
          or changes in circumstances.
So what is a “financial institution” under GLBA?
   Under GLBA rule, “financial
    institutions” generally includes
    anyone who extends credit to consumers,
    but also includes debt collection
    agencies, mortgage lenders, real estate
    settlement services, and entities that
    process consumers' non-public personal
    financial information.
GLBA Continued
   FTC's GLBA rule also regulates non-affiliated third
    parties (parties that are not financial institutions)
    by limiting the transfer of non-public personal
    information they receive from financial
    institutions.
   What’s tricky about GLBA?
       Broad definition of “financial institution” could
        potentially include array of companies that may not
        consider themselves as such (e.g., department
        store that offers lay-away services or
        manufacturers that offer equipment financing).
       Multiple agencies with authority to issue
        regulations. Could conflict.
What do you need to do under GLBA?
If GLBA applies to your company:
   Create, implement and maintain an information security program.
   The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope).
   Regularly assess risks.
GLBA, What You Need To Do
   Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers.
   Adjust information security program as necessary based on testing or other changes.
Take Away
Requires “financial institutions” to protect
 security and confidentiality of customers’
 non-public financial information.
Health Insurance Portability and Accountability Act
   Authorizes Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:
       Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;
       Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
HIPAA Continued
 HIPAA security regulations are much
  more substantive than GLBA security
  regulations.
 GLBA is vague, HIPAA is more specific!
HIPAA Scope & Key Definitions
Requires health care entities to
 implement new privacy policies,
 comply with technical security
 requirements, provide notice/secure
 authorizations for a range of uses and
 disclosures of health information, and
 enter into written agreements with
 business partners regarding the
 ability to share such information
Definitions You Will Forget
   HIPAA Key Definitions
     Protected health information (“PHI”) includes
      all individually identifiable health information
      (“IIHI”) in the hands of “covered entities.”
     “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.
     “Business Associates” are any people or
      entities that perform certain activities or
      functions on behalf of a Covered Entity that
      involves the use or disclosure of protected
      health information (i.e., claims processing,
      benefit management, etc.).
HIPAA Security Rule - General
   Requires CEs to implement unified security
    approach based on “defense in depth.”
   Is technology neutral. CEs select appropriate
    technology to protect information.
   Requires CEs to protect information from both
    internal and external threats.
   Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.
HIPAA Security Regulations
   HIPAA security requirements fall into three
    categories:
       Administrative Safeguards
       Physical Safeguards
       Technical Safeguards
   Each category includes:
       “standards”: WHAT the organization must do;
        and
       “implementation specifications”: HOW it must
        be done.
HIPAA Administrative Safeguards
   Administrative safeguards require
    documented policies and procedures for
    managing:
       Day-to-day operations;
       Conduct and access of workforce members to
        protected information;
       Selection, development and use of security
        controls.
HIPAA Physical Safeguards
   Physical safeguards are intended to
    protect information systems and protected
    information from unauthorized physical
    access.
   CE must limit physical access while still
    permitting authorized physical access.
HIPAA Technical Safeguards
   Technical Safeguards are requirements for
    using technology to control access to
    protected information
   Access Controls
   Audit Controls
   Information Integrity Controls
   Person or entity authentication
   Transmission security
HIPAA Documentation Requirements
   CE must maintain documentation (e.g.,
    policies and procedures) required by
    HIPAA Security Rule until LATER OF
       6 years from date of creation; OR
       6 years from date policy/procedure was last in
        effect.
   CE must regularly review and update
    documentation.
Take Away
   HIPAA covers healthcare related
    institutions, both public and private
   Technical Controls
   Physical Controls
   Administrative Controls
Sarbanes-Oxley
   After Enron, Adelphia Communications,
    MCI/Worldcom (among others) showed
    there were flaws in current financial
    reporting requirements, Congress passed
    SOX.
   Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”
   Two sections of SOX have impact on
    information security: Section 302 and
    Section 404.
Sarbanes-Oxley Sections 302 and 404
   Section 302 states that CEO and CFO must
    personally certify that financial reports are
    accurate and complete. Must also assess and
    report on effectiveness of internal controls
    around financial reporting.
   Section 404 states that corporation must assess
    effectiveness of internal controls and report
    assessment to SEC. Assessment must also be
    reviewed by outside auditing firm.
Godzilla Size Take Away
No assessment of internal controls
 is complete without an
 understanding of information
 security. Insecure systems cannot
 be considered a source of reliable
 financial information.
What do you have to do to comply with SOX?
   Comply with requirements of ITGI
    Framework Topics:
       Security Policy
       Security Standards
       Access and Authentication
       User Account Management
       Network Security
       Monitoring
       Segregation of Duties
       Physical Security
SOX Audit
   Auditors will look for:
       Whether policies exist for appropriate information security topics
       Whether policies have been approved at appropriate management levels
       Whether policies are communicated effectively to personnel
Take Away
   A core goal of SOX is to protect investors
    by providing assurance that financial data
    is truthful and has maintained its integrity
   Without technical controls, you have no
    way to verify financial data truthfulness
    and integrity
   Hardly begins to explain why we just gave
    700 billion to the banks!
California has been leading the way
Requires notification to California-resident
 data owners if a security breach discloses
 (or might have disclosed) certain
 information that could lead to identity
 theft.
Covered Information
   Name (full name or first initial and last name)
   Social security number
   Driver’s license number
   California Identification Card number
   Account number or credit or debit card number along with any required security code, access code, or
SB 1386 (cont)
   Companies are not required to notify
    customers if the information was stored in
    encrypted form.
       Some speculation that even something as
        simple as ROT13 would satisfy this
        requirement, but don’t bank on it.
AB 1950
   On Sept. 29, California enacted AB 1950,
    which requires a business that
       Stores personal information about a California resident
        MUST implement and maintain reasonable security
        procedures and practices appropriate to the nature of the
        information to protect it from unauthorized access,
        destruction, modification, use or disclosure.
       Discloses personal information about a California resident
        to a third party as part of a contract will require the third
        party to implement and maintain the same reasonable
        security procedures and practices appropriate to the
        nature of the information to protect it from unauthorized
        access, destruction, modification, use or disclosure.
My organization isn’t in California, why should I care?
   Because SB 1386 applies to any person or
    organization that conducts business in
    California and stores personal information
    about California residents on a computer
    system.
   Many states are implementing their own
    regulations, similar to California
FTC has started enforcing security “promises”
FTC Actions Regarding Security:
   Eli Lilly
       Disclosure of email addresses of Prozac prescription holders
   Microsoft
       Overpromising regarding security of MS Passport service
   Guess, Inc.
       Promising security of information while remaining vulnerable to common attacks
You’ve been cracked… And now you’re sued.
   US law requires people to behave
    “reasonably”.
   If you don’t behave reasonably and
    someone is harmed because of it, you
    may be liable for negligence.
   So…If your systems get cracked, and the
    cracker uses your boxes to launch an
    attack on someone else, that victim may
    try to sue you for negligently configuring
    your systems so that the cracker could get
You’ve been sued… And you might lose.
   If you cannot show that you were
    “reasonable” - which may be defined as
    having complied with industry regulations,
    a court may decide that you were
    negligent and your company is liable for
    the damages of the downstream victim(s).
   This hasn’t happened, yet, but many
    people think it’s coming.
LECTURE TAKE AWAYS
   Knowing regulations is impressive to
    employers, I’m not sure why…
   GLB, SOX and HIPAA all require similar
    things
   Authentication
   Auditing
   Protection
   Data Integrity Proof
   80% 20% rule!!!
