The document discusses and compares three compliance standards - PCI, GLBA, and HIPAA. It categorizes them based on whether they use a checklist model, risk management framework, or a hybrid of both. PCI is described as an industry standard checklist aimed at protecting card data. GLBA uses a risk-based approach giving financial institutions autonomy in compliance. HIPAA takes a hybrid approach with both checklist and risk-based elements, suited to the varied healthcare industry. The intent behind each is also discussed - with PCI providing a standardized baseline, GLBA enabling flexible risk management, and HIPAA's hybrid nature accommodating different entity types. Examples are given of entities that would need to comply with each standard.
Cyber-attacks destroy the trusted relationship with customers and partners, the lifeblood of financial services. The industry is also behind the curve when it comes to adapting to the changes in working practices and consumer behaviour, driven by rapidly evolving smart devices.
Dear Delegates,
Corporate fraud costs businesses hundreds of millions of dollars each year. It affects livelihoods and is a common cause of corporate failure. It is the responsibility of the board of directors to prevent fraud by putting in place the appropriate controls and review procedures. This program shows you why Accounting Information System (AIS) threats are ever increasing. Control risks have also increased in the last few years because there are computers and servers everywhere, and information is available to an unprecedented number of workers. Distributed computer networks make data available to many users, and these networks are harder to control than centralized mainframe systems. With the introduction of the three levels of COSO and value-driven ERM, things should be under control. Recent events at SATYAM prove that in reality things are getting out of control. So, what went wrong? Is it time to train the auditors?
Recognising the challenges that organisations are facing in combating fraud, CSI In Practice is pleased to present this 2-day workshop on Enterprise Fraud Risk Management. This will serve as an excellent opportunity to learn how best to conduct an internal investigation to protect your organization and step up controls to deter fraud.
The FBI is the lead federal agency for investigating malicious cyber activity by criminals, nation-state adversaries, and terrorists. To fulfill this mission, the FBI often develops resources to enhance operations and collaboration. One such resource is the FBI’s Internet Crime Complaint Center (IC3) which provides the public with a trustworthy and convenient mechanism for reporting information concerning suspected Internet-facilitated criminal activity. At the end of every year, the IC3 collates information collected into an annual report.
Credit is due to all original authors, and no financial gain was made from the blog; it simply shares an interesting story for educational purposes.
PwC/CIO/CSO study on information security (2014), PwC France
http://bit.ly/Cybersecurite-sept14
Global study by PwC, CIO and CSO conducted online from 27 March 2014 to 25 May 2014. The results presented here are based on the responses of more than 9,700 CEOs, CFOs, CIOs, CISOs, CSOs, vice presidents and directors of information and security practices from more than 154 countries.
35% of respondents are from North America, 34% from Europe, 14% from Asia-Pacific, 13% from South America, and 4% from the Middle East and Africa.
IBM X-Force Threat Intelligence Report 2016, thinkASG
Download the latest IBM X-Force Threat Intelligence Report
High-value breaches stole headlines as lackluster security fundamentals left organizations open to attack in 2015.
* The globalization of security incidents is shifting to targets like health-related PII and sensitive personal data
* The growing sophistication and organization of cybercrime rings are helping expand their reach
* New attack techniques like mobile overlay malware are evolving, while classics like DDoS and POS malware remain effective
Global Cyber Market Overview June 2017, Graeme Cross
Highly publicized attacks on blue chip companies, announcements of alliances formed between insurers, reports of partnerships established with cyber security firms and hiring of renowned experts have all contributed to making cyber one of the hottest topics in the insurance industry. However, behind the hype of the media and the marketing battles fought by insurers and brokers to position themselves as leaders in the market, there is the reality of a genuine opportunity. In this paper, we explore how the cyber insurance market has evolved in recent year
Riesgo Risk Management's Fraud Management solution is a cost-effective means of implementing a fraud management system that detects, prevents and mitigates fraud. It has adaptors that may sit on servers and trigger alerts to the Fraud Management dashboard.
As we enter the digital economy, companies will quickly realize that the differentiator in the digital economy is information. Information, being a valuable resource, is subject to theft, hacking, phishing and a host of other issues that compromise a company's ability to participate in the digital economy. Cybersecurity failures compromise the trust of buyers and partners necessary to participate in the digital economy. It is up to every company to ensure that the information shared with it is protected to the best of its ability, and to proactively notify the persons and organizations who entrust it with the information necessary to transact business (any personal identity information, including but not limited to addresses, credit card information, social security numbers, account information, credit information, medical records, etc.) of any potential compromise that could harm them through that information being used maliciously or shared with others.
The purpose of this writing is to cover some of the core requirements for implementing cybersecurity, the accountabilities for cybersecurity risks, and the information used to manage a viable cybersecurity program.
Over the last several years, financial institutions have spent billions of dollars and resources securing a perimeter defense system consisting of intrusion detection, intrusion prevention, firewalls, user authentication, and other layers of security, all built to secure their financial systems. Due to the exponential increase in internal and external information security incidents, these investments are necessary to protect an institution's reputation and revenue. In addition, the federal government is using regulatory means to ensure that banks take responsibility for potential losses.
Of equal or even greater threat, however, are the social aspects of the Internet that cannot be controlled. For example, financial institutions need to be aware of the reputational risk that is inherent on the Internet. Each institution needs to do more than reactively protect its data; it must also proactively safeguard its reputation online, where references to its corporate name alone can number in the millions. An institution must also guard against infringements of its logo, its trademarks or other graphic representations. This risk, outside the firewall, is the other side of the coin.
Data breach events result in significant losses each year. Our partners at Bonahoom & Bobilya, LLC, created a presentation about understanding the hidden regulatory risks of a data breach so you can keep your company from going out of business.
This presentation has been shared with permission.
Does your organization take credit card information? Do you store personal information on your staff, clients or donors? Raffa can help you avoid the pitfalls and penalties that can come from storing these privacy-related items in unsecured ways.
PCI DSS, the Payment Card Industry Data Security Standard is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. This applies to essentially any merchant that has a Merchant ID (MID).
HIPAA, the Health Insurance Portability and Accountability Act, sets the standard for protecting sensitive patient data. Any company that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. This includes anyone who provides treatment, payment or operations in healthcare, and anyone who has access to patient information and supports treatment, payment or operations.
Come learn the basics of these industry regulations, including:
-Who it applies to
-Requirements for compliance
-Penalties for noncompliance
Join us and learn where your organization may have security gaps or be out of state or federal compliance. In this seminar, we will discover how a combination of good policies and the implementation of good, solid solutions can help you meet compliance requirements, and protect and secure your organization or business.
CHAPTER 3 Security Policies and Regulations, EstelaJeffery653
CHAPTER 3
Security Policies and Regulations
In this chapter you will
• Explore the different types of regulations associated with secure software development
• Learn how security policies impact secure development practices
• Explore legal issues associated with intellectual property protection
• Examine the role of privacy and secure software
• Explore the standards associated with secure software development
• Examine security frameworks that impact secure development
• Learn the role of securing the acquisition lifecycle and its impact on secure development
Regulations and Compliance
Regulations and compliance drive many activities in an enterprise. The primary reason behind this is the simple fact that failure to comply with rules and regulations can lead to direct, and in some cases substantial, financial penalties. Compliance failures can carry additional costs, such as increased scrutiny, greater regulation in the future, and bad publicity. Since software is a major driver of many business processes, a CSSLP needs to understand the basis behind various rules and regulations and how they affect the enterprise in the context of their own development efforts. This enables decision making as part of the software development process that is in concert with these issues and enables the enterprise to remain compliant.
Much has been said about how compliance is not the same as security. In a sense this is true, for one can be compliant and still be insecure. Viewed from a risk management point of view, security is an exercise in risk management, and so are compliance and other hazards. Add it all together and you get an "all hazards" approach, which is popular in many industries, as senior management is responsible for all hazards and the residual risk from all risk sources.
Regulations can come from several sources, including industry and trade groups and government agencies. The penalties for noncompliance can vary as well, sometimes based on the severity of the violation and other times based on political factors. The factors determining which systems are included in regulation and the level of regulation also vary based on situational factors. Typically, these factors and rules are published significantly in advance of taking effect, to allow firms time to plan enterprise controls and optimize risk management options. Although not all firms will be affected by all sets of regulations, it is also not uncommon for a firm to have multiple sets of regulations across different aspects of an enterprise, even overlapping on some elements. This can add to the difficulty of managing compliance, as different regulations can have different levels of protection requirements.
Many development efforts may have multiple regulatory impacts, and mapping the different requirements to the individual data flows that they each affect is important. For instance, if an application invo ...
Affirmative Defense Response System (ADRS), guest95afa8
Mitigating damages and reducing risk before, during and after a data breach occurs is what ADRS is all about. A system that shows "every good faith effort" at protecting the NonPublic Personal Information (NPI) of your customers, employees, and vendors as mandated by the FTC.
Security Compliance Models- Checklist v. Framework
Divya Kothari
IMT 553 - Assignment 1
SECURITY COMPLIANCE MODELS: CHECKLISTS VERSUS RISK
INTRODUCTION
Technology is pacing forward at a speed that is forcing everything else to play catch-up, especially law and regulation. This has resulted in highly convoluted threat landscapes. Government, industry regulators, small and large businesses and individuals are almost on the same page (if you forget the NSA for a moment) when it comes to protection of privacy and security for all stakeholders of a society. This has led to numerous compliance regimes in the hope of getting better sleep at night. This paper highlights three such compliance standards: 1) the Payment Card Industry Data Security Standard ("PCI"), 2) the Gramm-Leach-Bliley Act [1] ("GLBA") and 3) the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), categorizing them into different kinds of models, their applicability and the intent behind each.
CATEGORIZATION: CHECKLIST, RISK MANAGEMENT FRAMEWORK OR BOTH?
1) PCI DSS
PCI, an industry standard checklist, came into existence in 2004 when the five major card brands decided to align their schemes [2] to raise the level of protection for card issuers and increase safeguards for cardholders by making sure that all entities comply with a certain baseline of security controls. Compliance with this 'one size fits all' approach is mandated by the card brands themselves rather than by a government regulator. For cut-and-dried issues such as firewalls, vulnerability patches, encryption, etc., no exceptions are made for different environments. Thus questions such as (i) your company is employing new workers with remote access to a system which processes card payments; is their identity authenticated? (ii) new patches have been released for the latest vulnerabilities; have you applied them? (iii) is the outsourced vendor following secure practices? [3] presented in the form of a checklist make it easy for organizations without a dedicated security team and with a limited budget, as this 'security checklist' provides much leeway when it comes to self-assessment and ease of audit, with appropriate guidance at each step. [4]
As Bob Russo, General Manager of the PCI Council, puts it:
“PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."
It may be noted that since PCI DSS is an industry standard rather than a statute, it is not mandated by law. Its force is contractual: the card brands and acquiring banks require any entity that accepts or handles their cards to comply with all of the standard's applicable requirements.
2) GLBA
Protecting the privacy of consumers' personally identifiable financial information held by "financial institutions" is at the heart of the financial privacy provisions of this Act. It requires companies to give consumers privacy notices explaining the institution's information-sharing practices. In turn,
[1] Also known as the Financial Services Modernization Act of 1999.
[2] Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express' Data Security Operating Policy, Discover's Information Security and Compliance, and JCB's Data Security Program.
[3] Herbig J., 2011, "Security as a Checklist? Think Again", PCI Compliance Guide website. Retrieved from: https://www.pcicomplianceguide.org/security-as-a-checklist-think-again/
[4] Refer to Appendix 1 for an illustration.
consumers have the right to limit some (not all) sharing of their information. [5] GLBA aims to achieve its underlying principles of security and compliance by laying down a risk-based approach. This approach allows 'financial institutions' (as defined by the Act) certain autonomy in how to conduct various internal processes, for instance prioritization of assets, identification of risks, etc., to achieve an end result. For instance, the Safeguards Rule under the Act [6] stipulates the development of a written security plan and subsequently conducting a thorough risk analysis so as to build the safeguards needed to comply with GLBA. [7] While a checklist, as seen above, provides a baseline of controls, a risk-based model can be adopted for a more comprehensive risk mitigation/avoidance/transference strategy, e.g. by establishing an internal team for such an assessment or having a third-party audit. This helps an organization customize the framework according to its unique needs and resources.
GLBA, being a federal statute, applies to a financial institution whether or not it discloses nonpublic personal information. Furthermore, the Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities. [8]
3) HIPAA
HIPAA was enacted into law in 1996. In brief, it aims to protect 'protected health information' ("PHI") by putting safeguards in place, limiting use, sharing and access to the 'minimum necessary', having appropriate agreements with related parties that use or disclose sensitive information, and implementing sufficient training programs. The way HIPAA is structured is a hybrid of a checklist and a risk-based model. "Essentially, a 'covered entity' (as defined by the act) is given a broad power to disclose protected PHI. However from then on, the limitations on disclosure begin to stack up. With the exception of disclosures for treatment activities, most other disclosures are subject to the "minimum necessary" limitation embodied in HIPAA – the protected health information disclosed should be the minimum necessary to accomplish the purpose of the disclosure." [9]
As Michael Whaley (2015) puts it:
"Regulators chose a hybrid framework for HIPAA because healthcare data transverses a broad spectrum of health care providers, insurance companies, law firms, and clearinghouses." [10]
APPLICATION OF FRAMEWORK
1) PCI
PCI applies to all entities, irrespective of size, that store, process or transmit cardholder data. [11] Thus everything from the smallest physical point-of-sale interaction for any of the above-stated five credit/debit card brands to the biggest online retailer is subject to PCI.
For purposes of our paper, let us take the example of Braintree (Level 1 PCI DSS compliant). [13] Now acquired by PayPal, but still run independently, Braintree [14] provides payment processing options across a plethora of devices and on a global scale for thousands of online and mobile companies including Uber, Airbnb, Fab, etc., [15] which indirectly means that it has access to a lot of cardholder data. On the other hand, an entity like Thai Tom, a Thai restaurant in Seattle that only accepts cash and does not take online orders, does not need to be PCI compliant.
2) GLBA
This law applies to financial institutions such as banks, securities firms, insurance companies, etc. that sell financial products and services to consumers. They are required to ensure the security and confidentiality of consumer financial information against "reasonably foreseeable" internal or external threats. [12]
The banking industry, by virtue of being an information-intensive sector, comes under the purview of GLBA. Despite its primary intention of integrating a variety of financial services offered by one institution, the Act also attempts to upgrade and modernize the financial industry. With the end user being constantly apprehensive of 'Big Brother' issues, this Act draws a distinction between affiliated and non-affiliated third parties in terms of customer financial information disclosure, and gives the consumer the right to limit such disclosure to the latter. Thus, apart from functional regulation, the Act aims to protect confidential information via its 'Financial Privacy Rule', 'Safeguards Rule' and 'Pretexting Protection'.
3) HIPAA
An individual or organization that falls under the definition of 'covered entity' under HIPAA must comply with the necessary rules (for Privacy, Security, Enforcement and Breach Notification). This includes health care providers, health plans and clearinghouses. Additionally, if any of these engages a 'business associate' to help carry out its functions, the latter must also comply with HIPAA.
One such 'business associate' is MAXIMUS. "For 40 years, MAXIMUS has partnered with federal, state and local governments to make public health insurance programs run effectively for the individuals and families they serve." [16] For all its projects pertaining to healthcare, MAXIMUS has written contracts with the covered entity at the other end, establishing specifically what is contracted to be performed and committing to comply with the Rules mandated to protect PHI. In addition to the contractual obligations, MAXIMUS is directly liable for certain provisions of the HIPAA rules.
[5] Federal Trade Commission, "In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act". Retrieved from: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act
[6] Refer to Appendix 3.
[7] Miller M., 2014, "Compliance versus Risk: A look at checklist versus risk based models". Retrieved from: https://accelerite.com/blog/entry/compliance-versus-risk-a-look-at-checklist-versus-risk-based-models
[8] Federal Trade Commission, "In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act". Retrieved from: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act
[9] Anderson S., 2013, "Does HIPAA apply to employers", LexisNexis. Retrieved from: https://www.lexisnexis.com/legalnewsroom/labor-employment/b/labor-employment-top-blogs/archive/2013/10/03/does-hipaa-apply-to-employers.aspx?Redirected=true
[10] Whaley M., 2015, "PCI Checklists versus HIPAA Risk Management Framework". Retrieved from: https://www.linkedin.com/pulse/pci-checklists-versus-hipaa-risk-management-framework-michael-whaley
INTENT BEHIND ADOPTION OF FRAMEWORKS
PCI gives organizations of different scale a standardized template for their business relationships and accordingly lets them meet the compliance needs of their clients. Adopting PCI also gives the company or institution a stamp of approval, which is a good strategy to build and maintain customer share. A company like Braintree, by advertising its compliance with PCI, shows that it has sound security controls in place which, though they do not guarantee complete protection, still help give it a competitive edge by winning consumer trust.
Being compliant with GLBA is synonymous with a pre-emptive and adaptive risk management approach. It also gives the banking industry a substantial degree of freedom in the 'hows' of implementing system and people processes within a risk model. GLBA as a risk management framework is often viewed as a less expensive and more efficient guide to navigating the company's affairs.
An entity's risk tolerance changes over time, and eventually compliance becomes just one factor in the entire risk profile. In such cases a hybrid model often stands out. Thus, in our example, the hybrid approach allows MAXIMUS to follow a checklist for certain provisions of the Act only when it acts in the capacity of a business associate as per HIPAA.
[11] PCI DSS Applicability Information, page 7. Retrieved from: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[12] Airmagnet GLBA Compliance Report. Retrieved from: http://airmagnet.flukenetworks.com/assets/reports/Reports_GLBA_Report.pdf
[13] Refer to Appendix 2.
[14] Braintree website: https://www.braintreepayments.com/
[15] VB|Profiles catalog website: https://www.vbprofiles.com/companies/521983e1843bac676e0003a2
[16] MAXIMUS website: http://www.maximus.com/health