Information Systems 365 Lecture 10 Industry Regulations
Today’s Chocolate Bar 3 Musketeers When introduced in 1932, 3 Musketeers had three pieces of candy in one package, flavored vanilla, chocolate and strawberry, hence the name. In 1945, the product was changed to a single bar with the aforementioned chocolate filling.
Some Of This Stuff Is Tedious So, after each section we will have “take away slides”, PAY ATTENTION TO THOSE!
Industry Regulations Why Bother Learning Them? Ability to impress interviewers It all relies on TECHNOLOGY Learn: Policies Procedures Legislation Guidance
Today Regulation, legislation and guidance definitions. Provide a common understanding of the different types of requirements. Commercial Guidance: Industry must be concerned with compliance, legislation and guidance. Federal, State, International and Industry Regulations
Information Security Related Laws Federal Information Security Management Act of 2002 (“FISMA”) Gramm-Leach-Bliley Act (“GLBA”) Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Sarbanes-Oxley Act USA PATRIOT Act Counterfeit Access Devices and Computer Fraud and Abuse Act of 1984 (“CFAA”) Electronic Communications Privacy Act (“ECPA”)
Take Away There are 5 or 6 major information security laws. They all pretty much say the same things, with about 20% special differences related to the specific industries they cover: the 80% / 20% rule.
What’s the difference between Federal laws and regulations? Laws generally specify what is required, but not how it should be done. Laws are frequently vague and can be ambiguous.
What Are Regulations? Regulations stipulate requirements to be compliant with laws Regulations may contain specific steps or procedures for compliance Frequently composed with help from industry experts
Take Away Laws are general Regulations are more specific
Federal Activities Related to Information Security Major Federal responsibility is securing Federally owned/operated systems. Federal government does not generally regulate security of non-government systems. HOWEVER, Federal government does require that certain types of information be protected. Federal government working with industry regarding security of critical infrastructure.
Federal Laws We’re Going to Cover Today Federal Information Security Management Act Gramm-Leach-Bliley Act (GLBA) Health Insurance Portability and Accountability Act (HIPAA) Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act Builds on requirements of: Computer Security Act of 1987 Paperwork Reduction Act of 1995 Information Technology Management Reform Act of 1996 Provides basic statutory framework for securing Federally owned/operated computer systems.
FISMA Requires each agency to inventory computer systems, identify and provide appropriate security protections, and develop, document and implement an agency-wide information security program. Authorizes the National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by the federal government.
Take Away FISMA covers Federal Government systems Encrypted information Defense information National Security information Inventory computer systems, Identify and provide appropriate security protections, and Develop, document and implement agency-wide information security program
Gramm-Leach-Bliley Act Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information. Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc. FTC announced final rule implementing GLBA in May 2002.
GLBA (cont) FTC GLBA regulations: Published at 16 CFR 314 Require “financial institutions” to develop, implement and maintain comprehensive information security program with appropriate administrative, technical and physical safeguards, including: Designating employee to coordinate program Performing risk assessments Performing regular testing and monitoring Process for making changes in light of test results or changes in circumstances.
So what is a “financial institution” under GLBA? Under the GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers’ non-public personal financial information.
GLBA Continued The FTC’s GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions. What’s tricky about GLBA? The broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., a department store that offers lay-away services or manufacturers that offer equipment financing). Multiple agencies with authority to issue regulations. Could conflict.
What do you need to do under GLBA? If GLBA applies to your company: Create, implement and maintain an information security program. The information security program should have the regular involvement of the Board of Directors (this may be beyond your scope). Regularly assess risks.
GLBA, What You Need To Do Create, document, implement and maintain policies and procedures to manage and control risk, including training, testing and managing/monitoring third party service providers. Adjust information security program as necessary based on testing or other changes.
Take Away Requires “financial institutions” to protect security and confidentiality of customers’ non-public financial information.
Health Insurance Portability and Accountability Act Authorizes Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to: Ensure integrity and confidentiality of individually identifiable health information held or transferred by them; Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
HIPAA Continued HIPAA security regulations are much more substantive than GLBA security regulations. GLBA is vague, HIPAA is more specific!
HIPAA Scope & Key Definitions Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information
Definitions You Will Forget HIPAA Key Definitions Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.” “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions. “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (i.e., claims processing, benefit management, etc.).
HIPAA Security Rule - General Requires CEs to implement unified security approach based on “defense in depth.” Is technology neutral. CEs select appropriate technology to protect information. Requires CEs to protect information from both internal and external threats. Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number 2.htm#four for a detailed discussion of how to conduct a risk analysis.
HIPAA Security Regulations HIPAA security requirements fall into three categories: Administrative Safeguards Physical Safeguards Technical Safeguards Each category includes: “standards”: WHAT the organization must do; and “implementation specifications”: HOW it must be done.
HIPAA Administrative Safeguards Administrative safeguards require documented policies and procedures for managing: Day-to-day operations; Conduct and access of workforce members to protected information; Selection, development and use of security controls.
HIPAA Physical Safeguards Physical safeguards are intended to protect information systems and protected information from unauthorized physical access. CE must limit physical access while still permitting authorized physical access.
HIPAA Technical Safeguards Technical Safeguards are requirements for using technology to control access to protected information Access Controls Audit Controls Information Integrity Controls Person or entity authentication Transmission security
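The five technical safeguard categories on this slide are easier to see in code than in a list. The following is an added example written for these notes, not code from the lecture or from any HIPAA guidance: a minimal in-process PHI access gateway in which each check maps to one category. The users, tokens, roles, records and the integrity key are all constructed; in a real system they would come from an identity provider, a KMS/HSM and a database, and the `over_tls` flag is a stand-in for an actual transport check.

```python
"""Minimal PHI access gateway sketching HIPAA's five technical safeguard categories.

Constructed example: users, tokens, roles, records and the key are invented and
would normally live in an identity provider, a KMS/HSM and a real database."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

INTEGRITY_KEY = b"constructed-demo-key-not-for-production"

# Constructed sample PHI records keyed by patient id.
RECORDS: Dict[str, str] = {
    "p-001": "Jane Doe; dx: hypertension",
    "p-002": "John Roe; dx: type 2 diabetes",
}

# Access control: each role gets only the operations it needs (least privilege).
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "physician": {"read", "write"},
    "billing": {"read"},
    "facilities": set(),
}

# Person or entity authentication: constructed user -> (role, shared secret).
USERS: Dict[str, Tuple[str, str]] = {
    "dr.smith": ("physician", "tok-smith"),
    "acct1": ("billing", "tok-acct1"),
    "temp9": ("facilities", "tok-temp9"),
}


def seal(record: str) -> str:
    """Integrity control: keyed hash so silent alteration of a record is detectable."""
    return hmac.new(INTEGRITY_KEY, record.encode(), hashlib.sha256).hexdigest()


# Stored form: (record, integrity tag). Changing a record without re-sealing it
# is caught on the next read.
SEALED: Dict[str, Tuple[str, str]] = {pid: (rec, seal(rec)) for pid, rec in RECORDS.items()}


@dataclass
class Gateway:
    # Audit control: every attempt, allowed or denied, is recorded with its outcome.
    audit_log: List[str] = field(default_factory=list)

    def _audit(self, user: str, action: str, pid: str, outcome: str) -> None:
        self.audit_log.append(f"user={user} action={action} record={pid} outcome={outcome}")

    def access(self, user: str, token: str, action: str, pid: str,
               over_tls: bool = True) -> Optional[str]:
        """Return the record on success, None on any denial (the reason goes to the audit log)."""
        # Transmission security: refuse to release PHI over an unprotected channel.
        # The boolean stands in for a real "is this connection TLS?" check.
        if not over_tls:
            self._audit(user, action, pid, "denied:insecure-channel")
            return None
        # Person or entity authentication: constant-time secret comparison.
        entry = USERS.get(user)
        if entry is None or not hmac.compare_digest(entry[1], token):
            self._audit(user, action, pid, "denied:authentication")
            return None
        role = entry[0]
        # Access control: the role must be allowed to perform this action.
        if action not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, action, pid, "denied:unauthorized")
            return None
        stored = SEALED.get(pid)
        if stored is None:
            self._audit(user, action, pid, "denied:no-such-record")
            return None
        record, tag = stored
        # Integrity control: verify the tag before trusting the record.
        if not hmac.compare_digest(seal(record), tag):
            self._audit(user, action, pid, "denied:integrity-failure")
            return None
        self._audit(user, action, pid, "ok")
        return record


if __name__ == "__main__":
    gw = Gateway()
    print(gw.access("dr.smith", "tok-smith", "read", "p-001"))   # record released
    print(gw.access("temp9", "tok-temp9", "read", "p-001"))      # None: no permission
    print("\n".join(gw.audit_log))
```

Note that denials are logged as carefully as successes: the audit control is what lets a covered entity answer “who looked at this record, and who tried to” during the risk assessments the rule requires.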
HIPAA Documentation Requirements CE must maintain documentation (e.g., policies and procedures) required by HIPAA Security Rule until LATER OF 6 years from date of creation; OR 6 years from date policy/procedure was last in effect. CE must regularly review and update documentation.
Take Away HIPAA covers healthcare related institutions, both public and private Technical Controls Physical Controls Administrative Controls
Sarbanes-Oxley After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX. Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.” Two sections of SOX have impact on information security: Section 302 and Section 404.
Sarbanes-Oxley Sections 302 and 404 Section 302 states that CEO and CFO must personally certify that financial reports are accurate and complete. Must also assess and report on effectiveness of internal controls around financial reporting. Section 404 states that corporation must assess effectiveness of internal controls and report assessment to SEC. Assessment must also be reviewed by outside auditing firm.
Godzilla Size Take Away No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.
What do you have to do to comply with SOX? Comply with requirements of ITGI Framework Topics: Security Policy Security Standards Access and Authentication User Account Management Network Security Monitoring Segregation of Duties Physical Security
SOX Audit Auditors will look for: Whether policies exist for appropriate information security topics Whether policies have been approved at appropriate management levels Whether policies are communicated effectively to personnel
Take Away A core goal of SOX is to protect investors by providing assurance that financial data is truthful and has maintained its integrity Without technical controls, you have no way to verify financial data truthfulness and integrity Hardly begins to explain why we just gave 700 billion to the banks!
California has been leading the way Requires notification to California-resident data owners if a security breach discloses (or might have disclosed) certain information that could lead to identity theft.
Covered Information: Name (full name or first initial and last name); Social security number; Driver’s license number; California Identification Card number; Account number or credit or debit card number along with any required security code, access code, or
SB 1386 (cont) Companies are not required to notify customers if the information was stored in encrypted form. Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.
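Put together, the previous three slides describe a decision procedure: a breached record needs a notice when it carries a name plus one of the listed data elements, unless it was stored encrypted. The block below is an added example for these notes, not code from the lecture or from the statute. It treats keyless transforms such as ROT13 as encoding rather than encryption, which is this example's own policy choice (the slide only says ROT13 might count and advises against relying on it), and the breach sample, field names and protection labels are all constructed.

```python
"""Breach-notification triage for the SB 1386 data elements listed on the slide.

Constructed example: the records, the protection labels and the policy of treating
keyless encodings as "not encrypted" are this example's assumptions, not statutory text."""
import base64
import codecs
from dataclasses import dataclass
from typing import Dict, List

# Reversible transforms that need no secret. Data stored this way is encoded, not
# encrypted, so this example does not grant them the encrypted-data exemption.
KEYLESS_TRANSFORMS = {"none", "rot13", "base64", "hex"}


def keyless_recover(stored: str, transform: str) -> str:
    """Undo a keyless transform with no key at all; this is why ROT13 earns no exemption here."""
    if transform == "rot13":
        return codecs.decode(stored, "rot13")
    if transform == "base64":
        return base64.b64decode(stored).decode()
    if transform == "hex":
        return bytes.fromhex(stored).decode()
    return stored


def covered_information(fields: Dict[str, str]) -> bool:
    """A name plus at least one of the listed data elements makes the record notifiable."""
    if not fields.get("name"):
        return False
    if any(fields.get(k) for k in ("ssn", "drivers_license", "ca_id_card")):
        return True
    # An account or card number only counts together with the code needed to use it.
    return bool(fields.get("account_number") and fields.get("access_code"))


@dataclass
class ExposedRecord:
    fields: Dict[str, str]   # the record's contents, known to the triage team
    protection: str          # how it was stored: "none", "rot13", "aes-256-gcm", ...


def classify(rec: ExposedRecord) -> str:
    """notify / exempt_encrypted / not_covered for one exposed record."""
    if not covered_information(rec.fields):
        return "not_covered"
    if rec.protection in KEYLESS_TRANSFORMS:
        return "notify"
    return "exempt_encrypted"


def triage(records: List[ExposedRecord]) -> Dict[str, int]:
    """Count how many exposed records fall into each outcome."""
    summary = {"notify": 0, "exempt_encrypted": 0, "not_covered": 0}
    for rec in records:
        summary[classify(rec)] += 1
    return summary


# Constructed breach sample: every value here is invented.
SAMPLE = [
    ExposedRecord({"name": "A. Resident", "ssn": "000-00-0000"}, "none"),
    ExposedRecord({"name": "B. Resident", "ssn": "000-00-0001"}, "rot13"),
    ExposedRecord({"name": "C. Resident", "drivers_license": "X0000000"}, "aes-256-gcm"),
    ExposedRecord({"name": "D. Resident", "account_number": "4111-0000-0000-0000"}, "none"),
    ExposedRecord({"name": "E. Resident", "account_number": "4111-0000-0000-0001",
                   "access_code": "0000"}, "none"),
    ExposedRecord({"ssn": "000-00-0002"}, "none"),   # no name: not covered information
]

if __name__ == "__main__":
    print(triage(SAMPLE))                          # {'notify': 3, 'exempt_encrypted': 1, 'not_covered': 2}
    print(keyless_recover("Wnar Qbr", "rot13"))    # Jane Doe
```

The `exempt_encrypted` outcome assumes the decryption key itself was not part of the breach; a real triage would check that before relying on the exemption.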
AB 1950 On Sept. 29, California enacted AB 1950, which requires that a business that stores personal information about a California resident MUST implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure; and that a business that discloses personal information about a California resident to a third party as part of a contract must require the third party to implement and maintain the same reasonable security procedures and practices.
My organization isn’t in California, why should I care? Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system. Many states are implementing their own regulations, similar to California’s.
FTC has started enforcing security “promises” FTC Actions Regarding Security: Eli Lilly Disclosure of email addresses of Prozac prescription holders Microsoft Overpromising regarding security of MS Passport service Guess, Inc. Promising security of information while remaining vulnerable to common attacks
You’ve been cracked… And now you’re sued. US law requires people to behave “reasonably”. If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence. So… If your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get
You’ve been sued… And you might lose. If you cannot show that you were “reasonable” - which may be defined as having complied with industry regulations, a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s). This hasn’t happened, yet, but many people think it’s coming.
LECTURE TAKE AWAYS Knowing regulations is impressive to employers, I’m not sure why… GLB, SOX and HIPAA all require similar things Authentication Auditing Protection Data Integrity Proof 80% 20% rule!!!