TEL382 Greene Chapter 12
Outline • What is the Gramm-Leach-Bliley Act? • Involving the Board • Assessing Risk • Managing Risk • Adjusting the Program, Reporting to the Board, and Implementing the Standards • What’s Different About the FTC Safeguards Act? • Identity Theft and Regulatory Compliance
What is the Gramm-Leach-Bliley Act? • Financial Modernization Act of 1999 - Security Regulations For Financial Sector • Signed Nov 11, 1999 – allowed banks to engage in wide array of financial services • Ended regulations prohibiting merger of banks, stock brokers, insurance companies • Title 5 specifically addresses privacy and security of customer financial information • Section 501(b) requires all financial institutions to implement and maintain safeguards to protect customer information (Nonpublic Personal Information – NPI)
GLBA – Who Is Covered • Automobile Dealers • Check-Cashing • Consumer Reporting • Courier Services • Credit Card • Credit Counselors • Data Processors • Debt Collectors • Educational Institutions • Financial Planners • Insurance Companies • Mortgage Brokers • Property Appraisers • Real Estate • Retail Stores That Use CC • Securities Firms
GLBA • February 1, 2001 - 12 CFR, Part 30, et al. Interagency Guidelines Establishing Standards for Safeguarding Customer Information Final Rule (effective July 1, 2001) • Comprehensive written information security program including administrative, technical, and physical safeguards • May 23, 2003 – FTC 16 CFR Part 314 Standards for Safeguarding Customer Information; Final Rule (effective May 23, 2003)
GLBA Information Security Program • Ensuring Confidentiality of Customer Information • Protecting Integrity of Information Against Threats • Making information Available to customers and management in an accurate and timely manner • Protecting Against Unauthorized Access • Protecting against loss • Establishing procedures for safeguarding of assets
Involving the Board • Interagency Guidelines require that Board of Directors must oversee development, implementation, maintenance and approve the written information security program • Financial institutions that fail to comply face civil penalties of $100K per violation and Officers/Directors can be personally liable with penalties of $10K per violation
Assessing Risk
• Risk Management program is critical component
• Interagency Guidelines:
  • Identify foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information
  • Assess likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information
  • Assess sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks
• Information and Information Systems Inventory
• Identifying and Assessing Threats
• Mitigating Controls
• Classify System Criticality
• Classify Threats
• Sort by Criticality/Threat
• Identify Mitigating Control (Safeguard)
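The slide lists the steps of the risk assessment (inventory, classify criticality, classify threats, sort by criticality/threat, pick a safeguard) without showing what the output looks like. The following is an added example, not from the slides or from Greene: a small Python risk register that carries those steps through on a constructed inventory. The score scales, the doubling for systems that hold NPI, the system names, the threats and the safeguard mapping are all assumptions chosen for illustration.

```python
"""Added example (not from the Greene slides): a small risk register that walks
the Assessing Risk steps. Every system name, threat, score scale and safeguard
mapping here is constructed for illustration."""
from dataclasses import dataclass

# Ordinal scales for the "Classify System Criticality" and "Classify Threats" steps.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}

# Constructed mapping from the four outcome categories named in the Interagency
# Guidelines to one mitigating control (safeguard) each.
SAFEGUARDS = {
    "unauthorized disclosure": "encryption of customer information at rest and in transit",
    "misuse": "role-based access controls with periodic access review",
    "alteration": "change control plus file and database integrity checking",
    "destruction": "tested off-site backups and environmental controls",
}


@dataclass(frozen=True)
class System:
    name: str
    criticality: str   # key of CRITICALITY
    holds_npi: bool    # stores nonpublic personal information (customer data)


@dataclass(frozen=True)
class Threat:
    system: str        # System.name this threat applies to
    category: str      # key of SAFEGUARDS
    description: str
    likelihood: str    # key of LIKELIHOOD
    impact: str        # key of IMPACT


@dataclass(frozen=True)
class RiskEntry:
    system: str
    threat: str
    score: int
    safeguard: str


def risk_score(system: System, threat: Threat) -> int:
    """Criticality x likelihood x impact. Systems holding NPI are doubled because
    the guidelines weight risk by the sensitivity of the customer information."""
    base = (CRITICALITY[system.criticality]
            * LIKELIHOOD[threat.likelihood]
            * IMPACT[threat.impact])
    return base * 2 if system.holds_npi else base


def rank_risks(systems, threats):
    """Inventory -> score each (system, threat) pair -> sort highest risk first
    -> attach the safeguard for the threat category."""
    by_name = {s.name: s for s in systems}
    entries = []
    for t in threats:
        if t.system not in by_name:
            raise KeyError(f"threat references a system missing from the inventory: {t.system!r}")
        s = by_name[t.system]
        entries.append(RiskEntry(s.name, t.description, risk_score(s, t), SAFEGUARDS[t.category]))
    return sorted(entries, key=lambda e: (-e.score, e.system, e.threat))


# Constructed sample inventory and threat list.
SYSTEMS = [
    System("core-banking", "high", holds_npi=True),
    System("hr-portal", "medium", holds_npi=False),
    System("marketing-site", "low", holds_npi=False),
]
THREATS = [
    Threat("core-banking", "unauthorized disclosure",
           "unencrypted customer export on a lost laptop", "likely", "severe"),
    Threat("core-banking", "alteration",
           "insider changes account balances", "possible", "severe"),
    Threat("hr-portal", "misuse",
           "shared administrator credentials", "likely", "moderate"),
    Threat("marketing-site", "destruction",
           "web server disk failure", "possible", "minor"),
]


def example_register():
    """Ranked register for the constructed inventory (highest score first)."""
    return rank_risks(SYSTEMS, THREATS)


if __name__ == "__main__":
    for e in example_register():
        print(f"{e.score:3d}  {e.system:15s} {e.threat:45s} -> {e.safeguard}")
```

The point of the register is the ordering: the board report the guidelines ask for is easier to write when the highest-scoring pairs come first and each already names the control that addresses it.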
Managing Risk
• Control Identified Risks According to Sensitivity of Information and Activity Complexity
• Access Controls on Customer Information Systems
• Access Restrictions at Physical Locations Containing Customer Information
• Encryption of Electronic Customer Information
• System Modification Procedures
• Dual Control, Segregation of Duties, Employee Background Checks
• Monitoring Systems and Attack Detection Procedures
• Response Systems including Reports to Regulatory and Law Enforcement
• Measures to Protect Against Destruction, Loss, or Damage Due to Environmental Hazards or Technological Failures
Adjusting the Program, Reporting to the Board, and Implementing the Standards • Must Monitor, Evaluate and Adjust Effectiveness of Security Program • Report to Board of Directors At Least Annually • Risk Assessment, Risk Management and Control, Service Provider Arrangements, Test Results, Security Breaches or Violations and Management Responses, Recommendations for Change
What’s Different About the FTC Safeguards Act?
• Applies to Individuals or Organizations in Providing Financial Products or Services
• Not As Comprehensive as Interagency Guidelines
• Organizations Subject to Safeguards are not audited for compliance unless complaint filed
• Objectives:
  • Ensure security and confidentiality of customer records
  • Protect Against Threats or Hazards
  • Protect Against Unauthorized Access or Use
FTC Safeguards Act Elements • Designate Employee(s) to Coordinate Information Security Program • Identify Risks to CIA of Customer Information • Employee Training and Management • Information Systems • Detecting, Preventing and Responding to Attacks, Intrusions or Other System Failures • Design and Implement Information Safeguards, Test and Monitor Effectiveness • Oversee Service Providers • Evaluate and Adjust as a Result of Testing and Monitoring or Changes to Business
Identity Theft and Regulatory Compliance
• 2005 Supplement A – Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice
• Additional Security Controls:
  • Access Controls, Background Checks, Response Programs
• Response Program:
  • Assess Incident and What Has Been Compromised, Notify Federal Regulator, Notify Law Enforcement, Contain and Control Incident, Notify Customers
• Notification
TEL382 Greene Chapter 13
Outline • HIPAA • Understanding the Security Rule • Administrative Safeguards • Physical Safeguards • Technical Safeguards • Organization Safeguards • Policies and Procedures
HIPAA
• Health Insurance Portability and Accountability Act of 1996
• Simplify and Standardize Healthcare Administration
• Enable Better Access to Health Insurance, Reduce Fraud and Abuse, Lower Overall Cost of Healthcare
• Title II Addresses How Healthcare Transactions Are Processed and Stored
• HHS Published 5 Rules:
  • Code Set, Transaction Identifiers, Electronic Data Interchange, Privacy, Security
• August 20, 2003 Security Rule Published
Understanding the Security Rule
• Focus on Safeguarding Electronic Protected Health Information (ePHI)
  • Individually Identifiable Health Information (IIHI)
  • Stored, Processed, or Transmitted Digitally or Electronically
• Main Goal is to Protect CIA
• Entities not Complying Subject to Civil Penalties ($100 per Violation) and Criminal Penalties ($50K in fines plus 1 Year to $250K plus 10 Years)
• Five Categories:
  • Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, Documentation Requirements
Administrative Safeguards
• Formal Management Process
  • Risk Analysis, Risk Management Program, Development and Implementation of Sanction Policy, Development of Information System Activity Review
• Designation of Security Officer
• Workforce Security
  • Supervision, Clearance, Termination Procedures
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plans
• Evaluation
• Business Associate Contracts and Other Arrangements
Physical Safeguards
• Facility Access Controls
  • Facility Security Plan, Access Control and Validation Procedures, Maintenance Records, Contingency Operation
• Workstation Use
• Workstation Security
• Device and Media Controls
  • Disposal Policies and Procedures, Reuse Policies and Procedures, Hardware and Media Accountability, Data Backup and Storage Procedures
Technical Safeguards
• Access Control
  • Unique User IDs, Emergency Access Procedures, Auto Logoff Procedures, Encryption of Information at Rest
• Audit Control
  • Failed Logons, Account Lockouts, Initial Logon Times, Which Systems Users Normally Log On To, Possible Security Log Tampering, Failed Object Access Events, User Account Mods, Software Mods, Attempted Privilege Escalation
• Integrity Control
  • Patch Management, AV Software, Antispyware, Internal Port Scanning, File Integrity Checkers, Database Integrity Utilities, Email Filtering, Firewalls and IDS
• Person or Entity Authentication
  • Single or Multi-factor
• Transmission Security
  • Integrity Controls, Encryption
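The Audit Control items on this slide (failed logons, account lockouts, logon times, security log tampering, account modifications, attempted privilege escalation) are the things an audit log review looks for. The following is an added example, not from the slides or from Greene: a small Python detector run over constructed log lines in a hypothetical `timestamp key=value ...` format. The field names, the failed-logon threshold and window, and the business-hours range are assumptions; a real system's event IDs and thresholds would replace them.

```python
"""Added example (not from the Greene slides): audit-log review for the
Audit Control items. Log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp followed by space-separated key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

FAILED_LOGON_THRESHOLD = 5                 # assumed lockout policy
FAILED_LOGON_WINDOW = timedelta(minutes=10)
BUSINESS_HOURS = (7, 19)                   # assumed normal logon hours [07:00, 19:00)


def parse_line(line):
    """Return a dict with a datetime under 'ts' plus one entry per key=value, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def detect(lines):
    """Return a list of (finding, subject) tuples in the order they are detected."""
    findings = []
    failures = defaultdict(list)   # user -> timestamps of recent failed logons
    for rec in filter(None, map(parse_line, lines)):
        event, user, ts = rec.get("event"), rec.get("user", "?"), rec["ts"]
        if event == "logon_failed":
            window = failures[user]
            window.append(ts)
            # Slide the window: forget failures older than FAILED_LOGON_WINDOW.
            while window and ts - window[0] > FAILED_LOGON_WINDOW:
                window.pop(0)
            if len(window) >= FAILED_LOGON_THRESHOLD:
                findings.append(("failed_logon_burst", user))
                window.clear()          # report each burst once
        elif event == "logon_ok":
            if not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
                findings.append(("off_hours_logon", user))
        elif event == "log_cleared":
            findings.append(("possible_log_tampering", user))
        elif event == "priv_escalation" and rec.get("result") == "denied":
            findings.append(("attempted_privilege_escalation", user))
        elif event == "account_modified":
            findings.append(("user_account_modified", rec.get("target", "?")))
    return findings


# Constructed sample log: one burst of failed logons, an off-hours logon followed
# by a denied escalation and a cleared security log, and one account change.
SAMPLE_LOG = [
    "2024-03-02T09:15:01 user=alice event=logon_failed src=10.0.0.5",
    "2024-03-02T09:15:09 user=alice event=logon_failed src=10.0.0.5",
    "2024-03-02T09:15:17 user=alice event=logon_failed src=10.0.0.5",
    "2024-03-02T09:15:25 user=alice event=logon_failed src=10.0.0.5",
    "2024-03-02T09:15:33 user=alice event=logon_failed src=10.0.0.5",
    "2024-03-02T09:16:00 user=alice event=logon_ok src=10.0.0.5",
    "2024-03-02T22:40:12 user=bob event=logon_ok src=10.0.0.9",
    "2024-03-02T22:41:03 user=bob event=priv_escalation result=denied target=admin",
    "2024-03-02T22:45:30 user=bob event=log_cleared log=Security",
    "2024-03-03T10:02:11 user=carol event=account_modified target=dave change=group_add",
]

if __name__ == "__main__":
    for finding, subject in detect(SAMPLE_LOG):
        print(f"{finding:32s} {subject}")
```

Each finding maps back to one Audit Control bullet, which is what makes the review evidence for the Evaluation and Documentation requirements: the reviewer can show which control produced which alert.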
Organization Safeguards
• Business Associates Contracts
  • Must Adequately Protect ePHI, Must Report Incidents, Must Comply or Risk Termination, Provide for Government Entity Exceptions, Cover Other Arrangements for Covered Entities and Business Associates
• Standard Requirements for Group Health Plans
Policies and Procedures • Policies and Procedures • Documentation • Retention, Making Available, Updating
TEL382 Greene Chapter 14
Outline • Introduction • E-Government is Becoming a Reality • FISMA • NIST • Protecting the Privacy of Student Records • It all Started with a Corporate Scandal
Introduction • GLBA – Banking and Finance • HIPAA – Health Care • Federal Information Security Management Act (FISMA) • Federal Educational Rights and Privacy Act (FERPA) • Sarbanes-Oxley (SOX)
E-Government is Becoming a Reality • 2002 E-Government Act (Public Law 107-347) provides better efficiency, effectiveness and responsiveness • Established Federal Chief Information Officer within OMB • Title III (Federal Information Security Management Act – FISMA) requires every agency to develop, document, and implement an agency-wide risk-based information security program
FISMA
• Focuses on CIA of information and information systems as well as assurance and accountability
• 3 Federal Agencies have related roles:
  • National Institute of Standards and Technology (NIST) to develop technical security standards and guidelines for unclassified federal systems
  • Office of Management and Budget (OMB) to develop and oversee implementation of government-wide policies, principles, guidance, and standards
  • US House Committee on Government Reform to oversee variety of subject areas, including issuing the Federal Computer Security Report Card
NIST • Standards used to categorize all information and information systems for objective of providing appropriate levels of information security according to risk level • Guidelines recommending types of information and information systems to be included • Minimal information security requirements for information and information systems in each category
NIST • Developed resources for FISMA • Security standards and guidelines • Program to accredit public and private sector organizations to conduct security certification • Program to validate commercial off-the-shelf (COTS) and Government off-the-shelf (GOTS) security tools
Protecting the Privacy of Student Records
• Financial Aid/Counseling – GLBA
• Healthcare Services – HIPAA
• Schools receiving Federal Aid subject to FERPA
  • Primarily Privacy (“C” of CIA)
  • Right to access record kept by school
  • Right to demand records be disclosed only with student consent
  • Right to amend records
  • Right to file complaints against school for disclosure
Protecting the Privacy of Student Records
• 2 Types of Educational Records
  • Directory Information may be disclosed without consent (name, address, phone, date/place of birth, honors and awards, dates of attendance)
  • Nondirectory Information may not be disclosed (even to parents) without consent (SSN, race, ethnicity, gender, transcripts, grade reports)
It all Started with a Corporate Scandal
• Late 1990s Scandals with WorldCom, Enron, etc.
• Sarbanes-Oxley (SOX) improves transparency and accountability
• Section 404: identify control framework used by management to evaluate effectiveness of internal controls and requires management to attest to effectiveness
• Section 302: requires management to attest to accuracy of quarterly and annual reports, certify that they reflect financial position, note weaknesses in controls exposed by audit and describe how controls are integrated into operations
SOX
• Establish infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse
• Steps:
  • Map information systems that process, store, and transmit financial data
  • Identify risks
  • Design and implement controls
  • Document and test applications and controls
  • Ensure that controls apply to all systems, services and personnel
  • Ensure that controls are updated and changed
  • Monitor controls for effective operation
SOX
• Section 404:
  • Identify control framework – Collection of controls that covers all internal controls
  • COSO and CobiT
TEL382 Greene Chapter 15
Outline • What is a Small Business? • Why Have a Confidentiality Policy? • What is Acceptable Behavior? • Internet Use—Where to Draw the Line • Keeping Corporate Email Secure • Reporting and Responding to Incidents • Managing Passwords • Protecting Information • Protecting From Malware • Securing Remote Access • Controlling Change • Data Backup and Recovery
What is a Small Business?
• Independently owned and operated
• Employs < 500 people
• Has < $6.5M in annual revenue
• Depends upon information systems for:
  • Financial, Management, Marketing, Production
  • Email, Internet, E-commerce
• Cannot afford IT Departments or Information Security Officers
• Should have a Security Policy and follow applicable regulations (HIPAA, GLBA, etc.)
Why Have a Confidentiality Policy?
• Company information belongs to the company
• Obtain injunctive relief in case of a violation
• Confidentiality Agreements:
  • Specify types of information that can and cannot be disclosed
  • Provide legal remedy in case of disclosure
  • Define how information is to be handled and for what length of time
  • Explain what happens to information when there is no longer a “need to know”
• Policy Structure:
  • Recognition of company’s right to nondisclosure of information
  • Acknowledgement of the obligations of confidentiality
  • Understanding that all company information must be returned at the termination of employment
What is Acceptable Behavior? • Generally, policy statements outline unacceptable behavior • Should contain: • Ownership, hardware and software, resource misuse, etc.
Internet Use—Where to Draw the Line • Trade-offs: Company is tyrannical!! Vs. Time Waster • Should contain: • Monitoring and logging, data transmission (FTP, IM, P2P)
Keeping Corporate Email Secure • Should contain: • Business Use only, Clear text (unprotected), misuse of resources (spam, hoaxes, chain letters)
Reporting and Responding to Incidents
• Policy to deal with incidents
• Define framework to clearly identify:
  • What needs to be done, By Whom, Who is in charge of the situation
• All users responsible for recognizing unusual or suspicious activity
  • Network slowdown, Bouncing emails, Unexpected repair person, Papers on desk rearranged, new program on computer
• Key Questions:
  • Who should be notified, How will severity be determined, What should happen when incident occurs
• Plan Requirements:
  • List of Potential Incidents, Checklist of Who is in charge, Their Backups, Who should be notified, Prioritized Steps to Deal with Situation
Managing Passwords • Trade-off between Security and Convenience • Policy should address: • Length, Complexity, Age, Reuse, Monitoring and Audits, Consequences
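The slide names the policy knobs (length, complexity, age, reuse) but not how a system enforces them. The following is an added example, not from the slides or from Greene: a Python check that applies a constructed policy to a candidate password, keeps the reuse history as salted PBKDF2 hashes rather than plaintext, and tests age separately. The limits (12 characters, 3 character classes, 90 days, 5 previous passwords), the iteration count and the sample passwords are all assumptions.

```python
"""Added example (not from the Greene slides): a password policy check covering
the Length, Complexity, Age and Reuse items. Limits and history format are
assumptions chosen for illustration."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

MIN_LENGTH = 12               # assumed policy value
MIN_CLASSES = 3               # of: lowercase, uppercase, digit, punctuation
MAX_AGE = timedelta(days=90)  # assumed rotation period
HISTORY_DEPTH = 5             # previous passwords that may not be reused
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only these are kept in the history, never the
    plaintext, so reuse can be checked without retaining old passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def complexity_classes(password):
    """Count how many of the four character classes the password uses."""
    return sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def check_new_password(candidate, history):
    """history: list of (salt, digest) for earlier passwords, oldest first.
    Returns the policy violations; an empty list means the password is acceptable."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if complexity_classes(candidate) < MIN_CLASSES:
        violations.append("insufficient_complexity")
    if any(matches(candidate, salt, digest) for salt, digest in history[-HISTORY_DEPTH:]):
        violations.append("reused")
    return violations


def password_expired(last_changed, today):
    """Age check: rotation is required once the password is older than MAX_AGE."""
    return today - last_changed > MAX_AGE


def expiry_example():
    """Constructed dates: 91 days (expired) and exactly 90 days (still valid)."""
    return (password_expired(date(2024, 1, 1), date(2024, 4, 1)),
            password_expired(date(2024, 1, 1), date(2024, 3, 31)))


if __name__ == "__main__":
    history = [hash_password("Winter2023!!Long")]     # constructed prior password
    print(check_new_password("Winter2023!!Long", history))      # reused
    print(check_new_password("short", history))                 # too short, too simple
    print(check_new_password("Tr0ub4dor&3-Extended", history))  # acceptable
    print(expiry_example())
```

The Monitoring and Audits item on the slide is served by the same functions: `password_expired` run across the account list gives the overdue-rotation report, and a non-empty result from `check_new_password` is the event to log when a change is rejected.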
Protecting Information
• Use Information Classification Policy
  • Instructions on who can access an asset, how the asset may be used, what security measures need to be in place, and the way the asset should ultimately be disposed of or destroyed
• May be uncomplicated:
  • Confidential, Restricted, Public
• Cover Access, Storage, Transmission, Disposal
Protecting From Malware • Malware Policy • AV Software on all Workstations, Email Servers • Anti-spyware also on Workstations • Education and training on avoiding websites, downloading music or programs, etc. • Patch Management
Securing Remote Access • Who will be allowed, under what conditions, with whose authorization • How will connection be made • Don’t forget wireless
Controlling Change • Policy for Change Control to software, hardware, network, business processes • Change Management Process: • Assessment, Logging, Communication • Disciplinary Actions if Not Followed
Data Backup and Recovery • Backup Policy • Define Backup and Recovery Responsibilities • Define Backup Characteristics • Determine Restore Testing Requirements