
Challenges of Recent Legislation and the Need for IT Policy

Challenges of Recent Legislation and the Need for IT Policy. Jacqueline Craig University of California Office of the President Secure IT 2004 April 28, 2004. Challenges of Recent Legislation. Examine laws Policy formulation processes Steps to achieve policy compliance.



  1. Challenges of Recent Legislation and the Need for IT Policy • Jacqueline Craig, University of California Office of the President • Secure IT 2004, April 28, 2004

  2. Challenges of Recent Legislation • Examine laws • Policy formulation processes • Steps to achieve policy compliance

  3. Common Themes • Transparency • Review and evaluation to ensure compliance • Accountability

  4. Information Security Program • Risk assessment • Business continuity • Incident response • Information security plans • Education and awareness training • Audit processes

  5. Family Educational Rights and Privacy Act of 1974 (FERPA, known as the Buckley Amendment) • an early model • a high bar for the privacy and protection of student records • a set of principles reflected in subsequent laws

  6. FERPA Principles • Transparency: open records • ability to inspect, to know what is happening to one's records • ability to correct the record • institutional obligation to maintain a record of disclosures and to provide notice • requirement to secure all records

  7. Sectoral Privacy Law • Health Insurance Portability and Accountability Act (HIPAA) • Gramm-Leach-Bliley Act (GLBA)

  8. HIPAA • Establishes national standards for electronic health care transactions and national identifiers for providers, health plans, and employers • Privacy regulations: compliance date April 14, 2003 • Security regulations: compliance due April 21, 2005

  9. GLBA Objectives • ensure the security and confidentiality of customer records and information • protect against any anticipated threats or hazards to the security or integrity of such records • protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer

  10. California: Social Security Numbers • SB 25 – Personal Information: Security • AB 763 – Privacy: Social Security Numbers • Intent is to prevent identity theft and to protect Social Security numbers from being stolen electronically or from paper documents • Effective: January 1, 2004

  11. California legislation prohibits • public posting or display of SSNs • printing SSNs on cards required to access products or services • requiring individuals to transmit their SSN over the Internet unless the connection is secure or the number is encrypted • requiring an SSN to access a web site unless a password or PIN is also required • printing the SSN on materials mailed to the individual, unless required by law • encoding or embedding the SSN on a card or document using a bar code, chip, magnetic strip or similar technology

  12. Identity Theft • California Civil Code section 1798.29 (SB 1386; section 1798.82 is the parallel provision for businesses) • effective July 1, 2003 • requires notification to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as a result of a security breach

  13. Intellectual Property Laws • DMCA and the TEACH Act • DMCA: Do we monitor our networks to identify illegal file sharing? How does that practice comport with your network management practice?

  14. TEACH Act (Technology, Education, and Copyright Harmonization Act of 2002) • requires institutions to apply technological protection measures that reasonably prevent • retention of the transmitted work by recipients for longer than the class session • unauthorized further dissemination or downstream copying of the work

  15. USA PATRIOT Act • Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 • impacts or modifies more than 15 existing statutes • enhances the government's ability to engage in surveillance activities

  16. USA PATRIOT Act • establishes a lower threshold for obtaining records than FERPA requires • reduces the requirements for requests for information (subpoenas, search warrants, pen/trap or wiretap orders) • accelerates and expands the foreign student visa monitoring program (SEVIS)

  17. USA PATRIOT Act • be sure you have a protocol for any "information" request • establish a single point of entry for all information or surveillance requests • maintain a confidential log of these requests • establish procedures for handling requests • establish emergency and computer-trespasser procedures • involve legal counsel when requests are received

  18. Common themes • Establish policy and procedures • Identify roles and assign responsibility • Conduct education and awareness programs

  19. Risk Assessment • Classify data and records • Identify vulnerabilities and threats

  20. Workforce Issues • Education and training • Background checks • Identify the individuals authorized to access data • Establish access controls on a need-to-know basis • Establish procedures for noncompliance

  21. Implement Risk Controls • Physical security • Technical (logical) security • Evaluate: test and monitor the controls
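Slides 19 through 21 describe one procedure: classify the records, name who is authorized to see each class and for what purpose, enforce need-to-know access, and then test the control. The following is an added example written for this page (it is not from the presentation or from the University of California) showing how that chain can be expressed as a small policy-as-code check with a disclosure log in the FERPA sense. The classification levels, the roles and purposes in POLICY, and the sample student record are all constructed for the illustration.

```python
"""Need-to-know access check driven by a data classification.

Added illustration for this page, not from the presentation: the
classification levels, roles, purposes and the sample record below are
all constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

# Classification ladder, lowest to highest (constructed for the example).
LEVELS = ("public", "internal", "restricted")

# Hypothetical rule set: classification -> role -> permitted purposes.
# "*" as a role means any role; "*" as a purpose means any purpose.
POLICY: Dict[str, Dict[str, Set[str]]] = {
    "public": {"*": {"*"}},
    "internal": {
        "registrar": {"*"},
        "faculty": {"advising", "grading"},
        "security_officer": {"*"},
    },
    "restricted": {
        "registrar": {"enrollment", "financial_aid"},
        "security_officer": {"incident_response"},
    },
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject: str            # the person the record is about
    classification: str
    fields: Dict[str, str]


@dataclass(frozen=True)
class Request:
    requester: str
    role: str
    purpose: str


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every decision, allowed or denied, is recorded (the FERPA "record of
# disclosure"); a real system would write this to append-only storage.
DISCLOSURE_LOG: List[dict] = []


def evaluate(req: Request, rec: Record) -> Decision:
    """Apply the need-to-know rules; deny by default."""
    if rec.classification not in LEVELS:
        return Decision(False, f"unknown classification {rec.classification!r}")
    if req.requester == rec.subject:
        # The subject may always inspect their own record.
        return Decision(True, "subject inspecting own record")
    rules = POLICY[rec.classification]
    purposes = rules.get(req.role, rules.get("*"))
    if purposes is None:
        return Decision(False, f"role {req.role!r} has no need to know "
                               f"{rec.classification} data")
    if "*" not in purposes and req.purpose not in purposes:
        return Decision(False, f"purpose {req.purpose!r} not permitted "
                               f"for role {req.role!r}")
    return Decision(True, "authorized by policy")


def access(req: Request, rec: Record,
           log: List[dict] = DISCLOSURE_LOG) -> Optional[Dict[str, str]]:
    """Evaluate, log the decision, and return the fields or None."""
    decision = evaluate(req, rec)
    log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "record_id": rec.record_id,
        "requester": req.requester,
        "role": req.role,
        "purpose": req.purpose,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return dict(rec.fields) if decision.allowed else None


# Constructed sample record; no real data.
STUDENT = Record("S-1001", "alice", "restricted",
                 {"name": "Alice Example", "ssn_last4": "1234",
                  "aid_status": "pending"})


def demo() -> List[bool]:
    """Exercise the control, as the 'test and monitor' step asks."""
    cases = [
        Request("alice", "student", "inspect"),        # own record
        Request("bob", "registrar", "financial_aid"),  # authorized
        Request("carol", "faculty", "grading"),        # wrong classification
        Request("bob", "registrar", "curiosity"),      # wrong purpose
    ]
    return [access(r, STUDENT) is not None for r in cases]


if __name__ == "__main__":
    print(demo())                # [True, True, False, False]
    for entry in DISCLOSURE_LOG:
        print(entry)
```

The design point is that the rule table, not the application code, carries the policy: changing who may see restricted records is an edit to POLICY that can be reviewed and audited, and the denied requests in the log are exactly what a periodic review of the control would look at.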

  22. Business Continuity Planning • recovery • backup • operating in emergency mode • testing plans and procedures

  23. Outsourcing • Select and retain capable vendors • Update or create contracts containing safeguard requirements

  24. Why common themes? • The international information security standard ISO/IEC 17799

  25. SANS Institute • See Sheldon Borkin, The HIPAA Final Security Standards and ISO/IEC 17799, July 15, 2003, http://www.sans.org/rr/papers/53/1193.pdf • HIPAA security standards contain some requirements not covered by ISO 17799 • ISO 17799 has some controls not required by HIPAA

  26. Creating Policy • must take into account the culture of your organization • must engage the entire campus community

  27. Look to your local governance structure • it defines the principles of the institution • it establishes the "risk appetite" of the institution

  28. Institutional Governance Structure • defines the academic and business values of the institution • establishes priorities and the allocation of resources

  29. Institutional Governance Structure • Is IT at the table? • Is IT a partner in institutional decisions?

  30. Policy • a broad statement • describes "what" and "why"

  31. "How" includes: • Standards and guidelines: specify the technologies and methodologies to be used to secure systems • Procedures: detailed steps to accomplish particular security-related tasks

  32. Flavors of policy • Program policy • Issue-specific policy • System-specific policy

  33. Program policy: the high-level policy that defines your IT security program • has a longer life span • defines scope within the institution • assigns responsibilities • establishes strategic direction • may assign resources for implementation

  34. Issue-specific policy • must be revisited and modified periodically in response to the current environment • addresses such elements as contingency planning, risk assessment methodology, and implementation of laws

  35. System-specific policies • Configuration of systems: business rules that ensure compliance with policy, such as permission sets or access control measures • System-specific terms and conditions: use of email systems, mailing list policies, or web-use policies

  36. Security Policy: common elements • designate authority • conduct risk assessments • establish security plans • conduct education and awareness training • communicate • review and evaluate

  37. Policy must be known and understood to be effective • websites • handbooks • procedures • meetings

  38. National Institute of Standards and Technology • NIST SP 800-35, Guide to Information Technology Security Services • http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf

  39. IT Security Program • a set of security controls grouped under the terms management, operational, and technical

  40. May need multiple security programs to address different business sectors • a broad, institutional view, or • sectoral views: healthcare services, financial services

  41. Information Security Program • guided by institutional policy • provides supporting guidelines, standards, and procedures • offers clarity • converts policy into reality

  42. Information Security Program • risk assessment • classification of assets • determination of the level of security appropriate to protect operations and assets

  43. Information Security Program • identifies security controls and techniques • incorporates capital planning to ensure future security needs are met • defines metrics to assess the adequacy of current controls, policies and procedures, and to justify security control investments

  44. Security Plans • separate security plans for the individual systems supporting operations and assets • security incident response • processes for sharing information regarding vulnerabilities

  45. Risk Assessment • "information" is an asset • a broad campus issue • information is no longer controlled by the central campus • must identify where information is held on the campus

  46. Risk Assessment • must undergo a culture change to achieve better levels of protection • failures often lie at the interfaces between systems and units, not within any one of them • traditional risk assessment isolates a problem within a single, traditional view

  47. More than 85% of respondents experienced one or more of the following IT incidents in the past 12 months • major system disruption due to a virus • denial of service attack • altered or vandalized website • unauthorized access to sensitive institutional data • threats or abusive behavior via email or other digital communication • Source: Chronicle of Higher Education/Gartner survey of selected subscribers, December 2003

  48. Sarbanes-Oxley • applies to companies registered with the SEC, but raises the bar for corporate accountability generally • established new standards: requires improved internal controls to protect information assets from abuse, loss or fraud • focuses upper management's attention on data safeguards
