Challenges of Recent Legislation and the Need for IT Policy
Jacqueline Craig, University of California, Office of the President
Secure IT 2004, April 28, 2004

- Examine laws
- Policy formulation processes
- Steps to achieve policy compliance

Common Themes
- Transparency
- Review and evaluation to ensure compliance
- Accountability

Information Security Program
- Risk assessment
- Business continuity
- Incident response
- Information security plans
- Education and awareness training
- Audit processes

Family Educational Rights and Privacy Act of 1974 (FERPA)
(known as the Buckley Amendment)
- an early model
- a high bar for the privacy and protection of student records
- a set of principles reflected in subsequent laws

FERPA Principles
- Transparency: open records
- ability to inspect, to know what is happening to one's records
- ability to correct the record
- institutional obligation to maintain a record of disclosure and provide notice
- requirement to secure all records

Sectoral Privacy Law
- Health Insurance Portability and Accountability Act (HIPAA)
- Gramm-Leach-Bliley Act (G-L-B)

HIPAA
- Establishes national standards for electronic health care transactions and national identifiers for providers, health plans, and employers
- Privacy Regulations: effective April 14, 2003
- Security Regulations: compliance due April 21, 2005

G-L-B Objectives
- ensure the security and confidentiality of customer records and information
- protect against any anticipated threats or hazards to the security or integrity of such records
- protect against unauthorized access to or use of such records or information that could result in substantial harm or inconvenience to any customer

California: Social Security Numbers
- SB 25 - Personal Information: Security
- AB 763 - Privacy: Social Security Numbers
- Intent is to prevent identity theft and to protect social security numbers from being stolen electronically or from paper documents
- Effective: January 1, 2004

California legislation prohibits:
- public posting of SSNs
- printing SSNs on access cards
- requiring individuals to transmit an SSN over the unsecured Internet
- requiring use of an SSN to access Internet web sites
- printing an SSN on materials mailed to individuals
- encoding an SSN on a card or document using a bar code, chip, or magnetic strip

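The prohibitions above are only enforceable on a campus if someone can find SSNs before a web page is posted or a mailing goes out. The following scanner is an added example, not part of the original presentation or of any University of California tool: it looks for 3-2-4 digit patterns, discards values the Social Security Administration has never issued (area 000, 666 or 900-999, group 00, serial 0000), and reports findings masked to the last four digits so the report is not itself a new disclosure. The sample mail-merge export is constructed for the example, and the regular-expression approach is an assumption about how such a pre-publication check would be built.

```python
import re
from typing import Iterable, List, Tuple

# Candidate pattern: 3-2-4 digits with one consistent separator (dash, space, or none).
# The (?<!\d) / (?!\d) guards stop matches inside longer digit runs (account numbers).
_SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the Social Security Administration has never issued:
    area 000, 666 or 900-999; group 00; serial 0000.  Since the 2011 switch to
    randomized assignment no finer-grained area/group check is reliable."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(ssn: str) -> str:
    """Keep only the last four digits so the scan report is not itself a disclosure."""
    return "***-**-" + ssn[-4:]


def find_ssns(text: str, require_separator: bool = True) -> List[Tuple[int, str]]:
    """Return (offset, masked_value) for each plausible SSN in text.  Unseparated
    nine-digit runs are ambiguous (student and account IDs look the same), so they
    are only reported when require_separator is False."""
    hits = []
    for m in _SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if require_separator and not sep:
            continue
        if is_plausible_ssn(area, group, serial):
            hits.append((m.start(), mask(area + group + serial)))
    return hits


def scan_lines(lines: Iterable[str], require_separator: bool = True) -> List[Tuple[int, str]]:
    """Scan lines (a file, a mail-merge export, a page source) and return
    1-indexed (line_number, masked_value) findings for human review."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for _offset, masked in find_ssns(line, require_separator):
            findings.append((lineno, masked))
    return findings


# Constructed sample: a fake mail-merge export with made-up values, not real data.
SAMPLE_EXPORT = """name,id,phone,notes
Ada Lovelace,123-45-6789,555-123-4567,enrolled
Alan Turing,000-12-3456,555-987-6543,area 000 is never issued
Grace Hopper,567654321,555-222-3333,nine digits with no separator
Edsger Dijkstra,666-01-0001,555-444-5555,area 666 is never issued
"""

if __name__ == "__main__":
    for lineno, masked in scan_lines(SAMPLE_EXPORT.splitlines()):
        print(f"line {lineno}: possible SSN {masked}")
```

A hit is a candidate for review, not proof: the structural rules cannot distinguish a real SSN from a nine-digit value that merely looks like one, and phone numbers in 3-3-4 form are excluded only because their third group is too long. Run with require_separator=False when scanning exports whose ID column may carry raw nine-digit SSNs, and expect more false positives in that mode.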
Identity Theft: Security Breach Notification
- California Civil Code section 1798.29 (SB 1386), effective July 1, 2003 (section 1798.29 covers state agencies; the parallel section 1798.82 covers businesses)
- Requires notification to any California resident whose unencrypted personal information is reasonably believed to have been acquired by an unauthorized person as a result of a security breach

Intellectual Property Laws: DMCA and the TEACH Act

DMCA
- Do we monitor our networks to identify illegal file sharing?
- How does that practice comport with your network management practice?

TEACH Act
Requires institutions to apply technological protection measures that reasonably prevent:
- retention of transmitted works for longer than necessary (the statute's measure is the class session)
- downstream copying or dissemination to others

USA PATRIOT Act (2001)
Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act
- amends or affects more than 15 existing statutes
- enhances the government's ability to engage in surveillance activities

USA PATRIOT Act
- Establishes a lower threshold for obtaining records than FERPA requires
- Reduces the requirements for requests for information (subpoenas, search warrants, pen register/trap-and-trace or wiretap orders)
- Accelerates and expands the foreign student visa monitoring program (SEVIS)

USA PATRIOT Act: institutional response
- be sure you have a protocol for any "information" request
- establish a single point of entry for all information or surveillance requests
- maintain a confidential log of these requests
- establish procedures for handling requests
- establish emergency and computer trespasser procedures
- involve legal counsel whenever requests are received

Common Themes
- Establish policy and procedures
- Identify roles and assign responsibility
- Conduct education and awareness programs

Risk Assessment
- Conduct classification of data/records
- Identify vulnerabilities and threats

Workforce Issues
- Education and training
- Background checks
- Identify individuals authorized to access data
- Establish access controls relative to need to know
- Establish procedures for noncompliance

Implement Risk Controls
- Physical security
- Technical (logical) security
- Evaluate: test and monitor controls

Business Continuity Planning
- recovery
- backup
- working in emergency mode
- testing plans and procedures

Outsourcing
- Select and retain capable vendors
- Update or create contracts containing safeguard requirements

Why common themes?
International Information Security Standard: ISO/IEC 17799

SANS Institute
See Sheldon Borkin, "The HIPAA Final Security Standards and ISO/IEC 17799", July 15, 2003, http://www.sans.org/rr/papers/53/1193.pdf
- HIPAA security standards contain some requirements not covered by ISO 17799
- ISO 17799 has some controls not required by HIPAA

Creating Policy
- must take into account the culture of your organization
- must engage the entire campus community

Look to your local governance structure
- defines the principles of the institution
- establishes the "risk appetite" of the institution

Institutional Governance Structure
- defines the academic and business values of the institution
- establishes priorities and allocation of resources

Institutional Governance Structure
- Is IT at the table?
- Is IT a partner in the institutional decisions?

Policy
- a broad statement
- describes "what" and "why"

"How" includes:
- Standards and Guidelines: specify the technologies and methodologies to be used to secure systems
- Procedures: detailed steps to accomplish particular security-related tasks

Flavors of policy
- Program policy
- Issue-specific policy
- System-specific policy

Flavors of policy: Program policy
High-level policy that determines your IT security program:
- has a longer life-span
- defines scope within the institution and assigns responsibilities
- establishes strategic direction
- may assign resources for implementation

Issue-specific Policy
- must be periodically revisited and modified in response to the current environment
- addresses such elements as contingency planning, risk assessment methodology, and implementation of laws

System-specific Policies
- Configuration of systems: setting business rules to ensure compliance with policy, such as permission sets or access control measures
- System-specific terms and conditions: use of email systems, mailing list policies, or web-use policies

Security Policy: common elements
- designate authority
- conduct risk assessments
- establish security plans
- conduct education/awareness training
- communicate
- review and evaluate

Policy must be known and understood to be effective
- websites
- handbooks
- procedures
- meetings

National Institute of Standards and Technology
Guide to Information Technology Security Services (NIST SP 800-35)
http://csrc.nist.gov/publications/nistpubs/800-35/NIST-SP800-35.pdf

IT Security Program
A set of security controls grouped under the terms:
- management
- operational
- technical

May need multiple security programs to address different business sectors
- Broad: institutional view, or
- Sectoral views: healthcare services, financial services

Information Security Program
- guided by institutional policy
- provides supporting guidelines, standards, and procedures
- offers clarity
- converts policy to reality

Information Security Program
- risk assessment
- classification of assets
- determination of the level of security appropriate to protect operations and assets

Information Security Program
- identifies security controls and techniques
- incorporates capital planning to ensure future security needs are met
- defines metrics that effectively assess the adequacy of current controls, policies, and procedures, and that justify security control investments

Security Plans
- separate security plans for individual systems supporting operations and assets
- security incident response
- processes for sharing information regarding vulnerabilities

Risk Assessment
- "information" is an asset
- a broad campus issue
- information is no longer controlled by the central campus
- must identify where information is held on the campus

Risk Assessment
- must undergo a culture change to achieve better levels of protection
- failures often lie at the interfaces between systems and units
- traditional risk assessment isolates a problem within a single unit's view

More than 85% of respondents have experienced one or more of the following IT incidents in the past 12 months:
- Major system disruption due to virus
- Denial of service attack
- Altered/vandalized website
- Unauthorized access to sensitive institutional data
- Threats or abusive behavior via email or other digital communication
Source: Chronicle of Higher Education/Gartner survey of selected subscribers, December 2003

Sarbanes-Oxley
- Applicable to companies registered with the SEC, but raises the bar for corporate accountability generally
- Established new standards: requires improved internal controls to protect information assets from abuse, loss, or fraud
- Focuses upper management's attention on data safeguards