Divya Kothari
IMT 553 - Assignment 1
SECURITY COMPLIANCE MODELS: CHECKLISTS VERSUS RISK
INTRODUCTION
Technology is pacing forward at a speed that forces everything else to play catch-up, especially law and regulations. This has resulted in highly convoluted threat landscapes. The government, industry regulators, small and large businesses and individuals are almost on the same page (if you forget the NSA for a moment) when it comes to protection of privacy and security for all stakeholders of a society. This has led to numerous compliance regimes in the hope of getting better sleep at night. This paper highlights three such compliance standards: 1) the Payment Card Industry Data Security Standard (“PCI”), 2) the Gramm–Leach–Bliley Act[1] (“GLBA”) and 3) the Health Insurance Portability and Accountability Act, 1996 (“HIPAA”), categorizing them into different kinds of models and discussing their applicability and the intent behind each.
CATEGORIZATION: CHECKLIST, RISK MANAGEMENT FRAMEWORK OR BOTH?
1) PCI DSS
PCI, an industry-standard checklist, came into existence in 2004 when five major financial institutions decided to align their schemes[2] to raise the level of protection for card issuers and increase safeguards for card users by making sure that all entities comply with a certain baseline of security controls. Compliance with this ‘one size fits all’ approach is thus mandated by the industry regulators. For cut-and-dried issues such as firewalls, vulnerability patches, encryption, etc., no exceptions are made for different environments. Thus questions such as:
(i) Your company is employing new workers with remote access to a system which processes card payments; is their identity authenticated?
(ii) New patches have been released for the latest vulnerabilities; have you updated to the latest patch?
(iii) Is the outsourced vendor following secure practices?[3]
presented in the form of a checklist, make compliance easy for organizations without a dedicated security team and with a limited budget, as this ‘security checklist’ provides much leeway when it comes to self-regulation and ease of audit, with appropriate guidance at each step.[4]
As Bob Russo, General Manager of the PCI Council, puts it:
“PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."”
It may be noted that since PCI is an industry standard, it is not compulsory by law to adopt it. However, if an organization chooses to do so, it must comply with all of its requirements.
2) GLBA
Protecting the privacy of consumers’ personally identifiable financial information held by "financial institutions" is at the heart of the financial privacy provisions of this Act. It requires companies to give consumers privacy notices explaining the institutions' information-sharing practices. In turn, consumers have the right to limit some (not all) sharing of their information.[5] GLBA aims to achieve its underlying principles of security and compliance by laying down a risk-based approach. This approach allows the ‘financial institutions’ (as defined by the Act) a certain autonomy in how they conduct various internal processes, for instance prioritization of assets, identification of risks, etc., to achieve an end result. For instance, the Safeguards Rule in the Act[6] stipulates the development of a written security plan and subsequently conducting a thorough risk analysis so as to evolve/build the safeguards needed to comply with GLBA.[7] While a checklist, as seen above, provides a baseline of controls, a risk-based model can be adopted for a more comprehensive risk mitigation/avoidance/transference strategy, e.g. by establishing an internal team for such an assessment or having a third-party audit. This helps an organization customize the framework according to its unique needs and resources.
GLBA, being a federal statute, applies compulsorily whether or not a financial institution discloses nonpublic information. Furthermore, the Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities.[8]
[1] Also known as the Financial Services Modernization Act, 1999.
[2] Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express' Data Security Operating Policy, Discover's Information Security and Compliance, and JCB's Data Security Program.
[3] Herbig J. 2011, “Security as a Checklist? Think Again”, PCI Compliance Guide website. Retrieved from: https://www.pcicomplianceguide.org/security-as-a-checklist-think-again/
[4] Refer to Appendix 1 for an illustration.
3) HIPAA
Initially an industry-based standard, HIPAA was enacted into law in 1996. In brief, it aims to protect ‘patient health information’ (“PHI”) by putting safeguards in place, limiting use, sharing and access to the ‘minimum necessary’, requiring appropriate agreements with related parties that use/disclose sensitive information, and implementing sufficient training programs. The way HIPAA is structured is a hybrid of a checklist and a risk-based model. “Essentially, a ‘covered entity’ (as defined by the act) is given a broad power to disclose protected PHI. However from then on, the limitations on disclosure begin to stack up. With the exception of disclosures for treatment activities, most other disclosures are subject to the “minimum necessary” limitation embodied in HIPAA – the protected health information disclosed should be the minimum necessary to accomplish the purpose of the disclosure.”[9]
As Michael Whaley (2015) puts it:
“Regulators chose a hybrid framework for HIPAA because healthcare data transverses a broad spectrum of health care providers, insurance companies, law firms, and clearinghouses.”[10]
APPLICATION OF FRAMEWORK
PCI:
PCI applies to all entities, irrespective of size, that store, process and transmit cardholder data.[11] Thus everything from the smallest physical point-of-sale interaction for any of the above-stated five credit/debit card brands to the biggest online retailer is subject to PCI.
For the purposes of this paper, let us take the example of Braintree (Level 1 PCI DSS compliant).[13] Now acquired by PayPal, but still run independently, Braintree[14] provides payment processing options across a plethora of devices and on a global scale for thousands of online and mobile companies including Uber, Airbnb, Fab, etc.,[15] which indirectly means that it has access to a lot of cardholder data. On the other hand, an entity like Thai Tom, a Thai restaurant in Seattle that only accepts cash and does not take online orders, does not need to be PCI compliant.
GLBA:
This law applies to financial institutions such as banks, securities firms, insurance companies, etc. that sell financial products and services to consumers. They are required to ensure the security and confidentiality of consumer financial information against “reasonably foreseeable” internal or external threats.[12]
The banking industry, by virtue of being an information-intensive sector, comes under the purview of GLBA. Despite its primary intention to integrate a variety of financial services offered by one institution, the Act also attempts to upgrade and modernize the financial industry. With the end user being constantly apprehensive of ‘Big Brother’ issues, this Act draws a distinction between affiliated and non-affiliated third parties in terms of customer financial information disclosure, requiring the consumer’s consent to such disclosure in the case of the latter. Thus, apart from functional regulation, the Act aims to protect confidential information via its ‘Financial Privacy Rule’, ‘Safeguards Rule’ and ‘Pretexting Protection’.
HIPAA:
An individual or organization that falls under the definition of ‘covered entity’ under HIPAA must comply with the necessary rules (for Privacy, Security, Enforcement and Breach Notification). This includes health care providers, health plan providers and clearinghouses. Additionally, if any of these engages a ‘business associate’ to help carry out its functions, the latter shall also have to comply with HIPAA.
One such ‘business associate’ is Maximus. “For 40 years, MAXIMUS has partnered with federal, state and local governments to make public health insurance programs run effectively for the individuals and families they serve.”[16] For all its projects pertaining to healthcare, Maximus has written contracts with the party at the other end, which is a covered entity, establishing specifically what is contracted to be performed and committing to comply with the Rules mandated to protect PHI. In addition to the contractual obligations, Maximus is directly liable for certain provisions of the HIPAA rules.
[5] Federal Trade Commission, “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act”. Retrieved from: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act
[6] Refer to Appendix 3.
[7] Miller M. 2014, “Compliance versus Risk: A look at checklist versus risk based models”. Retrieved from: https://accelerite.com/blog/entry/compliance-versus-risk-a-look-at-checklist-versus-risk-based-models
[8] Federal Trade Commission, “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act”. Retrieved from: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act
[9] Anderson S. 2013, “Does HIPAA apply to employers”, Lexis Nexis. Retrieved from: https://www.lexisnexis.com/legalnewsroom/labor-employment/b/labor-employment-top-blogs/archive/2013/10/03/does-hipaa-apply-to-employers.aspx?Redirected=true
[10] Whaley M. 2015, “PCI Checklists versus HIPAA Risk Management Framework”. Retrieved from: https://www.linkedin.com/pulse/pci-checklists-versus-hipaa-risk-management-framework-michael-whaley
INTENT BEHIND ADOPTION OF FRAMEWORKS
PCI gives organizations of different scale the opportunity to cookie-cut their relations and accordingly meet the compliance needs of their clients. Resorting to PCI also gives the company/institution a stamp of approval, which is a good strategy to build and maintain their customer share. A company like Braintree, by advertising its compliance with PCI, shows that it has secure controls in place, which, though they do not guarantee complete protection, still give it a competitive edge by winning consumer trust.
Being compliant with GLBA is synonymous with a pre-emptive and adaptive risk management approach. It also gives the banking industry a substantial degree of freedom in the ‘hows’ of implementing systemic and people processes within a risk model. GLBA as a risk management framework is often viewed as a less expensive and more efficient guide to navigating company affairs.
An entity’s risk tolerance changes over time, and eventually compliance becomes just one factor in the entire risk profile. In such cases a hybrid model often stands out. Thus, in our example, the hybrid approach allows Maximus to follow a checklist for certain provisions of the Act only when it acts in the capacity of a business associate under HIPAA.
[11] PCI DSS Applicability Information, page 7. Retrieved from: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[12] AirMagnet GLBA Compliance Report. Retrieved from: http://airmagnet.flukenetworks.com/assets/reports/Reports_GLBA_Report.pdf
[13] Refer to Appendix 2.
[14] Braintree website: https://www.braintreepayments.com/
[15] VB|Profiles catalog website: https://www.vbprofiles.com/companies/521983e1843bac676e0003a2
[16] Maximus website: http://www.maximus.com/health
APPENDIX 1
APPENDIX 2[17]
[17] Braintree’s website: https://www.braintreepayments.com/developers/security