
Security Compliance Models- Checklist v. Framework


Divya Kothari

IMT 553 - Assignment 1

SECURITY COMPLIANCE MODELS: CHECKLISTS VERSUS RISK

INTRODUCTION

Technology is pacing forward at a speed that is forcing everything else to play catch-up, especially law and regulation. This has resulted in highly convoluted threat landscapes. The government, industry regulators, small and large businesses, and individuals are almost on the same page (if you forget the NSA for a moment) when it comes to the protection of privacy and security for all stakeholders of a society. This has led to numerous compliance regimes, adopted in the hope of getting better sleep at night. This paper highlights three such compliance standards: 1) the Payment Card Industry Data Security Standard (“PCI”), 2) the Gramm–Leach–Bliley Act[1] (“GLBA”) and 3) the Health Insurance Portability and Accountability Act, 1996 (“HIPAA”), categorizing them into different kinds of models and discussing their applicability and the intent behind each.

CATEGORIZATION: CHECKLIST, RISK MANAGEMENT FRAMEWORK OR BOTH?

1) PCI DSS

PCI, an industry-standard checklist, came into existence in 2004 when five major financial institutions decided to align their schemes[2] to raise the level of protection for card issuers and increase safeguards for card users by making sure that all entities comply with a certain baseline of security controls. Compliance with this ‘one size fits all’ approach is thus mandated by the industry regulators. For cut-and-dried issues such as firewalls, vulnerability patches, encryption, etc., no exceptions can be made for different environments. Questions such as (i) your company is employing new workers with remote access to a system which processes card payments; is their identity authenticated? (ii) new patches have been released for the latest vulnerabilities; have you updated to the latest patch? (iii) is the outsourced vendor following secure practices?[3], posed in the form of a checklist, make it easy for organizations without a dedicated security team and with a limited budget, as this ‘security checklist’ provides much leeway when it comes to self-regulation and ease of audit, with appropriate guidance at each step.[4]

As Bob Russo, General Manager of the PCI Council puts it:

“PCI is a structured "blend...[of] specificity and high-level concepts" that allows "stakeholders the opportunity and flexibility to work with Qualified Security Assessors (QSAs) to determine appropriate security controls within their environment that meet the intent of the PCI standards."

It may be noted that since PCI is an industry standard, it is not compulsory by law to adopt it. However, if an organization chooses to do so, it must comply with all its requirements.

[1] Also known as the Financial Services Modernization Act, 1999.
[2] Visa's Cardholder Information Security Program, MasterCard's Site Data Protection, American Express' Data Security Operating Policy, Discover's Information Security and Compliance, and JCB's Data Security Program.
[3] Herbig, J. (2011). “Security as a Checklist? Think Again”. PCI Compliance Guide website. Retrieved from: https://www.pcicomplianceguide.org/security-as-a-checklist-think-again/
[4] Refer to Appendix 1 for an illustration.

2) GLBA

Protecting the privacy of consumers’ personally identifiable financial information held by "financial institutions" is at the heart of the financial privacy provisions of this Act. It requires companies to give consumers privacy notices explaining the institutions' information-sharing practices. In turn, consumers have the right to limit some (not all) sharing of their information.[5] GLBA aims to achieve its underlying principles of security and compliance by laying down a risk-based approach. This approach allows the ‘financial institutions’ (as defined by the Act) a certain autonomy in how to conduct various internal processes, for instance prioritization of assets, identification of risks, etc., to achieve an end result. For instance, the Safeguards Rule clause in the Act[6] stipulates the development of a written security plan and subsequently conducting a thorough risk analysis so as to evolve/build the safeguards needed to comply with GLBA.[7] While a checklist, as seen above, provides for a baseline of controls, for a more comprehensive risk mitigation/avoidance/transference strategy a risk-based model can be adopted, e.g. by establishing an internal team for such an assessment or having a third-party audit. This helps an organization to customize the framework according to its unique needs and resources.

GLBA, being a federal statute, is compulsorily applicable to a financial institution whether it discloses nonpublic information or not. Furthermore, the Federal Trade Commission has authority to enforce the law with respect to "financial institutions" that are not covered by the federal banking agencies, the Securities and Exchange Commission, the Commodity Futures Trading Commission, and state insurance authorities.[8]

3) HIPAA

Initially an industry-based standard, HIPAA was enacted into law in 1996. In brief, it aims to protect ‘patient health information’ (“PHI”) by putting safeguards in place, limiting use, sharing and access to the ‘minimum necessary’, having appropriate agreements with related parties that use/disclose sensitive information, and implementing sufficient training programs. The way HIPAA is structured is a hybrid of a checklist and a risk-based model. “Essentially, a ‘covered entity’ (as defined by the act) is given a broad power to disclose protected PHI. However from then on, the limitations on disclosure begin to stack up. With the exception of disclosures for treatment activities, most other disclosures are subject to the “minimum necessary” limitation embodied in HIPAA – the protected health information disclosed should be the minimum necessary to accomplish the purpose of the disclosure.”[9]

As Michael Whaley (2015) puts it:

“Regulators chose a hybrid framework for HIPAA because healthcare data transverses a broad spectrum of health care providers, insurance companies, law firms, and clearinghouses.”[10]

[5] Federal Trade Commission, “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act”. Retrieved from: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act
[6] Refer to Appendix 3.
[7] Miller, M. (2014). “Compliance versus Risk: A look at checklist versus risk based models”. Retrieved from: https://accelerite.com/blog/entry/compliance-versus-risk-a-look-at-checklist-versus-risk-based-models
[8] Federal Trade Commission, “In Brief: The Financial Privacy Requirements of the Gramm-Leach-Bliley Act”. Retrieved from: https://www.ftc.gov/tips-advice/business-center/guidance/brief-financial-privacy-requirements-gramm-leach-bliley-act
[9] Anderson, S. (2013). “Does HIPAA apply to employers”. Lexis Nexis. Retrieved from: https://www.lexisnexis.com/legalnewsroom/labor-employment/b/labor-employment-top-blogs/archive/2013/10/03/does-hipaa-apply-to-employers.aspx?Redirected=true
[10] Whaley, M. (2015). “PCI Checklists versus HIPAA Risk Management Framework”. Retrieved from: https://www.linkedin.com/pulse/pci-checklists-versus-hipaa-risk-management-framework-michael-whaley

APPLICATION OF FRAMEWORK

PCI

PCI applies to all entities, irrespective of size, that store, process and transmit cardholder data.[11] Thus everything from the smallest physical point-of-sale interaction for any of the above-stated five credit/debit card brands to the biggest online retailer is subject to PCI.

For the purposes of our paper, let us take the example of Braintree (Level 1 PCI DSS compliant).[13] Now acquired by PayPal, but still run independently, Braintree[14] provides payment processing options across a plethora of devices and on a global scale for thousands of online and mobile companies including Uber, Airbnb, Fab, etc.,[15] which indirectly means that it has access to a lot of cardholder data. On the other hand, an entity like Thai Tom, a Thai restaurant in Seattle that only accepts cash and does not take online orders, does not need to be PCI compliant.

GLBA

This law applies to financial institutions such as banks, security firms, insurance companies, etc. that sell financial products and services to consumers. They are required to ensure the security and confidentiality of consumer financial information against “reasonably foreseeable” internal or external threats.[12]

The banking industry, by virtue of being an information-intensive sector, comes under the purview of GLBA. Despite its primary intention to integrate a variety of financial services offered by one institution, the Act also attempts to upgrade and modernize the financial industry. With the end user being constantly apprehensive of ‘Big Brother’ issues, this Act marks a distinction between affiliated and non-affiliated third parties in terms of customer financial information disclosure, and requires the consumer’s consent to such disclosure with the latter. Thus, apart from functional regulation, the Act aims to protect confidential information via its ‘Financial Privacy Rule’, ‘Safeguards Rule’ and ‘Pretexting Protection’.

HIPAA

An individual or organization that falls under the definition of ‘covered entity’ under HIPAA must comply with the necessary rules (for Privacy, Security, Enforcement and Breach Notification). This includes health care providers, health plan providers and clearing houses. Additionally, if any of these engages a ‘business associate’ to help carry out its functions, the latter shall also have to comply with HIPAA.

One such ‘business associate’ is Maximus. “For 40 years, MAXIMUS has partnered with federal, state and local governments to make public health insurance programs run effectively for the individuals and families they serve.”[16] For all its projects pertaining to healthcare, Maximus has written contracts with the party at the other end, which is a covered entity, establishing specifically what is contracted to be performed and committing to comply with the Rules mandated to protect PHI. In addition to the contractual obligations, Maximus is directly liable for certain provisions of the HIPAA rules.

INTENT BEHIND ADOPTION OF FRAMEWORKS

PCI gives organizations of different scale the opportunity to cookie-cut their relations and accordingly meet the compliance needs of their clients. Resorting to PCI also gives the company/institution a stamp of approval, which is a good strategy to build and maintain customer share. A company like Braintree, by advertising its compliance with PCI, shows that it has secure controls in place, which, though they do not guarantee complete protection, still help give it a competitive edge by bagging votes of consumer trust.

Being compliant with GLBA is synonymous with a pre-emptive and adaptive risk management approach. It also provides the banking industry a substantial degree of freedom in the ‘hows’ of implementing systemic and people processes within a risk model. GLBA as a risk management framework is often viewed as a less expensive and more efficient guide to navigating company affairs.

An entity’s risk tolerance changes over time, and eventually compliance becomes just one factor in the entire risk profile. In such cases a hybrid model often stands out. Thus, in our example, the hybrid approach allows Maximus to follow a checklist for certain provisions of the Act only when it acts in the capacity of a business associate as per HIPAA.

[11] PCI DSS Applicability Information, page 7. Retrieved from: https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
[12] AirMagnet GLBA Compliance Report. Retrieved from: http://airmagnet.flukenetworks.com/assets/reports/Reports_GLBA_Report.pdf
[13] Refer to Appendix 2.
[14] Braintree website: https://www.braintreepayments.com/
[15] VB|Profiles catalog website: https://www.vbprofiles.com/companies/521983e1843bac676e0003a2
[16] Maximus website: http://www.maximus.com/health

APPENDIX 1

APPENDIX 2[17]

[17] Braintree’s website: https://www.braintreepayments.com/developers/security

APPENDIX 3