
TEL382

Greene Chapter 12

Oct 20, 2009 2

Outline

• What is the Gramm-Leach-Bliley Act?

• Involving the Board

• Assessing Risk

• Managing Risk

• Adjusting the Program, Reporting to the Board, and Implementing the Standards

• What’s Different About the FTC Safeguards Act?

• Identity Theft and Regulatory Compliance


What is the Gramm-Leach-Bliley Act?

• Financial Modernization Act of 1999 - Security Regulations For Financial Sector

• Signed Nov 11, 1999 – allowed banks to engage in wide array of financial services

• Ended regulations prohibiting merger of banks, stock brokers, insurance companies

• Title 5 specifically addresses privacy and security of customer financial information

• Section 501(b) requires all financial institutions to implement and maintain safeguards to protect customer information (Nonpublic Personal Information – NPI)


GLBA

• Automobile Dealers

• Check-Cashing

• Consumer Reporting

• Courier Services

• Credit Card

• Credit Counselors

• Data Processors

• Debt Collectors

• Educational Institutions

• Financial Planners

• Insurance Companies

• Mortgage Brokers

• Property Appraisers

• Real Estate

• Retail Stores That Use CC

• Securities Firms


GLBA

• February 1, 2001 - 12 CFR, Part 30, et al. Interagency Guidelines Establishing Standards for Safeguarding Customer Information; Final Rule (effective July 1, 2001)

– Comprehensive written information security program including administrative, technical, and physical safeguards

• May 23, 2003 – FTC 16 CFR Part 314 Standards for Safeguarding Customer Information; Final Rule (effective May 23, 2003)


GLBA Information Security Program

• Ensuring Confidentiality of Customer Information

• Protecting Integrity of Information Against Threats

• Making information Available to customers and management in an accurate and timely manner

• Protecting Against Unauthorized Access

• Protecting Against Loss

• Establishing Procedures for Safeguarding of Assets


Involving the Board

• Interagency Guidelines require that the Board of Directors oversee the development, implementation and maintenance of the written information security program and approve it

• Financial institutions that fail to comply face civil penalties of $100K per violation and Officers/Directors can be personally liable with penalties of $10K per violation


Assessing Risk

• Risk Management program is a critical component

• Interagency Guidelines:

– Identify foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information

– Assess likelihood and potential damage of these threats, taking into consideration the sensitivity of customer information

– Assess sufficiency of policies, procedures, customer information systems, and other arrangements in place to control risks

• Information and Information Systems Inventory

• Identifying and Assessing Threats

• Mitigating Controls

– Classify System Criticality

– Classify Threats

– Sort by Criticality/Threat

– Identify Mitigating Control (Safeguard)
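The four steps under Mitigating Controls (classify system criticality, classify threats, sort by criticality/threat, identify a safeguard) can be worked through as a small risk register. The following is an added example written for this page, not code from the Greene text or from any regulator; the ordinal scales, the doubling for systems that hold NPI, the system inventory and the threat catalogue are all constructed assumptions that an institution would replace with its own.

```python
"""Added example: a minimal GLBA-style risk register that classifies systems and
threats, scores each pair, sorts by score and records the mitigating control."""
from dataclasses import dataclass

# Ordinal scales are an assumption of this example; an institution picks its own.
CRITICALITY = {"low": 1, "medium": 2, "high": 3}
LIKELIHOOD = {"rare": 1, "possible": 2, "likely": 3}
IMPACT = {"minor": 1, "moderate": 2, "severe": 3}


@dataclass
class System:
    name: str
    holds_npi: bool       # does it store or process nonpublic personal information?
    criticality: str      # "low" / "medium" / "high"


@dataclass
class Threat:
    name: str
    likelihood: str
    impact: str
    control: str          # mitigating safeguard chosen for this threat


def threat_score(t):
    """Classify the threat: likelihood x potential damage."""
    return LIKELIHOOD[t.likelihood] * IMPACT[t.impact]


def risk_score(system, threat):
    """Weight the threat by system criticality and by information sensitivity
    (the guidelines call for taking sensitivity into account)."""
    sensitivity = 2 if system.holds_npi else 1   # assumed weighting
    return CRITICALITY[system.criticality] * threat_score(threat) * sensitivity


def build_register(systems, threats):
    """One row per (system, threat), sorted highest risk first."""
    rows = []
    for s in systems:
        for t in threats:
            rows.append({"system": s.name, "threat": t.name,
                         "score": risk_score(s, t), "control": t.control})
    rows.sort(key=lambda r: (-r["score"], r["system"], r["threat"]))
    return rows


# Constructed inventory and threat catalogue for demonstration only.
SYSTEMS = [
    System("core-banking-db", True, "high"),
    System("marketing-web", False, "low"),
    System("loan-origination", True, "medium"),
]
THREATS = [
    Threat("unauthorized access", "likely", "severe", "access controls + MFA"),
    Threat("media loss", "possible", "moderate", "encryption at rest"),
    Threat("environmental failure", "rare", "severe", "backups + offsite storage"),
]

if __name__ == "__main__":
    for r in build_register(SYSTEMS, THREATS):
        print(f"{r['score']:>3}  {r['system']:<18} {r['threat']:<22} -> {r['control']}")
```

The sorted output is the "sort by criticality/threat" step: the rows at the top (the NPI-holding core database against unauthorized access) are the ones whose mitigating controls the board report would need to address first.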


Managing Risk

• Control Identified Risks According to Sensitivity of Information and Activity Complexity

– Access Controls on Customer Information Systems

– Access Restrictions at Physical Locations Containing Customer Information

– Encryption of Electronic Customer Information

– System Modification Procedures

– Dual Control, Segregation of Duties, Employee Background Checks

– Monitoring Systems and Attack Detection Procedures

– Response Systems including Reports to Regulatory and Law Enforcement

– Measures to Protect Against Destruction, Loss, or Damage Due to Environmental Hazards or Technological Failures


Adjusting the Program, Reporting to the Board, and Implementing the Standards

• Must Monitor, Evaluate and Adjust Effectiveness of Security Program

• Report to Board of Directors At Least Annually

– Risk Assessment, Risk Management and Control, Service Provider Arrangements, Test Results, Security Breaches or Violations and Management Responses, Recommendations for Change


What’s Different About the FTC Safeguards Act?

• Applies to Individuals or Organizations in Providing Financial Products or Services

• Not As Comprehensive as Interagency Guidelines

• Organizations Subject to Safeguards are not audited for compliance unless complaint filed

• Objectives:

– Ensure security and confidentiality of customer records

– Protect Against Threats or Hazards

– Protect Against Unauthorized Access or Use


FTC Safeguards Act Elements

• Designate Employee(s) to Coordinate Information Security Program

• Identify Risks to CIA of Customer Information

– Employee Training and Management

– Information Systems

– Detecting, Preventing and Responding to Attacks, Intrusions or Other System Failures

• Design and Implement Information Safeguards, Test and Monitor Effectiveness

• Oversee Service Providers

• Evaluate and Adjust as a Result of Testing and Monitoring or Changes to Business


Identity Theft and Regulatory Compliance

• 2005 Supplement A – Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice

• Additional Security Controls:

– Access Controls, Background Checks, Response Programs

• Response Program:

– Assess Incident and What Has Been Compromised, Notify Federal Regulator, Notify Law Enforcement, Contain and Control Incident, Notify Customers

• Notification

TEL382

Greene Chapter 13


Outline

• HIPAA

• Understanding the Security Rule

• Administrative Safeguards

• Physical Safeguards

• Technical Safeguards

• Organization Safeguards

• Policies and Procedures


HIPAA

• Health Insurance Portability and Accountability Act of 1996

• Simplify and Standardize Healthcare Administration

– Enable Better Access to Health Insurance, Reduce Fraud and Abuse, Lower Overall Cost of Healthcare

• Title II Addresses How Healthcare Transactions Are Processed and Stored

• HHS Published 5 Rules:

– Code Set, Transaction Identifiers, Electronic Data Interchange, Privacy, Security

• August 20, 2003 Security Rule Published


Understanding the Security Rule

• Focus on Safeguarding Electronic Protected Health Information (ePHI)

– Individually Identifiable Health Information (IIHI)

– Stored, Processed, or Transmitted Digitally or Electronically

• Main Goal is to Protect CIA

• Entities not Complying Subject to Civil Penalties ($100 per Violation) and Criminal Penalties ($50K in fines plus 1 Year to $250K plus 10 Years)

• Five Categories:

– Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, Documentation Requirements


Administrative Safeguards

• Formal Management Process

– Risk Analysis, Risk Management Program, Development and Implementation of Sanction Policy, Development of Information System Activity Review

• Designation of Security Officer

• Workforce Security

– Supervision, Clearance, Termination Procedures

• Information Access Management

• Security Awareness and Training

• Security Incident Procedures

• Contingency Plans

• Evaluation

• Business Associate Contracts and Other Arrangements


Physical Safeguards

• Facility Access Controls

– Facility Security Plan, Access Control and Validation Procedures, Maintenance Records, Contingency Operation

• Workstation Use

• Workstation Security

• Device and Media Controls

– Disposal Policies and Procedures, Reuse Policies and Procedures, Hardware and Media Accountability, Data Backup and Storage Procedures


Technical Safeguards

• Access Control

– Unique User IDs, Emergency Access Procedures, Auto Logoff Procedures, Encryption of Information at Rest

• Audit Control

– Failed Logons, Account Lockouts, Initial Logon Times, Which System Users Normally Logon, Possible Security Log Tampering, Failed Object Access Events, User Account Mods, Software Mods, Attempted Privilege Escalation

• Integrity Control

– Patch Management, AV Software, Antispyware, Internal Port Scanning, File Integrity Checkers, Database Integrity Utilities, Email Filtering, Firewalls and IDS

• Person or Entity Authentication

– Single or Multi-factor

• Transmission Security

– Integrity Controls, Encryption
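The Audit Control items above are the review questions an information system activity review has to answer. As an added example (not code from the Greene text or from HHS), the script below runs those checks over a constructed audit log: the line format, the event codes, the business-hours window and the failed-logon threshold are all assumptions of this example and would be replaced by whatever the covered entity's systems actually emit.

```python
"""Added example: scan constructed audit-log lines for the review items on the
HIPAA Technical Safeguards slide (failed logons, lockouts, off-hours logons,
account modifications, privilege-escalation attempts, log tampering,
failed object access)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample log; field names and event codes are assumptions of this example.
SAMPLE_LOG = """\
2009-10-20T08:02:11 host=ehr01 user=alice event=LOGON_OK
2009-10-20T08:03:40 host=ehr01 user=bob event=LOGON_FAILED
2009-10-20T08:03:52 host=ehr01 user=bob event=LOGON_FAILED
2009-10-20T08:04:05 host=ehr01 user=bob event=LOGON_FAILED
2009-10-20T08:04:20 host=ehr01 user=bob event=LOGON_FAILED
2009-10-20T08:04:31 host=ehr01 user=bob event=ACCOUNT_LOCKED
2009-10-20T02:17:45 host=ehr01 user=alice event=LOGON_OK
2009-10-20T09:15:00 host=ehr01 user=admin event=USER_MODIFIED target=carol
2009-10-20T09:16:10 host=ehr01 user=carol event=PRIV_ESCALATION_DENIED
2009-10-20T09:20:00 host=ehr01 user=carol event=AUDIT_LOG_CLEARED
2009-10-20T10:00:00 host=ehr01 user=dave event=OBJECT_ACCESS_DENIED target=/ehr/records
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse(log_text):
    """Turn each line into a dict of key=value fields plus a parsed timestamp."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue          # skip anything that is not in the expected shape
        ev = dict(kv.split("=", 1) for kv in m.group("fields").split())
        ev["ts"] = datetime.fromisoformat(m.group("ts"))
        events.append(ev)
    return events


# Assumed normal working hours and failed-logon threshold for this example.
WORK_HOURS = range(7, 20)
FAILED_LOGON_THRESHOLD = 3


def review(events):
    """Return (user, finding) tuples; each finding maps to a slide item."""
    findings = []
    failed = Counter()
    for ev in events:
        user, kind = ev.get("user", "?"), ev.get("event", "")
        if kind == "LOGON_FAILED":
            failed[user] += 1
        elif kind == "ACCOUNT_LOCKED":
            findings.append((user, "account lockout"))
        elif kind == "LOGON_OK" and ev["ts"].hour not in WORK_HOURS:
            findings.append((user, "logon outside normal hours"))
        elif kind == "USER_MODIFIED":
            findings.append((user, f"user account modified: {ev.get('target')}"))
        elif kind == "PRIV_ESCALATION_DENIED":
            findings.append((user, "attempted privilege escalation"))
        elif kind == "AUDIT_LOG_CLEARED":
            findings.append((user, "possible security log tampering"))
        elif kind == "OBJECT_ACCESS_DENIED":
            findings.append((user, f"failed object access: {ev.get('target')}"))
    # Repeated failures are reported once per user, after the whole log is read.
    for user, n in failed.items():
        if n >= FAILED_LOGON_THRESHOLD:
            findings.append((user, f"{n} failed logons"))
    return findings


if __name__ == "__main__":
    for user, finding in review(parse(SAMPLE_LOG)):
        print(f"{user:<8} {finding}")
```

The "which system users normally logon" item is only approximated here by a fixed hours window; a production review would compare against a per-user baseline built from earlier logs. The point of keeping each check as a separate branch is that the findings line up one-to-one with the items the Security Rule expects the activity review to cover.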


Organization Safeguards

• Business Associates Contracts

– Must Adequately Protect ePHI, Must Report Incidents, Must Comply or Risk Termination, Provide for Government Entity Exceptions, Cover Other Arrangements for Covered Entities and Business Associates

• Standard Requirements for Group Health Plans


Policies and Procedures

• Policies and Procedures

• Documentation

– Retention, Making Available, Updating

TEL382

Greene Chapter 14


Outline

• Introduction

• E-Government is Becoming a Reality

• FISMA

• NIST

• Protecting the Privacy of Student Records

• It all Started with a Corporate Scandal


Introduction

• GLBA – Banking and Finance

• HIPAA – Health Care

• Federal Information Security Management Act (FISMA)

• Federal Educational Rights and Privacy Act (FERPA)

• Sarbanes-Oxley (SOX)


E-Government is Becoming a Reality

• 2002 E-Government Act (Public Law 107-347) provides better efficiency, effectiveness and responsiveness

• Established Federal Chief Information Officer within OMB

• Title III (Federal Information Security Management Act – FISMA) requires every agency to develop, document, and implement an agency-wide risk-based information security program


FISMA

• Focuses on CIA of information and information systems as well as assurance and accountability

• 3 Federal Agencies have related roles:

– National Institute of Standards and Technology (NIST) to develop technical security standards and guidelines for unclassified federal systems

– Office of Management and Budget (OMB) to develop and oversee implementation of government-wide policies, principles, guidance, and standards

– US House Committee on Government Reform to oversee a variety of subject areas, including issuing the Federal Computer Security Report Card


NIST

• Standards used to categorize all information and information systems for objective of providing appropriate levels of information security according to risk level

• Guidelines recommending types of information and information systems to be included

• Minimal information security requirements for information and information systems in each category


NIST

• Developed resources for FISMA

– Security standards and guidelines

– Program to accredit public and private sector organizations to conduct security certification

– Program to validate commercial off-the-shelf (COTS) and Government off-the-shelf (GOTS) security tools


Protecting the Privacy of Student Records

• Financial Aid/Counseling – GLBA

• Healthcare Services – HIPAA

• Schools receiving Federal Aid subject to FERPA

– Primarily Privacy (“C” of CIA)

– Right to access record kept by school

– Right to demand records be disclosed only with student consent

– Right to amend records

– Right to file complaints against school for disclosure


Protecting the Privacy of Student Records

• 2 Types of Educational Records

– Directory Information may be disclosed without consent (name, address, phone, date/place of birth, honors and awards, dates of attendance)

– Nondirectory Information may not be disclosed (even to parents) without consent (SSN, race, ethnicity, gender, transcripts, grade reports)


It all Started with a Corporate Scandal

• Late 1990s Scandals with WorldCom, Enron, etc.

• Sarbanes-Oxley (SOX) improves transparency and accountability

– Section 404: identify control framework used by management to evaluate effectiveness of internal controls and requires management to attest to effectiveness

– Section 302: requires management to attest to accuracy of quarterly and annual reports, certify that they reflect financial position, note weaknesses in controls exposed by audit and describe how controls are integrated into operations


SOX

• Establish infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse

• Steps:

– Map information systems that process, store, and transmit financial data

– Identify risks

– Design and implement controls

– Document and test applications and controls

– Ensure that controls apply to all systems, services and personnel

– Ensure that controls are updated and changed

– Monitor controls for effective operation


SOX

• Section 404:

– Identify control framework – Collection of controls that covers all internal controls – COSO and CobiT

TEL382

Greene Chapter 15


Outline

• What is a Small Business?

• Why Have a Confidentiality Policy?

• What is Acceptable Behavior?

• Internet Use—Where to Draw the Line

• Keeping Corporate Email Secure

• Reporting and Responding to Incidents

• Managing Passwords

• Protecting Information

• Protecting From Malware

• Securing Remote Access

• Controlling Change

• Data Backup and Recovery


What is a Small Business?

• Independently owned and operated

• Employs < 500 people

• Has < $6.5M in annual revenue

• Depends upon information systems for:

– Financial, Management, Marketing, Production

– Email, Internet, E-commerce

• Cannot afford IT Departments or Information Security Officers

– Should have a Security Policy and follow applicable regulations (HIPAA, GLBA, etc.)


Why Have a Confidentiality Policy?

• Company information belongs to the company

• Obtain injunctive relief in case of a violation

• Confidentiality Agreements:

– Specify types of information that can and cannot be disclosed

– Provide legal remedy in case of disclosure

– Define how information is to be handled and for what length of time

– Explain what happens to information when there is no longer a “need to know”

• Policy Structure:

– Recognition of company’s right to nondisclosure of information

– Acknowledgement of the obligations of confidentiality

– Understanding that all company information must be returned at the termination of employment


What is Acceptable Behavior?

• Generally, policy statements outline unacceptable behavior

• Should contain:

– Ownership, hardware and software, resource misuse, etc.


Internet Use—Where to Draw the Line

• Trade-offs: “Company is tyrannical!!” vs. time waster

• Should contain:

– Monitoring and logging, data transmission (FTP, IM, P2P)


Keeping Corporate Email Secure

• Should contain:

– Business Use only, Clear text (unprotected), misuse of resources (spam, hoaxes, chain letters)


Reporting and Responding to Incidents

• Policy to deal with incidents

• Define framework to clearly identify:

– What needs to be done, By Whom, Who is in charge of the situation

• All users responsible for recognizing unusual or suspicious activity

– Network slowdown, Bouncing emails, Unexpected repair person, Papers on desk rearranged, New program on computer

• Key Questions:

– Who should be notified, How will severity be determined, What should happen when incident occurs

• Plan Requirements:

– List of Potential Incidents, Checklist of Who is in charge, Their Backups, Who should be notified, Prioritized Steps to Deal with Situation


Managing Passwords

• Trade-off between Security and Convenience

• Policy should address:

– Length, Complexity, Age, Reuse, Monitoring and Audits, Consequences
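Length, complexity, age and reuse are the four policy dimensions that can be enforced mechanically rather than left to the handbook. The checker below is an added example written for this page (not code from the Greene text); the minimum length, the three-of-four character-class rule, the 90-day maximum age and the five-password history depth are assumed values chosen for illustration, and previous passwords are kept only as salted PBKDF2 hashes so the reuse check never stores the passwords themselves.

```python
"""Added example: enforce the length, complexity, age and reuse dimensions of a
small-business password policy, keeping history as salted hashes only."""
import hashlib
import hmac
import os
import string
from datetime import date, timedelta

# Policy thresholds are assumptions of this example.
MIN_LENGTH = 12
MIN_CHAR_CLASSES = 3
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5            # how many previous passwords may not be reused


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 with a per-entry salt; this is what gets stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordRecord:
    """Per-user state: hashed history (newest last) and the date of last change."""

    def __init__(self):
        self.history = []
        self.changed_on = None

    def set(self, password, today):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]   # keep only the recent ones
        self.changed_on = today

    def reused(self, password):
        # Constant-time comparison against every retained hash.
        return any(hmac.compare_digest(_hash(password, s), h) for s, h in self.history)


def complexity_problems(password):
    """Length and character-class checks; returns a list of violations."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH}")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    present = sum(any(c in cls for c in password) for cls in classes)
    if present < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} character classes")
    return problems


def check_new_password(record, candidate):
    """All reasons a proposed password would be rejected (empty list = accepted)."""
    problems = complexity_problems(candidate)
    if record.reused(candidate):
        problems.append(f"matches one of last {HISTORY_DEPTH} passwords")
    return problems


def expired(record, today):
    """Age check: True when the password is older than MAX_AGE or never set."""
    return record.changed_on is None or today - record.changed_on > MAX_AGE


if __name__ == "__main__":
    rec = PasswordRecord()
    rec.set("Correct-Horse-42", date(2009, 7, 1))     # constructed sample
    print("expired on 2009-10-20:", expired(rec, date(2009, 10, 20)))
    print("reuse attempt:", check_new_password(rec, "Correct-Horse-42"))
    print("weak attempt:", check_new_password(rec, "abc"))
    print("acceptable:", check_new_password(rec, "Battery-Staple-7"))
```

Returning the full list of violations rather than the first one lets the monitoring and audit side of the policy count which rules are tripped most often, which is the data a small business needs before deciding on the "consequences" item.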


Protecting Information

• Use Information Classification Policy

• Instructions on who can access an asset, how the asset may be used, what security measures need to be in place, and the way the asset should ultimately be disposed of or destroyed

• May be uncomplicated:

– Confidential, Restricted, Public

• Cover Access, Storage, Transmission, Disposal


Protecting From Malware

• Malware Policy

• AV Software on all Workstations, Email Servers

• Anti-spyware also on Workstations

• Education and training on avoiding websites, downloading music or programs, etc.

• Patch Management


Securing Remote Access

• Who will be allowed, under what conditions, with whose authorization

• How will connection be made

• Don’t forget wireless


Controlling Change

• Policy for Change Control to software, hardware, network, business processes

• Change Management Process:

– Assessment, Logging, Communication

• Disciplinary Actions if Not Followed


Data Backup and Recovery

• Backup Policy

• Define Backup and Recovery Responsibilities

• Define Backup Characteristics

• Determine Restore Testing Requirements