IT Legislation & Regulation
CS5493
Information has become a valued asset for commerce and governments.
As a result of its value, information is a target for malicious attackers.
Early legislation was designed to create punitive measures against those who:
– gained unauthorized access to data and systems
– caused damage to data and systems (etc.)
Later legislation was designed to target the custodians of information systems and their data.
Computer Fraud & Abuse Act (1984)
Establishes punishment for unauthorized or fraudulent access to government computers and electronic data.
Amended in 1994 and 1996; the Patriot Act amended it again in 2001.
http://www.panix.com/~eck/computer-fraud-act.html
Search document for “protected computer” and “financial institution”
Computer Security Act (1987)
Governs the security and privacy of sensitive information in Federal computer systems and establishes the minimum acceptable security practices for such systems.
Requires the creation of computer security plans, and the appropriate training of system users and owners.
http://epic.org/crypto/csa/ http://epic.org/crypto/csa/csa.html
http://csrc.nist.gov/groups/SMA/ispab/documents/csa_87.txt
(Read the Background)
SOX
Sarbanes-Oxley (2002)
– Public Company Accounting Reform and Investor Protection Act (Senate)
– Corporate and Auditing Accountability and Responsibility Act (House)
SOX contains 11 articles covering regulations for publicly traded companies and private financial companies.
SOX
There is nothing specific in the original SOX concerning IT policies, procedures, best practices, etc. Article 8 addresses criminal penalties for manipulation, destruction, or alteration of financial records (IT professionals should be aware of this).
SOX Section 404
• It is the responsibility of management to establish and maintain adequate internal security controls for financial information and reporting.
SOX Section 404
• The compliance costs of SOX represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems (an efficient IT infrastructure for maintaining financial records).
PCAOB
Public Company Accounting Oversight Board, established by SOX.
The PCAOB (created by SOX) emphasizes the need for IT security controls, but provides no details as to what the controls should be.
SOX Efficacy
An FEI study shows that for companies with revenues above 4 billion, the cost attributed to SOX is below .04% of revenue.
Borrowing costs were lower for companies in compliance with SOX (Iliev 2007).
Compliance led to a faster rise in share price (Lord & Benoit 2006).
SOX
Companies with less than $100 million in revenues experienced a higher percentage of cost due to SOX: 2.55% of revenues. Fewer new companies are registering as publicly traded due to the cost of compliance.
Only 22% of surveyed companies believed SOX was of any benefit to them (maybe the larger firms?).
SOX
The following has a link to the actual bill: http://uscode.house.gov/download/pls/15C98.txt
The following has a synopsis of penalties in section 802: http://www.soxlaw.com/
Penalties, Section 802
Up to 20 years of imprisonment for:
• Altering
• Destroying
• Mutilating
• Concealing
• Falsifying
of records or tangible objects.
SOX
Penalties, Section 802
Fines and imprisonment for up to 10 years if one knowingly and willfully violates the requirement to maintain all audit or review records for a period of 5 years. Fines are up to $1 million for filing incorrect information, and $5 million if misleading information is filed willfully.
SOX
SOX applies to:
• all publicly traded companies and international companies with SEC-registered equities
• accounting firms doing business with the above.
SOX Conclusion
http://www.youtube.com/watch?v=n2ylBKOURtw
HIPAA
Health Insurance Portability and Accountability Act (1996, amended 2006)
Governs how doctors, hospitals, insurance companies, and other health care providers handle personal medical information.
All patient information must be handled to maintain patient privacy.
Patients are empowered to access their own medical records and petition to correct errors or omissions.
HIPAA
Requires privacy procedures whenever medical information is collected or distributed.
Procedures must document instructions for addressing and responding to security breaches that are identified either during an audit or the normal course of operations.
HIPAA
Controls must govern the introduction and removal of hardware and software from the network. When equipment is retired it must be disposed of properly to ensure that PHI (protected health information) is not compromised.
Access to equipment containing health information should be carefully controlled and monitored.
HIPAA
Access to hardware and software must be limited to properly authorized individuals.
Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas and monitor screens should not be in direct view of the public.
HIPAA and your Employer
The HIPAA privacy rule includes protection from disclosure of your health records between your health care provider and your employer. In other words, managers and supervisors can only have access to your health records if you give them permission. HIPAA does not prevent your employer from requesting health care information from you.
http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html
HIPAA Penalties and Fines
Noncompliance fines range from $100 - $50,000 per violation, or per record.
Noncompliance violations fall into these categories:
• Willful Neglect - carries fines in the $10,000 - $50,000 range.
• Reasonable Cause errors start at the bottom of the scale.
The maximum penalty is $1.5 million per year for violations of an identical provision. See example noncompliance events: https://www.truevault.com/blog/what-is-the-penalty-for-a-hipaa-violation.html#.VM7f4SmprHg
HIPAA Penalties and Fines
Criminal penalties (imprisonment):
• Unknowingly or with reasonable cause: up to one year
• Under false pretenses: up to five years
• For personal gain or malicious reasons: up to ten years
HIPAA
https://www.cms.gov/EducationMaterials/02_HIPAAMaterials.asp#TopOfPage
http://www.youtube.com/watch?v=Czpa6rw16Yw&feature=related
http://www.youtube.com/watch?v=MWK9DmmenIQ&feature=related
http://www.youtube.com/watch?v=d2Cw0ARJVDM
http://www.youtube.com/watch?v=6wRDorQ73Ng&feature=related
GLBA (1999)
Gramm-Leach-Bliley Act
Banks and financial institutions must protect the confidentiality and security of information.
Must disclose how private information is gathered on clients and how it is shared.
Must disclose how private client information is protected.
Must disclose privacy policies and procedures upon entering into a contract.
GLBA
• http://en.wikipedia.org/wiki/Gramm–Leach–Bliley_Act
GLBA non-Compliance
GLBA noncompliance can mean severe fines and even class-action lawsuits. Noncompliance can result in:
• Institutions can be subject to civil penalties of up to $100,000 for each violation.
• The officers and directors of the financial institution can be subject to, and personally liable for, a civil penalty of up to $10,000.
• Imprisonment for up to five years is possible.
GISRA
Government Information Security Reform Act (2000)
– Establishes accountability.
– Government agency security policies must be submitted to the Office of Management and Budget (OMB). Failure could result in loss of funding.
http://whatis.techtarget.com/definition/government-information-security-reform-act.html
FISMA (2002)
Federal Information Security Management Act
All federal agencies must develop and maintain formal information security programs, including:
• Security awareness efforts
• Secure access to computer resources
• Strict AUP (acceptable use policy)
• Incident response and contingency planning
FISMA Compliance
• Poor FISMA compliance may result in a requirement to report before Congress, and significant budget-related penalties may be applied.
FERPA (1974)
Family Education Rights and Privacy Act
Covers the privacy of student education records.
Applies to all schools receiving any funding from the US Dept. of Education.
http://www.youtube.com/watch?v=_5XpRGd8O44
Patriot Act (2001)
Expands the authority of US law-enforcement agencies to access information that pertains to their investigations.
COPPA
Children's On-line Privacy Protection Act (1998)
Restricts how information is collected on children under the age of 13.
Operators must disclose how to verify consent from a parent or legal guardian.
Outlines responsibilities for protecting children's privacy and safety on-line.
http://www.youtube.com/watch?v=PFGhisN6he0&feature=related
CDSBA
California Database Security Breach Act (2003)
Companies must immediately notify their customers if a customer's private information has been compromised.
Also limits how financial institutions share personal information of their clients.
Similar laws followed and have been enacted in 46 other states.
PCI DSS
Payment Card Industry Data Security Standards
• An information security standard for organizations that handle cardholder information:
• Debit cards
• Credit cards
• ATM cards
• Pre-pay cards
• etc.
PCI DSS
Not a law, but guidelines for the payment card industry.
Participants include the major card issuers: Amex, Visa, MasterCard, Discover.
PCI-DSS: PCI-SSC
• Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and thereby reduce credit card fraud.
PCI DSS
Establishes standards for:
• Security management policies and procedures
• Network architecture
• Software design
PCI Compliance
• Validation of compliance is done annually:
• by an external Qualified Security Assessor (QSA) for organizations handling large volumes of transactions, or
• by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.
PCI QSA
The Qualified Security Assessor designation is conferred by the PCI SSC on those that meet specific information security requirements, including:
• The QSA must have completed a training program endorsed by the PCI SSC.
• The QSA must be an employee of an approved PCI security and auditing firm.
https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php
PCI-DSS: 12-Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
PCI 12-Requirements
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
PCI 12-Requirements
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.
PCI 12-Requirements
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know policy.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
PCI 12-Requirements
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
PCI 12-Requirements
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
http://www.youtube.com/watch?v=OceYWri86Ts&feature=related
PCI Merchant Levels
There are four compliance categories based on the volume of transactions processed by a merchant.
PCI Merchant Levels
• L-1 : more than 6 million transactions per year.
• L-2 : 1 to 6 million transactions per year.
• L-3 : 20,000 to 1 million transactions per year.
• L-4 : fewer than 20,000 transactions per year.
PCI – Compliance Guide
http://www.pcicomplianceguide.org/pcifaqs.php
PCI - Compliance
• https://protect.iu.edu/sites/default/files/pci_saq_a.pdf
• https://protect.iu.edu/sites/default/files/pci_saq_
• http://www.youtube.com/watch?v=7nF38aYBaTE&feature=related
• http://www.youtube.com/watch?v=JvxxYClGBtA&feature=related
Regulation Summary
The better you are at complying with these rules and regulations, the higher the level of efficiency and effectiveness you will achieve in your security and privacy programs. (Conclusion by Dr. L. Ponemon)