IT Legislation & Regulation

CS5493

• Early legislation was designed to create punitive measures against those who
  – gained unauthorized access to data and systems
  – caused damage to data and systems (etc.)
• Later legislation was designed to target the custodians of information systems and their data.
Computer Fraud & Abuse Act (1984)
• Establishes punishment for unauthorized or fraudulent access to government computers and electronic data.
• Amended 1994 and 1996
• Patriot Act amended it in 2001
http://www.panix.com/~eck/computer-fraud-act.html
Search document for “protected computer” and “financial institution”
Computer Security Act (1987)
• Governs the security and privacy of sensitive information in Federal computer systems and establishes the minimum acceptable security practices for such systems.
• Requires the creation of computer security plans, and the appropriate training of system users and owners.
http://epic.org/crypto/csa/
http://epic.org/crypto/csa/csa.html
http://csrc.nist.gov/groups/SMA/ispab/documents/csa_87.txt
(Read the Background)
SOX
• Sarbanes-Oxley (2002)
  – Public Company Accounting Reform and Investor Protection Act (Senate)
  – Corporate and Auditing Accountability and Responsibility Act (House)
• SOX contains 11 articles covering regulations for publicly traded companies and private financial companies.
SOX
• There is nothing specific in the original SOX concerning IT policies, procedures, best practices, etc.
• Article 8 addresses criminal penalties for manipulation, destruction, or alteration of financial records (IT professionals should be aware).
SOX Section 404
• It is the responsibility of management to establish and maintain adequate internal control structures for financial information and reporting.
SOX Section 404
• The compliance costs of SOX represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems (an efficient IT infrastructure for maintaining financial records).
PCAOB
• Public Accounting Oversight Board established by SOX.
• The PCAOB (created by SOX) emphasizes the need for IT controls, but provides no details as to what the controls should be.
SOX
• Companies with less than $100 million in revenues experienced a higher % of cost due to SOX – 2.55% of revenues.
• Fewer new companies are registering as publicly traded due to the cost of compliance.
• Only 22% of surveyed companies believed SOX was of any benefit to them (maybe the larger firms?)
SOX
The following has a link to the actual bill:
http://uscode.house.gov/download/pls/15C98.txt
The following has a synopsis of penalties in section 802:
http://www.soxlaw.com/
SOX Conclusion
http://www.youtube.com/watch?v=n2ylBKOURtw
HIPAA
Health Insurance Portability and Accountability Act (1996, amended 2006)
• Governs how doctors, hospitals, insurance companies, and other health care providers handle personal medical information.
• All patient information must be handled so as to maintain patient privacy.
• Patients are empowered to access their own medical records and petition to correct errors or omissions.
• Informed consent as to how their personal medical information is used.
HIPAA
• Requires notification of privacy procedures whenever medical information is collected or distributed.
• Procedures should document instructions for addressing and responding to security breaches that are identified either during an audit or in the normal course of operations.
HIPAA
• Controls must govern the introduction and removal of hardware and software from the network.
• When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.
• Access to equipment containing health information should be carefully controlled and monitored.
HIPAA
• Access to hardware and software must be limited to properly authorized individuals.
• Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts.
• Policies are required to address proper workstation use. Workstations should be removed from high-traffic areas and monitor screens should not be in direct view of the public.
HIPAA Penalties
http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html
HIPAA
https://www.cms.gov/EducationMaterials/02_HIPAAMaterials.asp#TopOfPage
http://www.youtube.com/watch?v=Czpa6rw16Yw&feature=related
http://www.youtube.com/watch?v=MWK9DmmenIQ&feature=related
http://www.youtube.com/watch?v=6wRDorQ73Ng&feature=related
GLBA (1999)
Gramm-Leach-Bliley Act
• Banks and financial institutions must protect the confidentiality and security of information.
• Must disclose how private information is gathered on clients and how it is shared.
• Must disclose how private client information is protected.
• Must disclose privacy policies and procedures upon entering into a contract.
• Pre-texting provision.
GLBA
• http://en.wikipedia.org/wiki/Gramm–Leach–Bliley_Act (read the section on pre-texting)
GLBA non-Compliance
GLBA noncompliance can mean severe fines and even class-action lawsuits. Noncompliance can result in:
• Civil penalties against the institution of up to $100,000 for each violation.
• The officers and directors of the financial institution being subject to, and personally liable for, a civil penalty of up to $10,000.
• Imprisonment for up to five years.
GISRA
Government Information Security Reform Act (2000)
– Establishes accountability
– Gov. agency security policies must be submitted to the Office of Management and Budget (OMB). Failure could result in loss of funding.
http://whatis.techtarget.com/definition/government-information-security-reformact.html
FISMA (2002)
Federal Information Security Management Act
All federal agencies must develop and maintain formal information security programs:
• Security awareness efforts
• Secure access to computer resources
• Strict AUP
• Incident response and contingency planning
FISMA Compliance
• Poor FISMA compliance may result in a requirement to report before Congress, and significant budget-related penalties may be applied.
FERPA (1974)
Family Education Rights and Privacy Act
• Covers the privacy of student education records.
• Applies to all schools receiving any funding from the US Dept. of Education.
http://www.youtube.com/watch?v=_5XpRGd8O44
Patriot Act (2001)
Expands the authority of US law-enforcement agencies to access information that pertains to their investigations.
COPPA
Children's On-line Privacy Protection Act (1998)
• Restricts how information is collected on children under the age of 13.
• Operators must disclose how to verify consent from a parent or legal guardian.
• Outlines responsibilities for protecting children's privacy and safety on-line.
http://www.youtube.com/watch?v=PFGhisN6he0&feature=related
CDSBA
California Database Security Breach Act (2003)
• Companies must immediately notify their customer if the customer's private information has been compromised.
• Also limits how financial institutions share personal information of their clients.
• Similar laws followed and have been enacted in 46 other states.
PCI DSS
Payment Card Industry Data Security Standards
• An information security standard for organizations that handle cardholder information
  • Debit cards
  • Credit cards
  • ATM cards
  • Pre-pay cards
  • etc.
PCI DSS
• Not a law, but guidelines for the payment card industry.
• Participants include the major card issuers: Amex, Visa, MasterCard, Discover.
PCI-DSS: PCI-SSC
• Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and thereby reduce credit card fraud.
PCI DSS
Establishes standards for
• Security management policies and procedures
• Network architecture
• Software design
PCI Compliance
• Validation of compliance is done annually:
  • by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or
  • by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes
PCI QSA
The Qualified Security Assessor designation is conferred by the PCI SSC on those that meet specific information security requirements including:
• The QSA must have completed a training program endorsed by the PCI SSC
• The QSA must be an employee of an approved PCI security and auditing firm.
https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php
PCI-DSS: 12 Requirements
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
PCI 12 Requirements
Protect Cardholder Data
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
PCI 12 Requirements
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware.
6. Develop and maintain secure systems and applications.
PCI 12 Requirements
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know policy.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
PCI 12 Requirements
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
PCI 12 Requirements
Maintain an Information Security Policy
12. Maintain a policy that addresses information security.
http://www.youtube.com/watch?v=OceYWri86Ts&feature=related
PCI Merchant Levels
There are four compliance categories based on the volume of transactions by merchants.
PCI Merchant Levels
• L-1 : more than 6 million transactions per year.
• L-2 : 1 to 6 million transactions per year.
• L-3 : 20,000 to 1 million transactions per year.
• L-4 : fewer than 20,000 transactions per year.
Transaction counts are based on Visa transactions.
PCI – Compliance Guide
http://www.pcicomplianceguide.org/pcifaqs.php
PCI - Compliance
• http://www.youtube.com/watch?v=7nF38aYBaTE&feature=related
• http://www.youtube.com/watch?v=JvxxYClGBtA&feature=related
Regulation Summary
If you are better at complying with these rules and regulations you will achieve a higher level of efficiency and effectiveness in your security and privacy programs. (conclusion by Dr. L. Ponemon)