DuPont Presentation


USENIX:LISA 2004
GOOD POINT
Information Security Laws & What They Mean For You
John Nicholson
[email protected]
What are we going to talk about?
• Legal Basics: Laws, Regulations and Other Similar Things
• Federal Information Security Rules
• State Information Security Rules
• Enforcement Actions
• Your Questions and Comments
GLOBAL SOURCING
Part I
Legal Basics:
Laws, Regulations
and Other Things
Why does any discussion of the law
have to be so complicated?
Oh, it’s stinky?
It makes you cry?
Okay, um, the law is like an onion.
Yes! No!
No! The law has layers! Onions
have layers and the law has layers!
Oh, layers. They both
have layers. You know, not everybody likes onions.
“7-Layer Model” of Legal Controls
State Regulations
State Constitution
Executive Orders
Federal Regulations
Federal Laws/International Treaties
US Supreme Court
US Federal Courts
State Courts
State Laws
US Constitution
What’s the difference between Federal laws and State laws?
• Under the US Constitution, the Federal government has limited powers.
• Powers not delegated to the Federal government are reserved to the States.
• When passing laws, Congress may “preempt” States from acting in a particular area.
– States may be prohibited from passing any laws in the preempted area, OR
– The Federal law may set a minimum (or maximum) standard, and States are permitted to be more (or less) stringent.
Why is preemption important to IT?
• Preemption enables Congress to ensure similarity of laws across the States.
• When dealing with a service (e.g., the Internet) that crosses State lines, Federal laws/regulations ensure that everyone is treated the same (or at least understands the minimum standard).
Why does preemption matter to you?
• Multiple layers of laws and regulations. Depending on where you are in the US, you may be subject to different regulatory schemes.
• For example, California has been very active in passing data privacy and security laws. If your organization operates in California (or you gather information about Californians) you may be subject to California’s laws.
What’s the difference between Federal laws and regulations?
Federal laws are bills that are passed by Congress and signed into law by the President.
• Laws generally specify what is required, but not how it should be done.
• Laws generally specify which entity within the Executive Branch is responsible for drafting regulations to implement the law.
• Laws are frequently vague and can be ambiguous.
Information Security-Related Federal Laws
• Federal Information Security Management Act of 2002 (“FISMA”)
• Gramm-Leach-Bliley Act (“GLBA”)
• Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)
• Sarbanes-Oxley Act
• USA PATRIOT Act
• Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (“CFAA”)
• Electronic Communications Privacy Act (“ECPA”)
What are Regulations?
Regulations implement laws.
• Regulations are promulgated by agencies like
Office of Management and Budget, Dept. of
Health and Human Services, etc.
• Frequently written with assistance from
industry.
• Subject to public comment before taking
effect.
• Published in the Federal Register.
What are Executive Orders?
Executive Orders are directions from the President to the Executive Branch.
• An order having the force of law issued by the President to the army, navy, or other part of the executive branch of the government.
• Generally in areas where Congress has delegated authority to the President or where Congress hasn’t acted.
How do State laws and regulations differ?
• Generally only apply to activities in that state (but California is changing this).
• Are subject to preemption by Federal laws.
• Must also comply with the relevant State constitution, which may be stricter than the US Constitution.
What is the role of the courts?
• Courts interpret the law.
– Where laws are unclear or ambiguous, courts decide what the law really means.
• Courts work in a hierarchy.
– US Supreme Court decides US Constitutional issues.
– Federal courts decide issues related to Federal laws and interstate issues.
– State courts generally decide State constitutional issues and intra-state issues.
– Federal and State courts must defer to the US Supreme Court.
Part II
Federal Information Security
“Rules”
(Laws, Regulations and Executive Orders)
Federal Activities Related to Information Security
• Major Federal responsibility is securing Federally owned/operated systems.
• Federal government does not generally regulate security of non-government systems.
• HOWEVER, the Federal government does require that certain types of information be protected.
• Federal government is working with industry regarding security of critical infrastructure.
Federal Laws We’re Going to Cover Today
• Federal Information Security Management Act (FISMA)
• Gramm-Leach-Bliley Act (GLBA)
• Health Insurance Portability and Accountability Act (HIPAA)
• Sarbanes-Oxley Act (SOX)
Federal Information Security Management Act
• Builds on requirements of:
– Computer Security Act of 1987
– Paperwork Reduction Act of 1995
– Information Technology Management Reform Act of 1996
• Provides basic statutory framework for securing Federally owned/operated computer systems.
• Covers “non-national security systems”.
FISMA
• Requires each agency to
– Inventory computer systems,
– Identify and provide appropriate security protections, and
– Develop, document and implement an agency-wide information security program.
• Authorizes National Institute of Standards & Technology (NIST) to develop security standards and guidelines for systems used by the federal government.
FISMA (cont.)
• Authorizes Secretary of Commerce to decide which standards to promulgate.
• Authorizes Director of OMB to oversee development and implementation of standards.
• Authorizes Director of OMB to require other agencies to comply with the standards and review each agency’s information security program.
• Useful NIST materials available at http://csrc.nist.gov/sec-cert/index.html
What is a “National Security System”?
“Any computer system (including any telecommunications system)
used or operated by an agency …
(i) the function of which (I) involves intelligence activities;
(II) involves cryptologic activities related to national security;
(III) involves command and control of military forces;
(IV) involves equipment that is an integral part of a weapon or weapons
system;
(V) …is critical to the direct fulfillment of military or intelligence
missions; or
(ii) is protected at all times by procedures established by an
Executive Order or an Act of Congress to be kept classified in the
interest of national defense or foreign policy.”
What are the rules for National Security Systems?
• Specified in National Security Directive (NSD) 42, issued by the President in 1990.
• NSD 42 allocates various responsibilities to different national security players:
– CIA - some intelligence systems
– DOD - military/weapons systems
– NSA - some intelligence systems
Gramm-Leach-Bliley Act
• Requires “financial institutions” to protect security and confidentiality of customers’ nonpublic financial information.
• Authorizes various agencies to coordinate development of regulations: Comptroller of the Currency, SEC, FDIC, FTC, etc.
• FTC announced final rule implementing GLBA in May 2002.
GLBA (cont)
FTC GLBA regulations:
– Published at 16 CFR 314
– Require “financial institutions” to develop, implement and maintain a comprehensive information security program with appropriate administrative, technical and physical safeguards, including:
• Designating an employee to coordinate the program
• Performing risk assessments
• Performing regular testing and monitoring
• A process for making changes in light of test results or changes in circumstances.
So what is a “financial institution” under GLBA?
• Under the GLBA rule, “financial institutions” generally includes anyone who extends credit to consumers, but also includes debt collection agencies, mortgage lenders, real estate settlement services, and entities that process consumers' non-public personal financial information.
• FTC's GLBA rule also regulates non-affiliated third parties (parties that are not financial institutions) by limiting the transfer of non-public personal information they receive from financial institutions.
• What’s tricky about GLBA?
– Broad definition of “financial institution” could potentially include an array of companies that may not consider themselves as such (e.g., a department store that offers lay-away services or manufacturers that offer equipment financing).
– Multiple agencies with authority to issue regulations. Could conflict.
What do you need to do under GLBA?
If GLBA applies to your company:
– Create, implement and maintain an information security program.
– The information security program should have the regular
involvement of the Board of Directors (this may be beyond your
scope).
– Regularly assess risks.
– Create, document, implement and maintain policies and
procedures to manage and control risk, including training,
testing and managing/monitoring third party service providers.
– Adjust information security program as necessary based on
testing or other changes.
Health Insurance Portability and Accountability Act
• Authorizes Secretary of Health and Human Services to adopt standards that require “health plans”, “health care providers” and “health care clearinghouses” to take reasonable and appropriate administrative, technical and physical safeguards to:
– Ensure integrity and confidentiality of individually identifiable health information held or transferred by them;
– Protect against any reasonably anticipated threats, unauthorized use or disclosure; and
– Ensure compliance by officers and employees.
• Security regulations published at 45 CFR 164, Subpart C
• HIPAA security regulations are much more substantive than GLBA security regulations.
HIPAA Scope & Key Definitions
• HIPAA Scope
– Requires health care entities to implement new privacy policies, comply with technical security requirements, provide notice/secure authorizations for a range of uses and disclosures of health information, and enter into written agreements with business partners regarding the ability to share such information.
• HIPAA Key Definitions
– Protected health information (“PHI”) includes all individually identifiable health information (“IIHI”) in the hands of “covered entities.”
– “Covered Entity” includes the following types: 1) health care plans; 2) health care clearinghouses; and 3) health care providers who electronically transmit health information in connection with certain specified transactions.
– “Business Associates” are any people or entities that perform certain activities or functions on behalf of a Covered Entity that involve the use or disclosure of protected health information (e.g., claims processing, benefit management, etc.).
HIPAA Security Rule - General
• Requires CEs to implement a unified security approach based on “defense in depth.”
• Is technology neutral. CEs select appropriate technology to protect information.
• Requires CEs to protect information from both internal and external threats.
• Requires CEs to conduct regular, thorough and accurate risk assessments. See http://www.hipaadvisory.com/alert/vol4/number2.htm#four for a detailed discussion of how to conduct a risk analysis.
HIPAA Security Regulations
• HIPAA security requirements fall into three categories:
– Administrative Safeguards
– Physical Safeguards
– Technical Safeguards
• Each category includes:
– “standards”: WHAT the organization must do; and
– “implementation specifications”: HOW it must be done. (Under 45 CFR 164.306(d), each implementation specification is either “required” or “addressable”; an addressable one may be met by a documented equivalent alternative measure, but the assessment and the decision must be recorded.)
HIPAA Administrative Safeguards
• Administrative safeguards require documented policies and procedures for managing:
– Day-to-day operations;
– Conduct and access of workforce members to protected information;
– Selection, development and use of security controls.
HIPAA Administrative Safeguards Standards
– Security management process: Overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations.
– Assigned security responsibility: A single individual must be designated as having overall responsibility for the security of the CE's protected information.
– Workforce security: Policies, procedures, and processes must be developed and implemented that ensure only properly-authorized workforce members have access to protected information.
– Information access management: Policies, procedures, and processes must be developed and implemented for authorizing, establishing, and modifying access to protected information.
– Security awareness and training: A security awareness and training program for a CE's entire workforce must be developed and implemented.
HIPAA Administrative Safeguards Standards (cont)
– Security incident procedures: Policies, procedures, and processes must be developed and implemented for reporting, responding to, and managing security incidents.
– Contingency plan: Policies, procedures, and processes must be developed and implemented for responding to a disaster or emergency that damages information systems containing protected information.
– Evaluation: CE must perform periodic technical and non-technical evaluations that determine the extent to which the CE's security policies, procedures, and processes meet the ongoing requirements of the Security Rule.
– Business associate contracts and other arrangements: CE must, when dealing with business associates that create, receive, maintain, or transmit protected information on the CE's behalf, develop and implement contracts that ensure the business associate will appropriately safeguard the information.
HIPAA Physical Safeguards
• Physical safeguards are intended to protect information systems and protected information from unauthorized physical access.
• CE must limit physical access while still permitting authorized physical access.
HIPAA Physical Safeguards (cont)
– Facility access controls: Overall requirement to implement policies, procedures, and processes that limit physical access to electronic information systems while ensuring that properly-authorized access is allowed.
– Workstation use: Policies and procedures must be developed and implemented that specify appropriate use of workstations and the characteristics of the physical environment of workstations that can access protected information.
– Workstation security: CE must implement physical safeguards for all workstations that can access protected information to limit access to only authorized users.
– Device and media controls: Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media that contain protected information into and out of a CE, and the movement of those items within a CE.
HIPAA Technical Safeguards
• Technical Safeguards are requirements for using technology to control access to protected information.
– Access control: Policies, procedures, and processes must be developed and implemented for electronic information systems that contain protected information to only allow access to persons or software programs that have appropriate access rights.
– Audit controls: Mechanisms must be implemented to record and examine activity in information systems that contain or use protected information.
– Integrity: Policies, procedures, and processes must be developed and implemented that protect information from improper modification or destruction.
HIPAA Technical Safeguards (cont)
– Person or entity authentication: Policies, procedures, and processes must be developed and implemented that verify persons or entities seeking access to protected information are who or what they claim to be.
– Transmission security: Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to protected information that is being transmitted over an electronic communications network (e.g., the Internet).
HIPAA Documentation Requirements
• CE must maintain documentation (e.g., policies and procedures) required by the HIPAA Security Rule until the LATER OF
– 6 years from date of creation; OR
– 6 years from date policy/procedure was last in effect.
• CE must regularly review and update documentation.
So what? I don’t work for a health care company!
• You might be surprised:
– If your company self-insures, you might work for a health care plan.
– Your company could also be a Business Associate of a Covered Entity.
• Because people have given thought to the process around protecting systems and information, other regulatory frameworks may try to piggyback off of the HIPAA model.
• Also, by understanding the HIPAA model, you may have a head start on the regulation you might be subjected to in the future, like….
Sarbanes-Oxley
• After Enron, Adelphia Communications, MCI/Worldcom (among others) showed there were flaws in current financial reporting requirements, Congress passed SOX.
• Purpose of SOX is “To protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws, and for other purposes.”
• Two sections of SOX have impact on information security: Section 302 and Section 404.
Sarbanes-Oxley Sections 302 and 404
• Section 302 states that the CEO and CFO must personally certify that financial reports are accurate and complete. They must also assess and report on the effectiveness of internal controls around financial reporting.
• Section 404 states that the corporation must assess the effectiveness of internal controls and report the assessment to the SEC. The assessment must also be reviewed by an outside auditing firm.
No assessment of internal controls is complete without an understanding of information security. Insecure systems cannot be considered a source of reliable financial information.
Information Security under SOX
• SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee and guide auditors in assessing SOX compliance.
• PCAOB tasked with creating Proposed Auditing Standards.
• PCAOB selected the control framework developed by the Committee of Sponsoring Organizations (COSO), which provides structured guidelines for implementing internal controls.
Information Security under SOX (cont)
• As a supplement to the COSO guidelines, PCAOB selected the Information Systems Audit and Control Association (ISACA) Control Objectives for Information and related Technology (COBIT) framework.
• IT Governance Institute (ITGI) has used the COSO and COBIT frameworks to create specific IT control objectives for SOX.
• Public companies with market capitalizations of $75 million or more must be in compliance with Section 404 for their fiscal year ending on or after June 15. Smaller companies have until the fiscal year ending on or after April 15, 2005, to comply.
What do you have to do to comply with SOX?
• Comply with requirements of the ITGI Framework Topics:
– Security Policy
– Security Standards
– Access and Authentication
– User Account Management
– Network Security
– Monitoring
– Segregation of Duties
– Physical Security
ITGI Security Framework Topics: Security Policy
• Security Policy
– For SOX compliance, policies are key to demonstrating compliance.
– Auditors will look for:
• Whether policies exist for appropriate information security topics
• Whether policies have been approved at appropriate management levels
• Whether policies are communicated effectively to personnel
– See ISO 17799 and the SANS Security Policy Project, http://www.sans.org/resources/policy
ITGI Security Framework Topics: Security Standards
• Security Standards
– Existence of appropriate security standards is necessary for SOX compliance.
– Example of a “security standard” is the Windows 2000 benchmark provided by the Center for Internet Security, which provides specific guidance for configuring security on a Windows 2000 box.
– Areas for which standards should be specified:
• Workstation/Server configuration
• Physical security
• Network infrastructure administration
• System access controls
• Data classification and management
• ADM
ITGI Security Framework Topics: Security Standards (cont)
• Auditors will look for:
– Whether standards exist for appropriate technology areas given the nature of your business and your environment
– Whether standards have been approved at appropriate management levels
– Whether standards are communicated effectively to personnel
– Whether standards are followed
– Process for exception handling
– Process for modification of standards
ITGI Security Framework Topics: Access and Authentication
• Access and Authentication
– Company must employ methods to validate that only authorized personnel can access systems and perform activities within their level of authorization.
– Methods could include:
• Two factor
• Biometric
• Password (provided that passwords are subject to appropriate requirements regarding length, complexity, aging and reuse)
– Company should have clear policies prohibiting password sharing.
ITGI Security Framework Topics: User Account Management
• User Account Management
– Company should have clearly documented processes regarding creation/modification/removal of user accounts:
• In writing and subject to review and approval;
• Process regarding termination of access for terminated employees, including procedures for IT notification; and
• Regular access privilege review and adjustment.
ITGI Security Framework Topics: Network Security
• Network Security
– Perimeter security with firewalls and IDS
• Internal firewalls could be warranted to segregate sensitive areas of the internal network or wireless access points
– Encryption should be used for sensitive information (SSL in general and PGP (or better) for financial information)
– Anti-virus protection should be installed and regularly updated
– Wireless security requires special assessment and could be segregated from the remainder of the network.
– Regular penetration testing.
ITGI Security Framework Topics: Monitoring & Segregation
• Monitoring
– Policies and procedures should exist to monitor logs and identify incidents.
– Policies and procedures should exist for incident response.
• Segregation of Duties
– Separation of duties minimizes the opportunity for catastrophic error or fraud.
– Where segregation of duties is not possible, other controls to detect fraud should be implemented.
ITGI Security Framework Topics: Physical Security
• Physical Security
– Appropriate physical mechanisms to secure access to facilities and individual hardware should be implemented.
– Controls over access should be developed and implemented.
• Ability to issue keys, for example, should be controlled, and keys should be accounted for.
• Access to facilities and specified areas should be regularly reviewed and modified to reflect changes in responsibilities.
• Procedures for recovering/disabling keys or access devices from terminated personnel should be developed and implemented.
Part III
State Information Security
“Rules”
California has been leading the way
• SB 1386
– Requires notification to California residents if a security breach discloses (or might have disclosed) certain information about them that could lead to identity theft.
– Covered information:
• Name (full name or first initial and last name) connected with
– social security number;
– driver’s license number;
– California Identification Card number; or
– account number or credit or debit card number along with any required security code, access code, or password that would permit access to an individual’s financial account.
SB 1386 (cont)
• Companies are not required to notify customers if the information was stored in encrypted form.
– Some speculation that even something as simple as ROT13 would satisfy this requirement, but don’t bank on it.
AB 1950
• On Sept. 29, 2004, California enacted AB 1950, which requires a business that
– Stores personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
– Discloses personal information about a California resident to a third party as part of a contract to require the third party to implement and maintain the same reasonable security procedures and practices appropriate to the nature of the information to protect it from unauthorized access, destruction, modification, use or disclosure.
My organization isn’t in California, why should I care?
• Because SB 1386 applies to any person or organization that conducts business in California and stores personal information about California residents on a computer system.
• Because AB 1950 applies to any business that “owns or licenses” personal information about a California resident, and any company that contracts to receive personal information about a California resident.
Part IV
Enforcement
FTC has started enforcing security “promises”
FTC Actions Regarding Security:
• Eli Lilly: Disclosure of email addresses of Prozac prescription holders
• Microsoft: Overpromising regarding security of the MS Passport service
• Guess, Inc.: Promising security of information while remaining vulnerable to common attacks
FTC is creating a standard
• FTC and other bodies are creating a de facto “reasonableness” standard with regard to security.
• COBIT, ISO 17799, NIST standards may become the default standards for a “reasonable” company.
• So what?
You’ve been cracked… And now you’re sued.
• US law requires people to behave “reasonably”.
• If you don’t behave reasonably and someone is harmed because of it, you may be liable for negligence.
• So… if your systems get cracked, and the cracker uses your boxes to launch an attack on someone else, that victim may try to sue you for negligently configuring your systems so that the cracker could get in.
You’ve been sued… And you might lose.
• If you cannot show that you were “reasonable” (which may be defined as having complied with COBIT/NIST/ISO 17799), a court may decide that you were negligent and your company is liable for the damages of the downstream victim(s).
• This hasn’t happened yet, but many people think it’s coming.
Part V
Conclusion
Conclusion
• Whether you like it or not, some form of regulatory requirement for information security is coming your way.
– It may be GLBA, HIPAA, SOX, a State regulation or some combination (which may not be consistent).
• Get familiar with COBIT, the NIST guidelines and ISO 17799 and begin planning for compliance if you haven’t already done so.
• Understand how laws and regulations are created. You have a voice, and the people writing the laws are not technically savvy.