IT Legislation & Regulation CS5493

Post on 21-Dec-2015


Page 1:

IT Legislation & Regulation

CS5493

Information has become a valued asset for commerce and governments. … as a result of its value, information is a target.

Page 2:

Early legislation was designed to create punitive measures against those who

– gained unauthorized access to data and systems

– caused damage to data and systems. (etc)

Later legislation was designed to target the custodians of information systems and their data.

Page 3:

Computer Fraud & Abuse Act (1984)

Establishes punishment for unauthorized or fraudulent access to government computers and electronic data.

Amended in 1994 and 1996; the USA PATRIOT Act amended it again in 2001.

http://www.panix.com/~eck/computer-fraud-act.html

Search the document for "protected computer" and "financial institution" (the definition of "protected computer" is what extends the Act well beyond government machines).

Page 4:

Computer Security Act (1987)

Governs the security and privacy of sensitive information in Federal computer systems and establishes the minimum acceptable security practices for such systems.

Requires the creation of computer security plans, and the appropriate training of system users and owners.

http://epic.org/crypto/csa/

http://epic.org/crypto/csa/csa.html

http://csrc.nist.gov/groups/SMA/ispab/documents/csa_87.txt

(Read the Background)

Page 5:

SOX

Sarbanes-Oxley (2002)

– Public Company Accounting Reform and Investor Protection Act (Senate)

– Corporate and Auditing Accountability, Responsibility, and Transparency Act (House)

SOX contains 11 titles (often referred to as articles) covering regulations for publicly traded companies, the accounting firms that audit them, and private financial companies.

Page 6:

SOX

There is nothing specific in the original SOX concerning IT policies, procedures, best practices, etc.

Title VIII (Section 802) addresses criminal penalties for manipulation, destruction, or alteration of financial records. Those records live on systems and in backups that IT administers, so IT professionals should be aware of it.

Page 7:

SOX Section 404

• It is the responsibility of management to establish and maintain adequate internal control structures for financial information and reporting.

Page 8:

SOX Section 404

• The compliance costs of SOX represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems

(an efficient IT infrastructure for maintaining financial records)

Page 9:

PCAOB

The Public Company Accounting Oversight Board, created by SOX, emphasizes the need for IT controls but provides no details as to what the controls should be.

Page 10:

SOX

Companies with less than $100 million in revenues experienced a higher compliance cost relative to their size: SOX costs averaged 2.55% of revenues.

Fewer new companies are registering as publicly traded due to the cost of compliance.

Only 22% of surveyed companies believed SOX was of any benefit to them (maybe the larger firms?)

Page 11:

SOX

The following has a link to the actual bill:

http://uscode.house.gov/download/pls/15C98.txt

The following has a synopsis of penalties in section 802:

http://www.soxlaw.com/

Page 12:

SOX Conclusion

http://www.youtube.com/watch?v=n2ylBKOURtw

Page 13:

HIPAA

Health Insurance Portability and Accountability Act (1996, amended 2006)

Governs how doctors, hospitals, insurance companies, and other health care providers handle personal medical information.

All patient information must be handled so as to maintain patient privacy.

Patients are empowered to access their own medical records and petition to correct errors or omissions.

Patients must be informed of, and consent to, how their personal medical information is used.

Page 14:

HIPAA

Requires notification of privacy procedures whenever medical information is collected or distributed.

Procedures should document instructions for addressing and responding to security breaches that are identified either during an audit or the normal course of operations.

Page 15:

HIPAA

Controls must govern the introduction and removal of hardware and software from the network.

When equipment is retired it must be disposed of properly to ensure that PHI is not compromised.

Access to equipment containing health information should be carefully controlled and monitored

Page 16:

HIPAA

Access to hardware and software must be limited to properly authorized individuals.

Required physical access controls include facility security plans, maintenance records, and visitor sign-in and escorts.

Policies are required to address proper workstation use: workstations should be removed from high-traffic areas and monitor screens should not be in direct view of the public.

Page 17:

HIPAA Penalties

http://www.ucdmc.ucdavis.edu/compliance/guidance/privacy/penalties.html

Page 18:

HIPAA

https://www.cms.gov/EducationMaterials/02_HIPAAMaterials.asp#TopOfPage

http://www.youtube.com/watch?v=Czpa6rw16Yw&feature=related

http://www.youtube.com/watch?v=MWK9DmmenIQ&feature=related

http://www.youtube.com/watch?v=6wRDorQ73Ng&feature=related

Page 19:

GLBA (1999)

Gramm-Leach-Bliley Act

– Banks and financial institutions must protect the confidentiality and security of client information.

– Must disclose how private information is gathered on clients and how it is shared.

– Must disclose how private client information is protected.

– Must disclose privacy policies and procedures upon entering into a contract.

– Pretexting provision: prohibits obtaining customer financial information under false pretenses (for example, impersonating the customer to the bank).

Page 20:

GLBA

• http://en.wikipedia.org/wiki/Gramm–Leach–Bliley_Act

(read the section on pre-texting)

Page 21:

GLBA non-Compliance

GLBA noncompliance can mean severe fines and even class-action lawsuits. Noncompliance can result in:

• Civil penalties against the institution of up to $100,000 for each violation.

• Civil penalties of up to $10,000 for which the officers and directors of the financial institution are personally liable.

• Imprisonment for up to five years.

Page 22:

GISRA

Government Information Security Reform Act (2000)

– Establishes accountability

– Gov. agency security policies must be submitted to the Office of Management and Budget (OMB). Failure could result in loss of funding.

http://whatis.techtarget.com/definition/government-information-security-reform-act.html

Page 23:

FISMA (2002)

Federal Information Security Management Act

All federal agencies must develop and maintain formal information security programs, including:

– Security awareness efforts

– Secure access to computer resources

– A strict acceptable use policy (AUP)

– Incident response and contingency planning

Page 24:

FISMA Compliance

• Poor FISMA compliance may result in a requirement to report before Congress and significant budget-related penalties may be applied.

Page 25:

FERPA (1974)

Family Educational Rights and Privacy Act

Covers the privacy of student education records. Applies to all schools receiving any funding from the US Dept. of Education.

http://www.youtube.com/watch?v=_5XpRGd8O44

Page 26:

Patriot Act (2001)

Expands the authority of US law-enforcement agencies to access information that pertains to their investigations.

Page 27:

COPPA

Children's Online Privacy Protection Act (1998)

Restricts how information is collected on children under the age of 13.

Operators must disclose how to verify consent from a parent or legal guardian.

Outlines responsibilities for protecting children's privacy and safety online.

http://www.youtube.com/watch?v=PFGhisN6he0&feature=related

Page 28:

CDSBA

California Database Security Breach Act (2003)

Companies must notify their customers promptly (the statute says in the most expedient time possible and without unreasonable delay) if the customer's private information has been compromised.

Also limits how financial institutions share personal information of their clients.

Similar laws followed and have been enacted in 46 other states.

Page 29:

PCI DSS

Payment Card Industry Data Security Standard

• An information security standard for organizations that handle cardholder information

• Debit cards

• Credit cards

• ATM cards

• Pre-pay cards

• etc

Page 30:

PCI DSS

Not a law, but a contractual standard for the payment card industry, enforced by the card brands and acquiring banks rather than by a regulator.

Participants include the major card brands: American Express, Visa, MasterCard, Discover (and JCB).

Page 31:

PCI-DSS: PCI-SSC

• Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and thereby reduce credit card fraud.

Page 32:

PCI DSS

Establishes standards for:

– Security management policies and procedures

– Network architecture

– Software design

Page 33:

PCI Compliance

• Validation of compliance is done annually —

• by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or

• by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes

Page 34:

PCI QSA

The Qualified Security Assessor designation is conferred by the PCI SSC on those that meet specific information security requirements, including:

• The QSA must have completed a training program endorsed by the PCI SSC.

• The QSA must be an employee of an approved PCI security and auditing firm.

https://www.pcisecuritystandards.org/approved_companies_providers/become_qsa.php

Page 35:

PCI-DSS: 12-Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Page 36:

PCI 12-Requirements

Protect Cardholder Data

3. Protect stored cardholder data.

4. Encrypt transmission of cardholder data across open, public networks.
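Requirement 3 is the one most often met in code rather than on paper. As an added illustration (not from the original slides or from the PCI SSC), the Python below shows three techniques PCI DSS requirements 3.3 and 3.4 name for protecting a primary account number (PAN): masking for display (at most the first six and last four digits), a keyed one-way hash (HMAC) usable as a lookup token, and a Luhn-validated scanner that redacts PANs that leak into application logs, which is where the logging demanded by requirement 10 tends to put them. The log lines, the function names and the key are constructed for the example; the card numbers are the publicly documented test PANs, and the 16-digit order number is deliberately not Luhn-valid.

```python
"""PCI DSS requirement 3 helpers: mask, tokenize and redact primary account numbers.

Added example for illustration; not code from the slides or from the PCI SSC.
"""
import hashlib
import hmac
import re
import secrets
from typing import List, Tuple

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not adjacent to other digits (so a 20-digit serial number is not split into a PAN).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real traffic). The card numbers are the
# well-known public test PANs; the 16-digit order number is *not* Luhn-valid.
SAMPLE_LOG = [
    "2015-12-21T10:14:03Z INFO  checkout ok card=4111 1111 1111 1111 amount=19.99 order=1234567890123456",
    "2015-12-21T10:14:09Z ERROR gateway timeout pan=5555555555554444 retry=1",
    "2015-12-21T10:14:10Z INFO  health check ok uptime=864000123",
]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: the cheap filter that separates PANs from other long numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form permitted by PCI DSS 3.3: at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) usable as a lookup token instead of the PAN.

    The key matters: a plain SHA-256 of a 16-digit PAN is brute-forceable, because
    the first six digits (the BIN) are public and the last one is a check digit.
    The key is assumed to live in an HSM or KMS, never beside the hashes."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def redact_line(line: str) -> Tuple[str, int]:
    """Replace every Luhn-valid PAN in a log line with its masked form.

    Returns the redacted line and the number of PANs replaced. Candidates that
    fail the Luhn check (order numbers, counters) are left untouched."""
    found = 0

    def _mask(match: "re.Match[str]") -> str:
        nonlocal found
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(_mask, line), found


def redact_log(lines: List[str]) -> Tuple[List[str], int]:
    """Redact a whole log; the count is what a requirement-10 log review would report."""
    out, total = [], 0
    for line in lines:
        clean, n = redact_line(line)
        out.append(clean)
        total += n
    return out, total


if __name__ == "__main__":
    demo_key = secrets.token_bytes(32)   # constructed for the demo only
    print(mask_pan("4111 1111 1111 1111"))
    print(pan_token("4111-1111-1111-1111", demo_key))
    cleaned, n = redact_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print(f"{n} PAN(s) redacted")
```

The Luhn check is what keeps the scanner useful on a real log: without it, every 13-to-19-digit order number or counter would be "redacted", and operators would soon switch the filter off. The keyed hash, rather than a plain digest, is the point a QSA will probe under 3.4, since the BIN and check digit leave only about nine unknown digits in a 16-digit PAN.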

Page 37:

PCI 12-Requirements

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Page 38:

PCI 12-Requirements

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know policy

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Page 39:

PCI 12-Requirements

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data.

11. Regularly test security systems and processes

Page 40:

PCI 12-Requirements

Maintain an Information Security Policy

12. Maintain a policy that addresses information security

http://www.youtube.com/watch?v=OceYWri86Ts&feature=related

Page 41:

PCI Merchant Levels

There are four compliance-categories based on the volume of transactions by merchants.

Page 42:

PCI Merchant Levels

• L-1: more than 6 million transactions per year.

• L-2: 1 to 6 million transactions per year.

• L-3: 20,000 to 1 million e-commerce transactions per year.

• L-4: fewer than 20,000 e-commerce transactions per year (or up to 1 million transactions in total).

Transaction counts are based on Visa transactions; each card brand publishes its own level definitions.

Page 43:

PCI – Compliance Guide

http://www.pcicomplianceguide.org/pcifaqs.php

Page 44:

PCI - Compliance

• http://www.youtube.com/watch?v=7nF38aYBaTE&feature=related

• http://www.youtube.com/watch?v=JvxxYClGBtA&feature=related

Page 45:

Regulation Summary

If you are better at complying with these rules and regulations you will achieve a higher level of efficiency and effectiveness in your security and privacy programs. (conclusion by Dr. L. Ponemon)