IT Legislation & Regulation CS5493

Information has become a valued asset for commerce and governments; as a result of its value, information is a target for malicious attackers.

Early legislation was designed to create punitive measures against those who gained unauthorized access to data and systems or caused damage to data and systems. Later legislation was designed to target the custodians of information systems and their data.

Computer Fraud & Abuse Act (1984): Establishes punishment for unauthorized or fraudulent access to government computers and electronic data. Amended in 1994 and 1996, and amended again by the Patriot Act. Search the document for "protected computer" and "financial institution".

Computer Security Act (1987): Governs the security and privacy of sensitive information in Federal computer systems and establishes the minimum acceptable security practices for such systems. Requires the creation of computer security plans and the appropriate training of system users and owners. (Read the Background.)

SOX: Sarbanes-Oxley (2002), titled the Public Company Accounting Reform and Investor Protection Act in the Senate and the Corporate and Auditing Accountability and Responsibility Act in the House. SOX contains 11 articles covering regulations for publicly traded companies and private financial companies.

SOX: There is nothing specific in the original SOX concerning IT policies, procedures, best practices, etc. Article 8 addresses criminal penalties for manipulation, destruction, or alteration of financial records (IT professionals should be aware of this).

SOX Section 404: It is the responsibility of management to establish and maintain adequate internal control structures for financial information and reporting.

SOX Section 404: The compliance costs of SOX represent a tax on inefficiency, encouraging companies to centralize and automate their financial reporting systems (an efficient IT infrastructure for maintaining financial records).

PCAOB: The Public Accounting Oversight Board was established by SOX. The PCAOB emphasizes the need for IT controls but provides no details as to what the controls should be.

SOX Efficacy: An FEI study shows that for companies with revenues above 4 billion, the cost attributed to SOX is below 0.04% of revenue. Borrowing costs were lower for companies in compliance with SOX (Iliev 2007). Compliance led to a faster rise in share price (Lord & Benoit 2006).

SOX: Companies with less than $100 million in revenues experienced a higher percentage of cost due to SOX, at 2.55% of revenues. Fewer new companies are registering as publicly traded due to the cost of compliance. Only 22% of surveyed companies believed SOX was of any benefit to them (maybe the larger firms?).

SOX The following has a link to the actual bill: The following has a synopsis of penalties in section 802:

SOX Conclusion

HIPAA: Health Insurance Portability and Accountability Act (1996, amended 2006). Governs how doctors, hospitals, insurance companies, and other health care providers handle personal medical information. All patient information must be handled so as to maintain patient privacy. Patients are empowered to access their own medical records, to petition to correct errors or omissions, and to give informed consent to how their personal medical information is used.

HIPAA: Requires notification of privacy procedures whenever medical information is collected or distributed. Procedures should document instructions for addressing and responding to security breaches that are identified either during an audit or in the normal course of operations.

HIPAA: Controls must govern the introduction and removal of hardware and software from the network. When equipment is retired it must be disposed of properly to ensure that PHI is not compromised. Access to equipment containing health information should be carefully controlled and monitored.

HIPAA: Access to hardware and software must be limited to properly authorized individuals. Required access controls consist of facility security plans, maintenance records, and visitor sign-in and escorts. Policies are required to address proper workstation use: workstations should be removed from high-traffic areas, and monitor screens should not be in direct view of the public.

HIPAA Penalties

HIPAA

GLBA (1999): Gramm-Leach-Bliley Act. Banks and financial institutions must protect the confidentiality and security of client information. They must disclose how private information is gathered on clients and how it is shared, must disclose how private client information is protected, and must disclose privacy policies and procedures upon entering into a contract. Includes a pre-texting provision.

GLBA (read the section on pre-texting).

GLBA Non-Compliance: GLBA noncompliance can mean severe fines and even class-action lawsuits. Institutions can be subject to civil penalties of up to $100,000 for each violation. The officers and directors of the financial institution can be subject to, and personally liable for, a civil penalty of up to $10,000. Imprisonment for up to five years is possible.

GISRA: Government Information Security Reform Act (2000). Establishes accountability: government agency security policies must be submitted to the Office of Management and Budget (OMB), and failure to do so could result in loss of funding.

FISMA (2002): Federal Information Security Management Act. All federal agencies must develop and maintain formal information security programs, covering security awareness efforts, secure access to computer resources, a strict AUP (acceptable use policy), and incident response and contingency planning.

FISMA Compliance: Poor FISMA compliance may result in a requirement to report before Congress, and significant budget-related penalties may be applied.

FERPA (1974): Family Educational Rights and Privacy Act. Covers the privacy of student education records. Applies to all schools receiving any funding from the US Dept. of Education.

Patriot Act (2001): Expands the authority of US law-enforcement agencies to access information that pertains to their investigations.

COPPA: Children's Online Privacy Protection Act (1998). Restricts how information is collected on children under the age of 13. Operators must disclose how they verify consent from a parent or legal guardian. Outlines responsibilities for protecting children's privacy and safety online.

CDSBA: California Database Security Breach Act (2003). Companies must immediately notify their customers if a customer's private information has been compromised. Also limits how financial institutions share personal information of their clients. Similar laws followed and have been enacted in 46 other states.

PCI DSS: Payment Card Industry Data Security Standard. An information security standard for organizations that handle cardholder information: debit cards, credit cards, ATM cards, pre-paid cards, etc.

PCI DSS: Not a law, but guidelines for the payment card industry. Participants include the major card issuers: Amex, Visa, MasterCard, and Discover.

PCI-DSS: PCI-SSC. Defined by the Payment Card Industry Security Standards Council, the standard was created to increase controls around cardholder data and thereby reduce credit card fraud.

PCI DSS: Establishes standards for security management policies and procedures, network architecture, and software design.

PCI Compliance: Validation of compliance is done annually, by an external Qualified Security Assessor (QSA) for organisations handling large volumes of transactions, or by Self-Assessment Questionnaire (SAQ) for companies handling smaller volumes.

PCI QSA: The Qualified Security Assessor designation is conferred by the PCI SSC on those who meet specific information security requirements, including: the QSA must have completed a training program endorsed by the PCI SSC, and the QSA must be an employee of an approved PCI security and auditing firm.

PCI-DSS: 12 Requirements. Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect cardholder data. 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

PCI 12 Requirements. Protect Cardholder Data: 3. Protect stored cardholder data. 4. Encrypt transmission of cardholder data across open, public networks.

PCI 12 Requirements. Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software on all systems commonly affected by malware. 6. Develop and maintain secure systems and applications.

PCI 12 Requirements. Implement Strong Access Control Measures: 7. Restrict access to cardholder data by business need-to-know policy. 8. Assign a unique ID to each person with computer access. 9. Restrict physical access to cardholder data.

PCI 12 Requirements. Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data. 11. Regularly test security systems and processes.

PCI 12 Requirements. Maintain an Information Security Policy: 12. Maintain a policy that addresses information security.

PCI Merchant Levels: There are four compliance categories, based on the volume of transactions processed by a merchant.

PCI Merchant Levels: L-1: more than 6 million transactions per year. L-2: 1 to 6 million transactions per year. L-3: 20,000 to 1 million transactions per year. L-4: fewer than 20,000 transactions per year. Transaction counts are based on Visa transactions.

PCI – Compliance Guide

PCI - Compliance

Regulation Summary: If you are better at complying with these rules and regulations, you will achieve a higher level of efficiency and effectiveness in your security and privacy programs. (Conclusion by Dr. L. Ponemon.)