Information Privacy & PCI DSS
Bill Franklin | Senior IT Auditor | bfranklin@lighthousecs.com
October 28, 2009

Agenda
• Introduction
• Laws, Regulations, Industry Requirements
  – Federal Regulations
  – State Regulations
• BREAK – 20 Minutes
• PCI DSS Example
• AICPA – Generally Accepted Privacy Principles (GAPP)
• Case Studies / Discussion
• Privacy Evaluation
• Next Steps
• Summary

Introduction
Lighthouse IT Compliance Group
Bill Franklin, CISA, CGEIT, QSA
Senior IT Auditor
bfranklin@lighthousecs.com
(978) 821-4863
http://www.lighthouseITCompliance.com

Introduction … Knowledge and Experience
• Highly Experienced Staff (15 to 25 Years in the Industry)
• Certifications Include:
  – CISA – Certified Information Systems Auditor
  – CISSP – Certified Information Systems Security Professional
  – QSA – PCI Qualified Security Assessor
  – ASV – Approved Scanning Vendor
  – CGEIT – Certified in the Governance of Enterprise Information Technology
  – CoBiT® 4 – Control Objectives for Information and related Technology
• Utilize Industry Standard Frameworks and Best Practices Including:
  – CoBiT®
  – ISO
  – ITIL

Introduction
Services Include:
• IT Risk Assessments and Audits
• External and Internal Network Scanning
• Business Continuity Planning / Disaster Recovery
• Training & Education
• PCI Compliance
  – ASV Scanning Solutions
  – QSA Services
  – PCI Remediation
• SAS 70 Preparation
For More Information: www.lighthouseITCompliance.com or www.lighthousecs.com

Data Security
• Privacy – Freedom from Unauthorized Intrusion (Merriam-Webster Dictionary)
• Security (Merriam-Webster Dictionary)
  – Confidentiality – Private, Secret
  – Availability
  – Integrity

Privacy – What is it?
Definition
According to NIST (National Institute of Standards and Technology), information security is defined as “…protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide integrity, confidentiality, and availability.” (http://csrc.nist.gov/, Publication SP800-59)
Privacy focuses on the unauthorized access, use, and disclosure part of the definition – confidentiality.
The definition of privacy/confidentiality for our purposes will be “Ensuring that information is accessible only to those authorized to have access,” as stated by ISO (International Organization for Standardization), http://www.iso.org.

Dangers of Identity Theft
[Slide image]

Types of Risk – Global in a World Made Flat by the Internet
[Compass-style diagram (N/W/E/S); labels: Business, Geographic, Political, Mismanagement, Security Compromise, IT, Planning, Control, Compliance, Monitoring, Remediation, Unintended Events, Malicious Actions (Internal & External), Human Errors, Accidents, Fraud / Social Engineering, Natural Disasters, Hackers / Virus Attacks, Physical Vandalism]

Malicious Risks – Who Would Do That?
[Compass-style diagram (N/W/E/S); labels: Hackers – Viruses (International); Social Engineering (Confidence Man/Woman); External; Internal; Internal and External Team; Employees with access to funds and confidential information]

Data Breaches
• According to Verizon’s 2009 Data Breach Investigations Report, data breach statistics for 2009 closely resemble the stats from 2008
• Data breaches continue to originate from external sources
• Breaches linked to business partners fell for the first time in years
• Breaches caused by insiders are still very high
• The predominance of total records lost was attributed to outsiders
• 91 percent of all compromised records were linked to organized criminal groups

Rules
Privacy – Confidentiality – Security
• Laws
• Regulations
• Requirements

Mitsubishi Corp. (New York, NY) – Sept. 5, 2009
• A Mitsubishi Corp. internet shopping unit lost credit card details on 52,000 customers after its servers were hacked from overseas.
• The company has informed customers and relevant authorities of the leaks and has suspended the Web site until it can improve the system.
• 52,000 records were known to be compromised.
www.privacyrights.org

Analysis of Worst Breaches – June 2009
Dr. Peter Tippett, VP of Technology and Innovation at Verizon Business
A report on actual data from investigations of over 600 cases of computer crime that were the worst in the world:
“The quick, short story for the bank and financial industries this year is they have had an increase in organized crime and they were entirely focused at the financial sector, very focused. We saw an increase in sophisticated tool use. But the good news is that in all of those cases, they got in through some easy way. They got in somewhere on a nonsensitive, non-critical device where the password was password, or where it wasn't patched two years ago, or where it was a little SQL injection attack.”
www.BankInfoSecurity.com

What’s the Difference?
• Law or Legal Requirement
• Government Regulation
• Industry Requirement

Legal Requirement – The LAW (http://dictionary.law.com)
1) Any system of regulations to govern the conduct of the people of a community, society or nation, in response to the need for regularity, consistency and justice based upon collective human experience.
2) A statute, ordinance or regulation enacted by the legislative branch of a government and signed into law, or in some nations created by decree without any democratic process.
Protect Against / Penalties for:
• Fraud
• Embezzlement
• Money Laundering
= Prison Time

Regulations
Rules and administrative codes issued by governmental agencies at all levels: municipal, county, state and federal. Although they are not laws, regulations have the force of law, since they are adopted under authority granted by statutes, and often include penalties for violations.
http://dictionary.law.com

Industry Requirements
Requirements put in place by an industry group by which companies of that industry qualify or certify that they meet a particular standard.
− Certify that an organization meets certain standards to ensure a required level of competence in a particular area
− Individuals and businesses using their products and services can rely on this certification to verify the organization’s competence.

Industry Requirements – What do these pictures have in common?
It’s not just the IT industry that has these requirements:
− Extractive Industry: Mineral & Petroleum (Explosives) – Really important when you’re handling dynamite.
− Manure Management: Beef Cattle Industry – Who knew there were requirements for this?
− PCI DSS: Payment Card Industry Data Security Standard – Here’s something that’s relevant to us.

Remember Your Requirements
− Not only is your business affected by Privacy Laws, Regulations and Requirements …
− You as an Individual and Consumer are affected as well
− Think about YOUR personal information being compromised
− Threats are no longer just Local, they are International

Federal Regulations

GLBA – Gramm-Leach-Bliley Act
This is the nation's first effort to enact restrictions on the sharing and sale of consumers’ personal financial information.

GLBA – Areas of the Organization Affected
• Consumer Compliance
• Information Systems

GLBA
The privacy of consumers' financial information became relevant to regulatory agencies when lawmakers passed the Gramm-Leach-Bliley Act, which was signed into law on November 12th, 1999. The focus of the act was to modernize the nation's financial industries by breaking down barriers between banking and related areas such as securities and insurance.

GLBA
• The GLBA primarily sought to "modernize" financial services – that is, end regulations that prevented the merger of banks, stock brokerage companies, and insurance companies.
• The removal of these regulations, however, raised significant risks that these new financial institutions would have access to an incredible amount of personal information, with no restrictions upon its use.

GLBA
• Prior to GLBA, the insurance company that maintained your health records was distinct from the bank that mortgaged your house and the stockbroker that traded your stocks.
• Once these companies merge, however, they would have the ability to consolidate, analyze and sell the personal details of their customers' lives.

Safe Harbor
• In order to bridge the different privacy approaches and provide a streamlined means for U.S. organizations to comply with the Directive imposed by the European Commission, the U.S. Department of Commerce, in consultation with the European Commission, developed a “Safe Harbor” framework.
• The Safe Harbor – approved by the EU in 2000 – is an important way for U.S. companies to avoid interruptions in their business dealings with the EU or prosecution by European authorities under European privacy laws. Certifying to the Safe Harbor assures EU organizations that your company provides "adequate" privacy protection, as defined by the Directive.

GLBA
• Because of these risks, the GLBA included three simple requirements to protect the personal data of individuals:
1. Banks, brokerage companies, and insurance companies must securely store personal financial information
2. They must advise you of their policies on sharing of personal financial information
3. They must give consumers the option to opt out of some sharing of personal financial information

HIPAA – Health Insurance Portability and Accountability Act
• National health information privacy standards issued by the U.S. Department of Health and Human Services (DHHS), pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
• The HIPAA Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first national standards for protecting the privacy of health information.

HIPAA
• The Privacy Rule regulates how certain entities, called covered entities, use and disclose certain individually identifiable health information, called protected health information (PHI). PHI is individually identifiable health information that is transmitted or maintained in any form or medium (e.g., electronic, paper, or oral), but excludes certain educational records and employment records.

HITECH
• HITECH – Health Information Technology for Economic and Clinical Health Act
• A series of privacy and security provisions that expand the current requirements under HIPAA

HIPAA Information Stolen – October 6, 2009
BlueCross BlueShield Association (Chicago, IL)
• A file containing identifying information for every physician in the country contracted with a Blues-affiliated insurance plan was on a laptop computer stolen from a BlueCross BlueShield Association employee.
• The file included the name, address, tax identification number and national provider identifier number for about 850,000 doctors.
• Some 16% to 22% of those physicians listed – as many as 187,000 – used their Social Security Numbers as a Tax ID or NPI number.
www.PrivacyRights.org

NAIC – National Association of Insurance Commissioners
• The NAIC adopted the Privacy of Consumer Financial and Health Information Model Regulation on September 26, 2000.
• The model regulation was drafted in response to requirements set forth in Title V of the Gramm-Leach-Bliley Act (GLBA). GLBA calls on the state insurance regulators to issue regulations protecting the privacy of insurance consumers’ personal information.
• Importantly, the NAIC model privacy regulation also includes special protections for health information.
The regulation requires insurance companies and agents to get your affirmative consent before sharing health information with any other entity.

Family Educational Rights and Privacy Act (FERPA)
• The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
• FERPA gives parents certain rights with respect to their children's education records. These rights transfer to the student when he or she reaches the age of 18 or attends a school beyond the high school level. Students to whom the rights have transferred are "eligible students."

ID Theft Red Flags … Federal Trade Commission
• The Fair and Accurate Credit Transactions Act (the FACT Act), which amends the Fair Credit Reporting Act (FCRA), establishes numerous requirements that provide protection for the victims of identity theft, provide more information to consumers about credit reports and credit scoring, limit sharing of information with affiliates, and protect consumer medical and other information.
FIGHTING FRAUD WITH THE RED FLAGS RULE – A How-To Guide for Business
http://www.ftc.gov/redflagsrule
http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus23.pdf

ID Theft Red Flags … Overview
The Red Flags Rule sets out how certain businesses and organizations must develop, implement, and administer their Identity Theft Prevention Programs. Your Program must include four basic elements, which together create a framework to address the threat of identity theft.

ID Theft Red Flags … Who Must Comply …
The Red Flags Rule applies to “financial institutions” and “creditors.” The Rule requires you to conduct a periodic risk assessment to determine if you have “covered accounts.” You need to implement a written program only if you have covered accounts.
ID Theft Red Flags … Who Must Comply
It’s important to look closely at how the Rule defines “financial institution” and “creditor” because the terms apply to groups that might not typically use those words to describe themselves. For example, many non-profit groups and government agencies are “creditors” under the Rule. The determination of whether your business or organization is covered by the Red Flags Rule isn’t based on your industry or sector, but rather on whether your activities fall within the relevant definitions.

ID Theft Red Flags …
First, your Program must include reasonable policies and procedures to identify the “red flags” of identity theft you may run across in the day-to-day operation of your business. Red flags are suspicious patterns or practices, or specific activities, that indicate the possibility of identity theft. For example, if a customer has to provide some form of identification to open an account with your company, an ID that looks like it might be fake would be a “red flag” for your business.

ID Theft Red Flags
Second, your Program must be designed to detect the red flags you’ve identified. For example, if you’ve identified fake IDs as a red flag, you must have procedures in place to detect possible fake, forged, or altered identification.
Third, your Program must spell out appropriate actions you’ll take when you detect red flags.
Fourth, because identity theft is an ever-changing threat, you must address how you will re-evaluate your Program periodically to reflect new risks from this crime.

State Regulations

State Privacy Regulations
• The State Security Breach Laws were enacted to protect the confidential personal information of consumers.
• The laws require that, when an individual or a commercial entity that conducts business in a state and owns or licenses computerized data that includes personal information about a resident of that state becomes aware of a breach of the security of its computer system, the business or entity conduct a prompt investigation to determine if personal information has been compromised and assess the risk of misuse.

State Privacy Regulations
• The law also requires the individual or the commercial entity to provide notice as soon as possible to the affected state resident unless the investigation determines that misuse of information about a state resident has not occurred and is not reasonably likely to occur.

State Privacy Regulations
• In addition to Federal regulations, various states are enacting privacy regulations. The following slides provide information on various state privacy legislation.
• Forty-four states, the District of Columbia, Puerto Rico and the Virgin Islands have now enacted legislation requiring that companies and/or state agencies disclose to consumers security breaches involving personal information.

State Privacy Regulations
[Two slide images of state-by-state breach legislation]

Rhode Island Banking & Insurance Protection
CHAPTER 27-58 – The Banking And Insurance Consumer Protection Act
§ 27-58-10 Confidential customer information.
A. As used in this section, unless the context requires otherwise:
  1) "Customer" means a person with an investment, security, deposit, trust, or credit relationship with a financial institution; and
  2) "Nonpublic customer information" means information regarding a person that has been derived from a record of a financial institution, including information concerning the terms and conditions of insurance coverage, insurance expirations, insurance claims, or insurance history of an individual. Nonpublic customer information does not include customer names, addresses or telephone numbers.
B. No financial institution shall use any nonpublic customer information for the purpose of selling or soliciting the purchase of insurance or provide the nonpublic customer information to a third party for the purpose of another's sale or solicitation of the purchase of insurance.

Rhode Island Personal Information
§ 27-58-13 Penalties.
• Any person who violates the provisions of this chapter, or who fails to perform any duties imposed by this chapter, or who violates any administrative regulation promulgated pursuant to this chapter shall be liable for a civil penalty not to exceed the sum of one hundred dollars ($100) for each day which the violation continues, and in addition, may be concurrently enjoined from any further violations by the superior court upon petition of the insurance commissioner.

Rhode Island Financial Information
REGULATION 99 – PRIVACY OF CONSUMER FINANCIAL INFORMATION
A. Purpose. This Regulation governs the treatment of nonpublic personal financial information about individuals by all insurance licensees of the Rhode Island Department of Business Regulation. This Regulation:
  1) Requires a licensee to provide notice to individuals about its privacy policies and practices;
  2) Describes the conditions under which a licensee may disclose nonpublic personal financial information about individuals to affiliates and nonaffiliated third parties; and
  3) Provides methods for individuals to prevent a licensee from disclosing that information.

Rhode Island Financial Information
B. Scope. This Regulation applies to nonpublic personal financial information about individuals who obtain or are claimants or beneficiaries of products or services primarily for personal, family or household purposes from licensees. This Regulation does not apply to information about companies or about individuals who obtain products or services for business, commercial or agricultural purposes.
C. Compliance.
A licensee domiciled in this state that is in compliance with this Regulation in a state that has not enacted laws or regulations that meet the requirements of Title V of the Gramm-Leach-Bliley Act (PL 102-106) may nonetheless be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in the other state.

Rhode Island Health Information
REGULATION 100 – PRIVACY OF CONSUMER HEALTH INFORMATION
A. Purpose. This Regulation governs the treatment of individuals’ nonpublic personal health information by all insurance licensees of the Rhode Island Department of Business Regulation. This Regulation:
  1) Describes the conditions under which a licensee may disclose nonpublic personal health information about individuals to affiliates and nonaffiliated third parties; and
  2) Provides methods for individuals to prevent a licensee from disclosing that information.
B. Scope. This Regulation applies to all nonpublic personal health information.
C. Compliance. An insurance licensee that is in compliance with this regulation may be deemed to be in compliance with Title V of the Gramm-Leach-Bliley Act in a state which has not yet enacted laws or regulations that meet the requirements of Gramm-Leach-Bliley.

Rhode Island Health Information
Section 7 – Relationship to Federal Rules
Irrespective of whether a licensee is subject to the Health Insurance Portability and Accountability Act privacy rule as promulgated by the U.S. Department of Health and Human Services (the “federal rule”), if a licensee complies with all requirements of the federal rule except for its effective date provision, the licensee shall not be subject to the provisions of this Regulation.

Top 10 Tips – Preventing a Security Breach
www.scmagazineus.com – David Hobson, managing director of Global Secure Systems, August 12, 2008
1. Management sets the tone for their organizations by their own behavior. As such, good information practices are obligatory for all stakeholders, not just employees.
2. Be proactive – management should deal with information assurance issues proactively, rather than reactively, as information assurance is far more cost effective in a preventative rather than a remedial context.
3. Information assurance is a business issue, not something extra for IT to handle. IT simply does not have the resources and/or authority to drive information assurance best practices through their organizations.
4. Understand that information assurance is an ongoing process, not an annual event just before the auditors arrive.
5. Information assurance is everyone's job and as such investments in training and awareness programs for all employees are critical.
6. Management should set out the company's expectations with respect to information assurance in clear, accessible policies.
7. The process for dealing with information security incidents should be defined in straightforward and unambiguous procedures.
8. Investments need to be made in technology that will result in the secure transport and processing of information by the company's information technology assets.
9. Suitable best practices should be identified and implemented rather than ad hoc approaches.
10. Expert advice should be sought and used at all times to advise and oversee efforts in respect to information assurance from an experienced and objective third-party perspective.

Fourth Annual US Cost of Data Breach Study
Benchmark Study of Companies
Sponsored by PGP Corporation
Independently conducted by Ponemon Institute LLC
Publication Date: January 2009
www.ponemon.org

Break – 20 Minutes

PCI DSS – Payment Card Industry Data Security Standard
Example Protection of Sensitive Information
Application Can be Applied to More Than Payment Card Data

Who / What Is PCI?
Payment Card Industry Data Security Standard
Global Standard (v1.1 released in 2006; revised standard v1.2 released October 2008)
“The PCI Security Standards Council is an open global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.”
“The PCI Security Standards Council’s mission is to enhance payment account data security by driving education and awareness of the PCI Security Standards.”
“The organization was founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa, Inc.”
https://www.pcisecuritystandards.org/

PCI Security Standards Site
[Screenshot]

What Does PCI DSS Apply To?
Brands:
• MasterCard Worldwide
• Visa, Inc.
• American Express
• Discover Financial Services
• JCB International (Japanese)
Card types:
• Credit Cards
• Debit Cards
• Stored Value / Top Up (Replenished from a Credit or Debit Card)

Cardholder Data – PCI DSS Req. 3.4

| Category | Data Element | Storage Permitted | Protection Required | PCI DSS Req. 3.4 (Render PAN Unreadable Anywhere It Is Stored) |
|---|---|---|---|---|
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes | Yes |
| Cardholder Data | Cardholder Name (1) | Yes | Yes (1) | No |
| Cardholder Data | Service Code (1) | Yes | Yes (1) | No |
| Cardholder Data | Expiration Date (1) | Yes | Yes (1) | No |
| Sensitive Authentication Data (2) | Full Magnetic Stripe (3) | No | N/A | N/A |
| Sensitive Authentication Data (2) | CAV2 / CVC2 / CVV2 / CID | No | N/A | N/A |
| Sensitive Authentication Data (2) | PIN / PIN Block | No | N/A | N/A |

(1) These data elements must be protected if stored in conjunction with the PAN. This protection must be per PCI DSS requirements for general protection of the cardholder environment. Additionally, other legislation (for example, related to consumer personal data protection, privacy, identity theft, or data security) may require specific protection of this data, or proper disclosure of a company's practices if consumer-related personal data is being collected during the course of business. PCI DSS, however, does not apply if PANs are not stored, processed, or transmitted.
(2) Sensitive authentication data must not be stored after authorization (even if encrypted).
(3) Full track data from the magnetic stripe, magnetic image on the chip, or elsewhere.

3 PCI Security Standards …
www.pcisecuritystandards.org/pdfs/pcissc_overview.pdf

3 PCI Security Standards … (1) PED – PIN Entry Devices
Set of requirements and guidelines for vendors of PIN Entry Devices to ensure the security and confidentiality of payment card data.
Devices:
• POS – Point of Sale
• EPP – Encrypting PIN Pad
• AFD – Automated Fuel Dispensers

3 PCI Security Standards … (2) PA-DSS – Payment Application Data Security Standard
“… help software vendors and others develop secure payment applications that do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data, and ensure their payment applications support compliance with the PCI DSS. Payment applications that are sold, distributed or licensed to third parties are subject to the PA-DSS requirements.”
Software:
• Payment – Back Office, Middleware, Switching
• POS – Face to Face, Kiosk
• Shopping Cart / Store Front

3 PCI Security Standards … (3) PCI DSS – Payment Card Industry Data Security Standard
“… a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data.”
Acceptance of Payment Card Data – Process, Transmit, Store
• Merchants – Sell Goods or Services
• Service Providers – Process, Transmit, Store Payment Card Data on Behalf of Another Organization

Who Needs To Comply?
If you handle payment card information:
• Process (Accept)
• Transmit
• Store
Payment Card Transactions:
• Internet
• POS (Point of Sale)
• Phone
• Mail
• Paper (In Person)

Structure
[Diagram]
• Brands – MasterCard, Visa, Amex, Discover, JCB
• PCI Council
• Service Providers
• Acquiring Banks
• Merchants

Levels
Merchant Levels
• Determined by the Brand
• Determines the Method of Compliance
• Determines the Frequency of Compliance
• If a Security Breach Occurs You Are Automatically a Level 1
Service Provider Levels
• Generally a Level 1
• Exceptions for lower volume providers

Merchant Level 1

| Brand | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3) |
|---|---|---|---|---|
| American Express | 2.5 million American Express Card transactions or more per year; any merchant that has had a data incident; any merchant that American Express otherwise deems a Level 1 | Required Annually | Not Required | Required Quarterly |
| Discover | Merchants processing over 6 million Discover Network card transactions annually; any merchant Discover Network determines to be a Level 1; merchants required by another payment brand to validate and report as a Level 1 | Required Annually | Not Required | Required Quarterly |
| JCB | Merchants processing over 1 million JCB transactions annually; compromised merchants | Required Annually | Not Required | Required Quarterly |
| MasterCard | Any merchant, including electronic commerce merchants, with more than 6 million total MasterCard transactions annually; any merchant that experienced a compromise of payment card data; any merchant meeting the Level 1 criteria of a competing payment brand; any merchant that MasterCard, at its sole discretion, determines should meet the Level 1 merchant requirements | Required Annually | Not Required | Required Quarterly |
| Visa | Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; any merchant that experienced a compromise of payment card data; any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system | Required Annually (Attestation of Compliance Form) | Not Required | Required Quarterly |

Merchant Level 2

| Brand | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3) |
|---|---|---|---|---|
| American Express | 50,000 to 2.5 million American Express Card transactions per year | Not Required | Required Annually | Required Quarterly |
| Discover | Merchants processing 1 million to 6 million Discover Network card-not-present only transactions annually; merchants required by another payment brand to validate and report as a Level 2 merchant | Not Required | Required Annually | Required Quarterly |
| JCB | Less than 1 million JCB transactions annually | Not Required | Required Annually | Required Quarterly |
| MasterCard | All merchants with more than one million total MasterCard transactions but less than six million total transactions annually; all merchants meeting the Level 2 criteria of a competing payment brand | Not Required | Required Annually | Required Quarterly |
| Visa | Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year | Not Required | Required Annually (Attestation of Compliance Form) | Required Quarterly |

Merchant Level 3

| Brand | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3) |
|---|---|---|---|---|
| American Express | Less than 50,000 American Express Card transactions per year | Not Required | Required Annually | Required Quarterly |
| Discover | Merchants processing 20,000 to 1 million Discover Network card-not-present only transactions annually; merchants required by another payment brand to validate and report as a Level 3 merchant | Not Required | Required Annually | Required Quarterly |
| JCB | NA | NA | NA | NA |
| MasterCard | All merchants with annual MasterCard e-commerce transactions greater than 20,000 but less than one million total transactions; all merchants meeting the Level 3 criteria of a competing payment brand | Not Required | Required Annually | Required Quarterly |
| Visa | Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year | Not Required | Required Annually | Required Quarterly |

Merchant Level 4 (3)

| Brand | Criteria | Onsite Review (1, 3) | Self Assessment (3) | Network Security Scan (2, 3) |
|---|---|---|---|---|
| American Express | NA | NA | NA | NA |
| Discover | All other Discover Network merchants | Not Required | Recommended Annually | Recommended Quarterly |
| JCB | NA | NA | NA | NA |
| MasterCard | All other merchants | Not Required | Recommended Annually | Recommended Quarterly |
| Visa | Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year | Not Required | Recommended Annually | Recommended Quarterly |

(1) For Level 1 merchants, the annual onsite review may be conducted by either the merchant’s internal auditor or a QSA – Qualified Security Assessor.
(2) To fulfill the network scanning requirement, all merchants must conduct scans on a quarterly basis using an ASV – Approved Scanning Vendor.
(3) Level 4 merchants are required to comply with the PCI Data Security Standard. Level 4 merchants should consult their acquirer to determine if compliance validation is also required.

PCI Validation Change
http://treasuryinstitute.org/blog/index.php?itemid=260
MasterCard Requiring ROC by a QSA for Level 2 Merchants

PCI Compliance Process
[Diagram]

PCI DSS v1.2 – Confidential Information
Substitute your confidential information for the PCI confidential information:
• Social Security Numbers
• Driver's License Numbers
• Account Numbers
• Health Information
• Etc.

PCI DSS v1.2 (6 Areas, 12 Requirements)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored data (electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

PCI DSS Requirements – The Numbers
• 6 Areas
• 12 High Level Requirements
• 62 Detail Level Requirements
• Numerous Sub Requirements

PCI DSS – Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
1.1 – Establish firewall and router configuration standards.
1.2 – Build a firewall configuration that restricts connections between untrusted networks and any system components in the cardholder data environment. Note: An “untrusted network” is any network that is external to the networks belonging to the entity under review, and/or which is out of the entity's ability to control or manage.
1.3 – Prohibit direct public access between the Internet and any system component in the cardholder data environment.
1.4 – Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network.
PCI DSS - Build and Maintain a Secure Network (slide 80)
2.1 - Always change vendor-supplied defaults before installing a system on the network (for example, passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts).
2.2 - Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.3 - Encrypt all non-console administrative access. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 - Shared hosting providers must protect each entity's hosted environment and data. These providers must meet specific requirements as detailed in "Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers."

PCI DSS - Protect Cardholder Data (slide 81)
3. Protect Stored Data (Electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
3.1 - Keep cardholder data storage to a minimum. Develop a data retention and disposal policy. Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes, as documented in the data retention policy.
3.2 - Do not store sensitive authentication data after authorization (even if encrypted).
3.3 - Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 - Render PAN, at minimum, unreadable anywhere it is stored (including data on portable digital media, backup media, and in logs).

PCI DSS - Protect Cardholder Data (slide 82)
3.5 - Protect cryptographic keys used for encryption of cardholder data against both disclosure and misuse.
3.6 - Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
4.2 - Never send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat).

PCI DSS - Maintain a Vulnerability Management Program (slide 83)
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
5.1 - Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 - Ensure that all anti-virus mechanisms are current, actively running, and capable of generating audit logs.
6.1 - Ensure that all system components and software have the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2 - Establish a process to identify newly discovered security vulnerabilities (for example, subscribe to alert services freely available on the Internet). Update configuration standards as required by PCI DSS Requirement 2.2 to address new vulnerability issues.

PCI DSS - Maintain a Vulnerability Management Program (slide 84)
6.3 - Develop software applications in accordance with PCI DSS (for example, secure authentication and logging) and based on industry best practices, and incorporate information security throughout the software development life cycle.
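Requirements 3.3 and 3.4 (slides 80 and 81 above) are the two that most often fail in practice because a PAN leaks into a screen or a log file. Both can be checked mechanically: a display routine that keeps only the first six and last four digits, and a log scan that finds Luhn-valid card numbers that should never have been written in the clear. The Python below is an added example written for this page, not code from the presentation; the log lines are constructed sample data and 4111 1111 1111 1111 is a well-known test number, not a real account.

```python
"""PAN masking (requirement 3.3) and discovery of raw PANs in logs (3.4).

Added example, not from the presentation. The regex and Luhn check together
keep false positives low: a timestamp or order id is not 13 to 19 digits,
and a random 16-digit string fails Luhn nine times out of ten.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True when the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (requirement 3.3)."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _is_pan(digits: str) -> bool:
    return 13 <= len(digits) <= 19 and luhn_valid(digits)


def find_pans(text: str) -> list:
    """Return the Luhn-valid PANs found in free text such as a log line."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if _is_pan(digits):
            found.append(digits)
    return found


def redact_line(line: str) -> tuple:
    """Replace every PAN in a log line with its masked form.

    Returns (redacted_line, count). A non-zero count means cleartext PANs
    reached the log, which violates requirement 3.4 and deserves an alert
    from the daily log review (requirement 10.6).
    """
    count = 0

    def _sub(m):
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if _is_pan(digits):
            count += 1
            return mask_pan(digits)
        return m.group(0)

    return _PAN_CANDIDATE.sub(_sub, line), count


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    "2009-10-28 12:58:00 order=48213 pan=4111-1111-1111-1111 status=approved",
    "2009-10-28 12:58:04 order=48214 ref=1234567890123456 status=declined",
    "2009-10-28 12:58:09 order=48215 pan=411111******1111 status=approved",
]


def scan_log(lines) -> list:
    """Redact a batch of lines and return those that contained a raw PAN."""
    hits = []
    for line in lines:
        redacted, n = redact_line(line)
        if n:
            hits.append(redacted)
    return hits


if __name__ == "__main__":
    for redacted in scan_log(SAMPLE_LOG):
        print("raw PAN found, redacted:", redacted)
```

The second sample line shows why the Luhn check matters: the 16-digit reference number is not a card number and is left alone, so the scan can run over production logs without drowning reviewers in false alarms. The third line is already masked and produces no hit.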
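Requirement 6.3 above asks for security throughout the development life cycle, and 6.5 (next on this slide) for secure coding along the lines of the OWASP guide; the coding defect those guides lead with is SQL injection. The block below is an added example for this page, not code from the presentation: it uses an in-memory SQLite table with constructed rows (masked PANs only, per 3.4) and shows the same lookup written the vulnerable way and the hardened way, so a reviewer can see the difference in behaviour rather than just in style.

```python
"""String-built SQL beside its parameterized form (requirement 6.5).

Added example, not from the presentation. lookup_unsafe() splices the
caller's input into the query text; lookup_safe() binds it as a parameter,
so whatever the input contains it can only ever be compared as data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: only masked PANs are stored (requirement 3.4)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, masked_pan TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, masked_pan) VALUES (?, ?)",
        [
            ("alice@example.com", "411111******1111"),
            ("bob@example.com", "555555******4444"),
        ],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """Vulnerable form: the caller's input becomes part of the SQL text."""
    sql = "SELECT email, masked_pan FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Hardened form: the input is bound as a parameter and is never parsed as SQL."""
    sql = "SELECT email, masked_pan FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def compare_lookups(email: str) -> dict:
    """Run both forms on the same input and report how many rows each returned."""
    conn = make_db()
    try:
        return {
            "unsafe_rows": len(lookup_unsafe(conn, email)),
            "safe_rows": len(lookup_safe(conn, email)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare_lookups("alice@example.com"))   # both forms: 1 row
    print(compare_lookups("x' OR '1'='1"))         # unsafe: 2 rows, safe: 0 rows
```

The point for an assessor is the second call: a string that is not anyone's e-mail address returns every cardholder row from the unsafe lookup and nothing from the safe one. Parameter binding is the control to look for in code review; a web-application firewall (6.6) is the compensating layer in front of it, not a substitute.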
6.4 - Follow change control procedures for all changes to system components.
6.5 - Develop all web applications (internal and external, and including web administrative access to applications) based on secure coding guidelines such as the Open Web Application Security Project Guide. Cover prevention of common coding vulnerabilities in software development processes.

PCI DSS - Maintain a Vulnerability Management Program (slide 85)
6.6 - For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either:
• Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes; OR
• Installing a web-application firewall in front of public-facing web applications.

PCI DSS - Implement Strong Access Control Measures (slide 86)
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
7.1 - Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 - Establish a mechanism for system components with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed.
8.1 - Assign all users a unique ID before allowing them to access system components or cardholder data.

PCI DSS - Implement Strong Access Control Measures (slide 87)
8.2 - In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users:
• Password or passphrase
• Two-factor authentication (for example, token devices, smart cards, biometrics, or public keys)
8.3 - Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. Use technologies such as remote authentication and dial-in service (RADIUS); terminal access controller access control system (TACACS) with tokens; or VPN (based on SSL/TLS or IPSEC) with individual certificates.

PCI DSS - Implement Strong Access Control Measures (slide 88)
8.4 - Render all passwords unreadable during transmission and storage on all system components using strong cryptography (defined in the PCI DSS and PA-DSS Glossary of Terms, Abbreviations, and Acronyms).
8.5 - Ensure proper user authentication and password management for non-consumer users and administrators on all system components.
9.1 - Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
9.2 - Develop procedures to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible.

PCI DSS - Implement Strong Access Control Measures (slide 89)
9.3 - Make sure all visitors are handled as follows:
• Authorized before entering areas where cardholder data is processed or maintained.
• Given a physical token (for example, a badge or access device) that expires and that identifies the visitors as non-employees.
• Asked to surrender the physical token before leaving the facility or at the date of expiration.
9.4 - Use a visitor log to maintain a physical audit trail of visitor activity. Document the visitor's name, the firm represented, and the employee authorizing physical access on the log. Retain this log for a minimum of three months, unless otherwise restricted by law.

PCI DSS - Implement Strong Access Control Measures (slide 90)
9.5 - Store media backups in a secure location, preferably in an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location's security at least annually.
9.6 - Physically secure all paper and electronic media that contain cardholder data.
9.7 - Maintain strict control over the internal or external distribution of any kind of media that contains cardholder data.
9.8 - Ensure management approves any and all media containing cardholder data that is moved from a secured area (especially when media is distributed to individuals).

PCI DSS - Implement Strong Access Control Measures (slide 91)
9.9 - Maintain strict control over the storage and accessibility of media that contains cardholder data.
9.10 - Destroy media containing cardholder data when it is no longer needed for business or legal reasons.

PCI DSS - Regularly Monitor and Test Networks (slide 92)
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
10.1 - Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2 - Implement automated audit trails for all system components to reconstruct the following events:
• All individual user accesses to cardholder data
• All actions taken by any individual with root or administrative privileges
• Access to all audit trails
• Invalid logical access attempts
• Use of identification and authentication mechanisms
• Initialization of the audit logs
• Creation and deletion of system-level objects

PCI DSS - Regularly Monitor and Test Networks (slide 93)
10.3 - Record at least the following audit trail entries for all system components for each event:
• User identification
• Type of event
• Date and time
• Success or failure indication
• Origination of event
• Identity or name of affected data, system component, or resource
10.4 - Synchronize all critical system clocks and times.
10.5 - Secure audit trails so they cannot be altered.

PCI DSS - Regularly Monitor and Test Networks (slide 94)
10.6 - Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers (for example, RADIUS). Note: Log harvesting, parsing, and alerting tools may be used to meet compliance with Requirement 10.6.
10.7 - Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from back-up).
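Requirement 8.4 (slide 88 above) says passwords must be unreadable in storage using strong cryptography, and 8.5 asks for proper password management. The block below is an added example for this page, not code from the presentation: it stores a per-user random salt and a PBKDF2-HMAC-SHA256 digest instead of the password, compares in constant time, and adds a small policy check. The iteration count and the specific policy limits (minimum length seven, letters plus digits, no reuse of a previous password) are assumptions chosen for illustration, not values quoted from the slide.

```python
"""Password storage with a salted, iterated hash (requirement 8.4).

Added example, not from the presentation. The stored string carries the
algorithm name, iteration count and salt, so the parameters can be raised
later without invalidating existing records.
"""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: tune upward as hardware allows


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' with base64 pieces."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def password_policy_violations(password: str, history: list) -> list:
    """Return the rules a new password breaks (illustrative 8.5-style policy).

    `history` holds previously stored hash strings for the same user, so
    reuse is checked without ever keeping old passwords in the clear.
    """
    problems = []
    if len(password) < 7:                       # assumed minimum length
        problems.append("shorter than 7 characters")
    if not any(c.isdigit() for c in password) or not any(c.isalpha() for c in password):
        problems.append("must contain both letters and digits")
    if any(verify_password(password, old) for old in history):
        problems.append("reuses a previous password")
    return problems


if __name__ == "__main__":
    record = hash_password("Winter2009x")      # what the user table stores
    print(record)
    print(verify_password("Winter2009x", record))   # True
    print(password_policy_violations("short1", []))  # ['shorter than 7 characters']
```

Note that nothing in the stored record reveals the password, and two users with the same password get different records because of the random salt; an assessor checking 8.4 can confirm both properties by inspecting the user table alone.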
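Requirements 10.2, 10.3, 10.5 and 10.6 above say what an audit trail must capture, that it must not be alterable, and that it must be reviewed at least daily. The block below is an added example for this page, not code from the presentation: each record carries the six entries listed under 10.3, records are chained with SHA-256 so that editing, inserting or deleting an earlier entry breaks verification, and a review helper flags repeated failed logons from one origin (an "invalid logical access attempt" under 10.2). All events and addresses are constructed sample data.

```python
"""Audit-trail records with the 10.3 fields and a tamper-evident hash chain.

Added example, not from the presentation. Chaining is a software control
for requirement 10.5; in production it complements, not replaces, writing
the trail to a separate log server that application hosts cannot modify.
"""
import hashlib
import json
from collections import Counter
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value of the very first record


def make_record(prev_hash: str, user: str, event: str, when: str,
                success: bool, origin: str, target: str) -> dict:
    """Build one audit record; its hash covers the previous hash and all fields."""
    body = {
        "user": user,            # 10.3: user identification
        "event": event,          # 10.3: type of event
        "time": when,            # 10.3: date and time (UTC; 10.4 assumes synced clocks)
        "success": success,      # 10.3: success or failure indication
        "origin": origin,        # 10.3: origination of event
        "target": target,        # 10.3: affected data, component or resource
        "prev": prev_hash,
    }
    serialized = json.dumps(body, sort_keys=True, separators=(",", ":"))
    body["hash"] = hashlib.sha256(serialized.encode()).hexdigest()
    return body


def verify_chain(records: list) -> bool:
    """Recompute every hash; any edit, insertion or deletion breaks the chain."""
    prev = GENESIS
    for rec in records:
        if rec["prev"] != prev:
            return False
        body = {k: v for k, v in rec.items() if k != "hash"}
        serialized = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256(serialized.encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def failed_logon_origins(records: list, threshold: int = 3) -> dict:
    """Daily-review helper: origins with at least `threshold` failed logons."""
    counts = Counter(r["origin"] for r in records
                     if r["event"] == "logon" and not r["success"])
    return {origin: n for origin, n in counts.items() if n >= threshold}


def sample_trail() -> list:
    """Constructed events: one admin config change and a burst of failed logons."""
    events = [
        ("jdoe",  "logon",  True,  "10.0.5.21",   "pos-app-01"),
        ("root",  "config", True,  "10.0.5.21",   "/etc/pos/app.conf"),
        ("guest", "logon",  False, "203.0.113.7", "pos-app-01"),
        ("guest", "logon",  False, "203.0.113.7", "pos-app-01"),
        ("admin", "logon",  False, "203.0.113.7", "pos-app-01"),
    ]
    trail, prev = [], GENESIS
    for i, (user, event, ok, origin, target) in enumerate(events):
        when = datetime(2009, 10, 28, 12, i, tzinfo=timezone.utc).isoformat()
        rec = make_record(prev, user, event, when, ok, origin, target)
        trail.append(rec)
        prev = rec["hash"]
    return trail


if __name__ == "__main__":
    trail = sample_trail()
    print("chain intact:", verify_chain(trail))
    print("suspicious origins:", failed_logon_origins(trail))
```

Every record answers the six questions 10.3 asks (who, what, when, did it succeed, from where, against what), which is also exactly the set an incident responder needs when reconstructing a breach under 12.9.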
PCI DSS - Regularly Monitor and Test Networks (slide 95)
11.1 - Test for the presence of wireless access points by using a wireless analyzer at least quarterly or deploying a wireless IDS/IPS to identify all wireless devices in use.
11.2 - Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades). Note: Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by the Payment Card Industry Security Standards Council (PCI SSC). Scans conducted after network changes may be performed by the company's internal staff.

PCI DSS - Regularly Monitor and Test Networks (slide 96)
11.3 - Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification (such as an operating system upgrade, a sub-network added to the environment, or a web server added to the environment). These penetration tests must include the following:
• Network-layer penetration tests
• Application-layer penetration tests
11.4 - Use intrusion detection systems and/or intrusion prevention systems to monitor all traffic in the cardholder data environment and alert personnel to suspected compromises. Keep all intrusion detection and prevention engines up-to-date.

PCI DSS - Regularly Monitor and Test Networks (slide 97)
11.5 - Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly. Note: For file-integrity monitoring purposes, critical files are usually those that do not regularly change, but the modification of which could indicate a system compromise or risk of compromise. File-integrity monitoring products usually come pre-configured with critical files for the related operating system. Other critical files, such as those for custom applications, must be evaluated and defined by the entity (that is, the merchant or service provider).

PCI DSS - Maintain an Information Security Policy (slide 98)
12. Maintain a policy that addresses information security for employees and contractors
12.1 - Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
• Addresses all PCI DSS requirements.
• Includes an annual process that identifies threats and vulnerabilities, and results in a formal risk assessment.
• Includes a review at least once a year and updates when the environment changes.
12.2 - Develop daily operational security procedures that are consistent with requirements in this specification (for example, user account maintenance procedures, and log review procedures).

PCI DSS - Maintain an Information Security Policy (slide 99)
12.3 - Develop usage policies for critical employee-facing technologies (for example, remote access technologies, wireless technologies, removable electronic media, laptops, personal data/digital assistants (PDAs), e-mail usage and Internet usage) to define proper use of these technologies for all employees and contractors.
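Requirement 11.5 (slide 97 above) is the file-integrity control: baseline the critical files, compare at least weekly, and alert on anything that changed. The block below is an added example for this page, not code from the presentation and not any FIM product's own logic; it shows the mechanism those products implement. It builds a SHA-256 digest per file, then reports files modified, added or removed since the baseline. The sample tree and the "unauthorized change" are constructed in a temporary directory so the example runs offline.

```python
"""File-integrity baseline and comparison (requirement 11.5).

Added example, not from the presentation. baseline() records a digest for
every file under a root; compare() turns two baselines into the change list
an operator reviews. In real use the baseline is stored off-host, otherwise
whoever modified the files can also modify the baseline.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large files need no extra memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Map each file under root (path relative to root, '/'-separated) to its digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare(old: dict, new: dict) -> dict:
    """Return the changes an operator must review, grouped by kind."""
    return {
        "modified": sorted(p for p in old if p in new and old[p] != new[p]),
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
    }


def demo() -> dict:
    """Constructed scenario: baseline, then alter one config file and add a file."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.conf"), "w") as f:
            f.write("log_level=info\n")
        with open(os.path.join(root, "etc", "hosts.allow"), "w") as f:
            f.write("ALL: 10.0.5.0/24\n")
        before = baseline(root)

        # Simulated unauthorized changes between two weekly comparisons.
        with open(os.path.join(root, "etc", "app.conf"), "a") as f:
            f.write("log_level=debug\n")
        with open(os.path.join(root, "etc", "rc.local"), "w") as f:
            f.write("#!/bin/sh\n")
        after = baseline(root)

        return compare(before, after)


if __name__ == "__main__":
    print(demo())   # {'modified': ['etc/app.conf'], 'added': ['etc/rc.local'], 'removed': []}
```

The note on the slide about which files count as critical maps directly onto the `root` argument: an entity decides which directories of its custom applications go into the baseline, and the comparison then does the rest.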
12.4 - Ensure that the security policy and procedures clearly define information security responsibilities for all employees and contractors.

PCI DSS - Maintain an Information Security Policy (slide 100)
12.5 - Assign to an individual or team the following information security management responsibilities:
• Establish, document, and distribute security policies and procedures.
• Monitor and analyze security alerts and information, and distribute to appropriate personnel.
• Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
• Administer user accounts, including additions, deletions, and modifications.
• Monitor and control all access to data.

PCI DSS - Maintain an Information Security Policy (slide 101)
12.6 - Implement a formal security awareness program to make all employees aware of the importance of cardholder data security. Educate employees upon hire and at least annually. Require employees to acknowledge at least annually that they have read and understood the company's security policy and procedures.
12.7 - Screen potential employees (see definition of "employees" at 9.2 above) prior to hire to minimize the risk of attacks from internal sources. For those employees such as store cashiers who only have access to one card number at a time when facilitating a transaction, this requirement is a recommendation only.

PCI DSS - Maintain an Information Security Policy (slide 102)
12.8 - If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers, to include the following:
• Maintain a list of service providers
• Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess
• Ensure there is an established process for engaging service providers including proper due diligence prior to engagement
• Maintain a program to monitor service providers' PCI DSS compliance status
12.9 - Implement an incident response plan. Be prepared to respond immediately to a system breach.

PCI DSS v 1.2 (6 Areas, 12 Requirements) (slide 103)
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect Stored Data (Electronic)
4. Encrypt transmission of cardholder and sensitive information across public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software
6. Develop and Maintain Secure Systems and Applications
Implement Strong Access Control Measures
7. Restrict access to data by business need-to-know
8. Assign unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors

QSA Audit Process (slide 104)
QSA - Qualified Security Assessor
SAQ - Self Assessment Questionnaire
ROC - Report On Compliance

External ASV Scanning Process (slide 105)
ASV - Approved Scanning Vendor

Scoring Results (slide 106)
Pass or Fail

Areas to Assess (slide 107)
• Business Process - Flow of Payment Card Data
• Wireless, Email, Encryption
• Third Party Applications Run In-House
• Proprietary Applications
• Network Segmentation
• Third Parties / Outsourcing
• Compensating Controls
• Documentation, Documentation, Documentation

Common Weaknesses … (slide 108)
• Firewall and Router Configuration Documentation
• Change Management Policy and Procedures
• Firewalls and Routers In General
• Information Security Program
• Lack of Annual Overall IT Risk Assessment and Remediation

Common Weaknesses … (slide 109)
• Lack of Quarterly External Vulnerability Scan with an ASV
  - Patches
  - Upgrades
• Lack of Quarterly Internal Vulnerability Scan
  - Open Ports
  - Unnecessary Services
• Lack of Penetration Tests for Networks and Applications

Common Weaknesses … (slide 110)
• No DMZ (Demilitarized Zone) For Web Applications Processing Payment Card Data

Common Weaknesses (slide 111)
• Encryption of Cardholder Data
  - In Storage (PCI DSS 3.4)
  - During Transmission
  - Encryption Key Management
• PCI DSS Section 6 - Biggest Change in PCI DSS 1.2
  - Application Firewall
  - Thorough Application Testing
  - Hackers are focusing more on Applications
• Lack of Documentation

Penalties (slide 112)
• Fines of up to $25,000 per month for Level 1 and Level 2 Merchants
• Increased Transaction Fees
• Possible Revocation of Privilege to Accept Payment Cards
• In the Case of a Security Breach:
  - Responsible for full-scale forensic investigation and remediation costs
  - Must obtain PCI DSS Level 1 Compliance to continue accepting payment cards
  - Possible Cost of Reissuing Cards incurred by Banks, Credit Unions, etc…
  - Lack of consumer trust due to confidential data disclosures harming the organization's reputation and brand

PCI DSS Summary (slide 113)
• PCI Council is put together by the Brands (Visa, MC, AMEX, Discover, JCB)
• PCI Council Determines the Standards
  - Global Standard
• Acquiring Banks enforce the standard
  - Determine Levels and Reporting Requirements
• 2 Parts to the PCI DSS Audit
  - Full Audit by a QSA (Qualified Security Assessor)
  - SAQ (Self Assessment Questionnaire)
  - External Scan By an ASV (Approved Scanning Vendor)
  - PASS or FAIL

The Challenge (slide 114)

The Challenge - Sustainability (slide 115)
Address Compliance and Create Sustainability
• Improve
• Sustain Compliance
• Prepare For Audit
• Test And Remediate
• The Wall

Integrated Governance Framework (slide 116)
Diagram: Requirements 1, 2, 3 … n from PCI DSS, State Privacy, ID Theft Red Flags, NAIC, GLBA and HIPAA map to Control Solutions 1 through n. IT Controls Address Multiple Requirements. Map Regulatory and Standard Requirements to IT Controls. IT Integrated Framework Solution (CobiT® 4.1, NIST, ISO 27002, ITIL). LEVERAGE.

AICPA (slide 117)
American Institute Of Certified Public Accountants

AICPA - Generally Accepted Privacy Principles (GAPP) (slide 118)
Principle 1: Management. This principle requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.
Principle 2: Notice. This principle requires that the entity provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained, and disclosed.
Principle 3: Choice and Consent. This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.

AICPA - Generally Accepted Privacy Principles (GAPP) (slide 119)
Principle 4: Collection. This principle requires that the entity collect personal information only for the purposes identified in the notice.
Principle 5: Use and Retention. This principle requires that the entity limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.
Principle 6: Access. This principle requires that the entity provide individuals with access to their personal information for review and update.

AICPA - Generally Accepted Privacy Principles (GAPP) (slide 120)
Principle 7: Disclosure to Third Parties. This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.
Principle 8: Security for Privacy. This principle requires that the entity protect personal information against unauthorized access (both physical and logical).
Principle 9: Quality. This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice.
Principle 10: Monitoring and Enforcement. This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

Case Study Review (slide 121)

Network Solutions (Herndon, VA), July 24, 2009 (slide 122)
• 573,000 records
• Hackers have broken into Web servers owned by domain registrar and hosting provider Network Solutions, planting rogue code that resulted in the compromise of more than 573,000 debit and credit card accounts over the past three months.
• Network Solutions discovered that attackers had hacked into Web servers the company uses to provide e-commerce services (a package that includes everything from Web hosting to payment processing) to at least 4,343 customers, mostly mom-and-pop online stores.
• The malicious code left behind by the attackers allowed them to intercept personal and financial information for customers who purchased from those stores.

American Express (New York, NY), August 14, 2009 (slide 123)
• Unknown number of records
• Some American Express card members' accounts may have been compromised by an employee's recent theft of data.
• The former employee has been arrested and the company is investigating how the data was obtained.
• American Express declined to disclose any more details about the incident.
• The company has put additional fraud monitoring and protection controls on the accounts at issue.

Individual Business Owner, October 18, 2009 (slide 124)
• Phishing Email Sent to intercept email

From: alert@dddd.com [mailto:alert@dddd.com]
Sent: Monday, October 19, 2009 12:58 PM
To: xxxxxxx.xxxxx@dddd.com
Subject: The settings for the xxxxxxx.xxxxx@dddd.com mailbox were changed

Dear user of the dddd.com mailing service!
We are informing you that because of the security upgrade of the mailing service your mailbox (xxxxxxx.xxxxx@dddd.com) settings were changed. In order to apply the new set of settings click on the following link:
<http://dddd.com.vvverfq.co.uk/owa/service_directory/settings.php?email=xxxxxxxx.xxxxx@dddd.com&from=dddd.com&fromname=xxxxxxxx.xxxxx> http://dddd.com/owa/service_directory/settings.php?email=xxxxxxxx.xxxxx@dddd.com&from=dddd.com&fromname=xxxxxxxx.xxxxx
Best regards,
dddd.com Technical Support.

University of California Berkeley School of Journalism (Berkeley, CA), May 7, 2009 (slide 125)
• 493 records
• Campus officials discovered during a computer security check that a hacker had gained access to the journalism school's primary Web server.
• The server contained much of the same material visible on the public face of the Web site.
• However, the server also contained a database with Social Security numbers and/or dates of birth belonging to 493 individuals who applied for admission to the journalism school between September 2007 and May 2009.

Johns Hopkins (Baltimore, MD), May 12, 2009 (slide 126)
• 10,000 Records Compromised
• An investigation suggests a former employee who worked in patient registration may have been linked to a scheme to create fake drivers' licenses in Virginia.
• The employee had access to information such as name, address, telephone number, mother's and father's names, dates of birth and Social Security numbers, but not to any health or medical information.

Maine Office of Information Technology, June 4, 2009 (slide 127)
• Through a printing error, 597 people receiving unemployment benefits last week got direct-deposit information including Social Security numbers belonging to another person.
• "We received a print job and were running it, and there was an equipment malfunction," Thompson said.
• "In restarting the piece of equipment, a mistake was made and it started one page off. It was an error and our quality assurance didn't pick it up."
• Recipients received one page with their own information and another page with information belonging to a different person.

Quick Privacy Evaluation (slide 128)

Privacy Evaluation Handout (slide 129)
Are the Businesses You Frequent or Work for Exposing You to an Identity Thief?
Assign 1 point for each NO answer. Each item illustrates what businesses can do to prevent identity theft. If they are not, it may be time for you to speak up. If you weren't sure of some of the answers, perhaps you should be asking more questions at work and where you do business. It's your responsibility to be an ID-theft-aware consumer as well.
The Higher the Score, the More Risk
www.onguardonline.gov/games/overview.aspx

Next Steps … (slide 130)
Assess, Prioritize, Classify, Training, Monitor

Next Steps … 1. Privacy Assessment / Audit (slide 131)
• The first step is to assess the organization
• Use frameworks such as CoBiT, ISO, ITIL
• Review Policies
• Interview Staff
• Walkthroughs / Observation
• Understand the organization and the types of data in the organization

Next Steps … 2. Prioritize Gaps (slide 132)
• Prioritize highest risks to be remediated
• Remediate issues
• Create/update policies and procedures
• Implement solutions to mitigate risks

Next Steps … 3. Data Classification (slide 133)
• The data in the organization must be classified, Public to Private
• As the Privacy requirements increase, so do the Security requirements
• Classify all types of data in the organization

Next Steps … 4. Perform Privacy Training (slide 134)
• Create/Acquire Privacy Training for the organization
• Integrate Training with Company Policies
• Consider Training options – Onsite – Online – Mix of Both
• Train the entire Staff – On-Going

Next Steps … 5. Monitor (slide 135)
• Monitor all facets of the program
• Evaluate new threats and changes to IT and Business
• Update policies, procedures & training
• Continue to improve, ongoing

Summary - Be Smart (slide 136)
$$ Educate – (free webinars)
$$ Implement a repeatable process / framework
$$ Perform a Risk Assessment – Not just a Gap Analysis
$$ Common Policies and Procedures that comply with PCI DSS, GLBA, FERPA, HIPAA, State Privacy, etc…

Summary - Be Smart (slide 137)
$$ Regular External and Internal Vulnerability Scans (reduced pricing for extended years)
$$ Leverage Outsourcing (Co-ops etc…)
$$ Identify what you can do
$$ Ask yourself: "Do we really need to store this information?", and "Who really needs this access?"

Research Sources (slide 138)
• Federal Trade Commission www.ftc.gov
• The Federal Financial Institutions Examination Council (FFIEC) www.ffiec.gov
• The AICPA's Information Technology Center http://www.aicpa.org
• ISACA www.isaca.org
• Maine Legislature www.maine.gov
• Identity Theft Resource Site www.IDtheft.gov
• Privacy Rights Organization www.privacyrights.org

Questions? Thank You! (slide 139)
Bill Franklin
Lighthouse IT Compliance Group
bfranklin@lighthousecs.com
978-821-4863