Regulatory Compliance and You

WHO PUT ALL THESE REGULATIONS ON ME? WHAT IS A PERSON TO DO? WHERE DO I GO FROM HERE? WHEN DID THIS GET SO COMPLICATED? WHY DO I HAVE TO DO THIS?

HELLO
Judi Ellis, EDMC Security Architect, CGEIT, CISM, CRISC
jjpineridge@zoominternet.net
Experience:
• PNC
• Highmark
• KPMG
• CMRI
• NCFTA
• e-Profile
• Jefferson Wells

Overview
• Control Standards
• Frameworks
• Regulations
• Measurement
• Bringing it all together

Control Standards
ISO 27001, Basel II, CoBIT, SEC, ITIL, FFIEC, FISMA, CIS, NIST, FDCC, CIS (Center for Internet Security), COSO, AES (Advanced Encryption Standard), SANS, BS 1799

Regulations
HIPAA, FERPA, SOX 404/302, Red Flags, PCI-DSS, HiTECH, Title IV, ACH, GLBA, NACHA, US Patriot Act, PII Laws, FLSA, Safe Harbor, Can Spam, COPA

Frameworks
"Armed robbery, eh? I'm in for being out of compliance with Federal Guidelines."

ISO 2700*
Formally known as ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems (ISMS) – Requirements, this is an information security management system standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard is derived from British standard 1799, and for that reason it is frequently cited as ISO 17799. It is intended to be used in conjunction with ISO/IEC 27002, the Code of Practice for Information Security Management, which delineates security control objectives and recommends a range of specific security controls.
Adopt an all-encompassing management process to ensure that all information security controls meet information security needs on an ongoing basis.

FISMA-NIST
The Federal Information Security Management Act of 2002 (FISMA) is a Federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act was designed to bolster computer and network security within the federal government and affiliated parties (such as recipients of Federal monies and government contractors) by mandating yearly information security audits. FISMA establishes:
• Standards for categorizing information and information systems by mission impact
• Standards for minimum security requirements for information and information systems
• Guidance for selecting appropriate security controls for information systems
• Guidance for assessing security controls in information systems
• Guidance for security authorization of information systems
• Guidance for monitoring the security controls and security authorization of systems

NIST References
NIST publications include the following key security-related documents:
• FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems
• FIPS Publication 200, Minimum Security Requirements for Federal Information and Federal Information Systems
• NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems
• NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems
• NIST Special Publication 800-37 Revision 1, Guide for Security Authorization of Federal Information Systems: A Security Lifecycle Approach
• NIST Special Publication 800-39, NIST Risk Management Framework
• NIST Special Publication 800-53 Revision 2, Recommended Security Controls for Federal Information Systems
• NIST Special Publication 800-53A, Guide for Assessing the Security Controls in Federal Information Systems
• NIST Special Publication 800-59, Guide for Identifying an Information System as a National Security System
• NIST Special Publication 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories

PCI-DSS
Payment Card Industry Data Security Standard. PCI DSS is a worldwide security standard established through the Security Standards Council (SSC) in 2006 by:
• American Express
• Discover Financial Services
• JCB International
• MasterCard Worldwide
• Visa
The PCI security standards are technical and operational requirements placed on organizational entities that process card payments, to prevent credit card fraud and hacking and to mitigate other security vulnerabilities and threats. The standards apply to all organizations that store, process or transmit cardholder data, which obviously includes an increasingly large number of state agencies transacting with businesses, with citizens, and with other government entities.

PCI-DSS
The following are the six primary control areas comprising the Payment Card Industry security standard:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy

CoBIT
Control Objectives for Information and related Technology (COBIT) is an open, international standard originally published in 1996 by the IT Governance Institute and the Information Systems Audit and Control Association (ISACA). COBIT is a set of best practices for information technology designed to provide managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices. It assists in maximizing the benefits derived through the use of information technology and develops appropriate IT governance and control for private-sector companies or public agencies. The COBIT Framework is organized into four domains, thirty-four high-level control objectives, and 318 detailed control objectives. The framework follows a general plan-do-check-act structure.

CoBIT – Four Domains
• Plan and Organize
• Acquire and Implement
• Deliver and Support
• Monitor and Evaluate

CoBIT – Plan and Organize
• P01 Define a strategic IT plan.
• P02 Define the information architecture.
• P03 Determine technological direction.
• P04 Define the IT processes, organization, and relationships.
• P05 Manage the IT investment.
• P06 Communicate management aims and direction.
• P07 Manage IT human resources.
• P08 Manage quality.
• P09 Assess and manage IT risks.
• P10 Manage projects.

CoBIT – Acquire and Implement
• AI1 Identify automated solutions.
• AI2 Acquire and maintain application software.
• AI3 Acquire and maintain technology infrastructure.
• AI4 Enable operation and use.
• AI5 Procure IT resources.
• AI6 Manage changes.
• AI7 Install and accredit solutions and changes.

CoBIT – Deliver and Support
• DS1 Define and manage service levels.
• DS2 Manage third-party services.
• DS3 Manage performance and capacity.
• DS4 Ensure continuous service.
• DS5 Ensure systems security.
• DS6 Identify and allocate costs.
• DS7 Educate and train users.
• DS8 Manage service desk and incidents.
• DS9 Manage the configuration.
• DS10 Manage problems.
• DS11 Manage data.
• DS12 Manage the physical environment.
• DS13 Manage operations.

CoBIT – Monitor and Evaluate
• ME1 Monitor and evaluate IT performance.
• ME2 Monitor and evaluate internal control.
• ME3 Ensure regulatory compliance.
• ME4 Provide IT governance.

Regulations
"I've been here for so long I don't remember what I did, but it had something to do with non-compliance."

SAS-70
Statement on Auditing Standards No. 70 (SAS-70), Service Organizations, is an auditing standard created by the American Institute of Certified Public Accountants (AICPA) in 1992. SAS 70 defines standards used by auditors to assess the internal controls of service organizations and prepare service auditor's reports. Service organizations are entities providing services that impact the control environment of their customers. Examples of service organizations are insurance and medical claims processors, trust companies, hosted data centers, application service providers (ASPs), managed security providers, credit processing organizations and clearinghouses.

SAS-70
Auditors follow AICPA standards for fieldwork, quality control and reporting, and issue a formal report to the service provider that includes the auditor's opinion once the audit is completed. SAS-70 audits consist of two types. A Type I audit assesses the service organization's description of controls placed in operation and the suitability of the design of the controls to achieve the specified control objectives, as the latter are defined by the service provider. A Type II service auditor's report includes the information contained in a Type I service auditor's report and also includes the service auditor's opinion on whether the specific controls were operating effectively during the period under review.
Recently replaced by SSAE-16 (6/2011), which has more of an international presence and is broadly accepted in accordance with ISAE 3402.

HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the Federal government in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers, with the overall goals of protecting the privacy and security of health information and promoting the efficiency of the health care industry through use of standardized electronic transactions. It requires covered entities to protect the privacy and security of an individual's health information.

HIPAA
HIPAA's Security Rule covers health plans, healthcare clearinghouses, and healthcare providers. Health plans are defined as any individual or group plan that provides or pays the cost of health care, which includes the Medicare and Medicaid programs operated at the state and federal levels. The Rule establishes three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, various security standards are identified, and for each standard, both required and addressable implementation specifications are delineated. The rule includes eighteen standards that cover thirty-six implementation specifications.

HIPAA
Required specifications must be adopted and administered as dictated by the rule. Addressable specifications are more flexible. The Centers for Medicare and Medicaid Services defines the following steps for complying with the Security Rule:
• Assess current security, risks, and gaps
• Develop an implementation plan
• Review the Security Rule standards and specifications
• Review addressable implementation specifications
• Determine security measures
• Implement solutions
• Document decisions
• Reassess periodically
The Security Rule required covered entities to be in compliance with the rule no later than April 2005, though smaller health plans were given an additional year to comply.

HIPAA (Privacy Rule)
The HIPAA Privacy Rule establishes a set of national standards that address the use and disclosure of individuals' health information (called PHI, Personal Health Information) by organizations called "covered entities", as well as standards for individuals' privacy rights to understand and control how their health information is used.
Thank you OCR (Office of Civil Rights).
A major goal of the Privacy Rule is to assure that PHI is properly protected while permitting appropriate uses of the information and protecting the privacy of the individual.

HIPAA
HIPAA was passed in 1996, yet it wasn't until 2/4/2011 that the first HIPAA violation resulted in a fine: $4.3 m against Maryland healthcare provider Cignet for the failure to provide 41 patients with copies of their medical records. HIPAA did not have teeth until HiTech came along and provided enforcement and penalties.
http://threatpost.com/en_us/blogs/hipaa-bares-its-teeth-43m-fine-privacy-violation-022311

FERPA
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education. Schools or public agencies that receive student data may disclose, without consent, "directory" information such as a student's name, address, telephone number, date and place of birth, honors and awards, and dates of attendance. However, schools or agencies must tell parents and eligible students about directory information and allow parents and eligible students a reasonable amount of time to request that the school not disclose directory information about them. Schools must notify parents and eligible students annually of their rights under FERPA. Education records must not be disclosed and must be protected.

SOX
The Sarbanes-Oxley Act (SOX) was enacted by the Federal government in 2002 in response to a number of major corporate and accounting scandals, most prominently that of the Enron Corporation. SOX establishes new, enhanced standards for all U.S. public companies, and though as such it is not directed at government, it has nonetheless had a significant impact on internal accounting controls in public agencies through its focus on management oversight of how fiscal information within agencies is created, accessed, stored, processed, and transmitted within automated as well as manual record systems.

SOX
Among the Act's principal reforms are these elements:
• Creation of an independent public company accounting oversight board
• A heightened level of corporate governance and responsibility measures
• Expanded corporate, financial, and insider disclosure requirements, and
• A range of new penalties for fraud and other violations.

Measurements
As-Is Assessment
Where do I start?
• Come up with the Plan
• Assessment
• Measurement
• Identify Gaps
• Plan of Attack
What regulations do I need to follow? Where am I today? Where are my gaps? What do I need to do? I need a plan. I need to get started. How do I start? What do I do? How do I do this? Where do I need to be to pass an audit?
• Work your plan
• Assessment
• Measurement
• Identify Gaps
• Readjust your plan
• Assessment
• Measurement
• Identify Gaps

Plan – ISMS (Information Security Management System)

Assessment – Getting Started
• Choose a tool: SANS, CMS, Big 4, NIST, ISO…

OCTAVE
OCTAVE® (Operationally Critical Threat, Asset, and Vulnerability Evaluation℠) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning.

OCTAVE Methods
There are three OCTAVE methods:
• the original OCTAVE method, which forms the basis for the OCTAVE body of knowledge
• OCTAVE-S, for smaller organizations
• OCTAVE-Allegro, a streamlined approach for information security assessment and assurance
OCTAVE methods are founded on the OCTAVE criteria, a standard approach for a risk-driven and practice-based information security evaluation. The OCTAVE criteria establish the fundamental principles and attributes of risk management that are used by the OCTAVE methods.

Features and benefits of OCTAVE methods
The OCTAVE methods are:
• self-directed: small teams of organizational personnel across business units and IT work together to address the security needs of the organization.
• flexible: each method can be tailored to the organization's unique risk environment, security and resiliency objectives, and skill level.
• evolved: OCTAVE moved the organization toward an operational risk-based view of security and addresses technology in a business context.

CMMI Model
Capability Maturity Model Integration (CMMI) is a process improvement approach whose goal is to help organizations improve their performance. CMMI can be used to guide process improvement across a project, a division, or an entire organization. CMMI in software engineering and organizational development is a process improvement approach that provides organizations with the essential elements for effective process improvement. CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University. According to the Software Engineering Institute (SEI, 2008), CMMI helps "integrate traditionally separate organizational functions, set process improvement goals and priorities, provide guidance for quality processes, and provide a point of reference for appraising current processes."

What's a person to do?
To benefit from the standards and guidelines, it is imperative that you:
• Understand the complexity of overlapping standards
• Select a foundational standard while expecting to reference others as needed
• Start the "as is" assessment to identify existing gaps
• Incorporate the standard by reference in your security architecture
• Understand related vertical standards and potential impacts on the enterprise as they evolve
• Develop strong working relationships with internal and external auditors
• Monitor, test, and quantify compliance levels, to ensure that standards and controls are working and effective (CMMI model already discussed)
• Work untiringly to educate your enterprise about the role of security standards and their own responsibilities under those standards

Pulling "IT" All Together
Control activity matrix. Columns: CoBIT, ISO2700, ITIL, NewCo Best Practices, SOX, GLBA, PCIDSS, CMS, HiTech. An X marks each framework or regulation that calls for the control:
• Create Backups: X X X X X X X X (8 of 9 columns)
• Passwords must be 8 characters long: X X X X X (5 of 9 columns)
• Conduct a yearly IT risk assessment: X X X X X (5 of 9 columns)
• Centralized Monitoring: X X X X (4 of 9 columns)

Measuring IT
• Create Backups – CMMI 2
• Passwords 8 characters long – CMMI 3
• Yearly IT Risk Assessment – CMMI 2
• Centralized monitoring – CMMI 1

Measurement – Pulling it Together
• Focus on Relevant Regulations
• Get Executive Buy-in
• Assemble the Right Team
• Develop Policies for Compliance
• Identify Common Controls
• Perform a Gap Analysis
• Classify your Data
• Look for the Quick Wins
• Start Small, Go Big
• Educate Users

Useful Websites
• CMMI: http://www.sei.cmu.edu/library/abstracts/presentations/20080925webinar.cfm
• PCI-DSS V 2.0: https://www.pcisecuritystandards.org/security_standards/documents.php
• CMS: https://www.cms.gov/home/regsguidance.asp
• HIPAA: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html
• HiTech: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html
• GLBA: http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
• FISMA: http://csrc.nist.gov/groups/SMA/fisma/index.html
• NIST 800 series: http://csrc.nist.gov/publications/PubsSPs.html
• CoBIT: http://www.isaca.org/Knowledge-Center/cobit/Pages/COBIT-Online.aspx
• OCTAVE: http://www.cert.org/octave/

Conclusion
How long do we have to get in Compliance?
Questions?
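The control crosswalk, the CMMI maturity ratings and the "identify common controls / perform a gap analysis / look for the quick wins" steps above can be worked as one small tool. This is an added example, not part of the presentation: the CMMI levels are the ones the slides give, the target level of 3 is an assumption, and which column each X falls in is constructed here because the slide only records how many marks each control has.

```python
"""Control crosswalk with CMMI-based gap analysis (constructed example)."""
from dataclasses import dataclass

# Columns of the "Pulling IT All Together" matrix on the slide.
FRAMEWORKS = ["CoBIT", "ISO2700", "ITIL", "NewCo Best Practices",
              "SOX", "GLBA", "PCIDSS", "CMS", "HiTech"]


@dataclass(frozen=True)
class Control:
    name: str
    applies_to: frozenset   # frameworks/regulations that call for this control
    cmmi_level: int         # measured maturity (slide: "Measuring IT")


# Column assignment is CONSTRUCTED; the slide only preserved the number of
# X marks per row (8, 5, 5, 4). CMMI levels are the slide's own values.
CROSSWALK = [
    Control("Create backups", frozenset(FRAMEWORKS[:8]), 2),
    Control("Passwords must be 8 characters long",
            frozenset(["CoBIT", "ISO2700", "SOX", "PCIDSS", "HiTech"]), 3),
    Control("Conduct a yearly IT risk assessment",
            frozenset(["CoBIT", "ISO2700", "SOX", "GLBA", "PCIDSS"]), 2),
    Control("Centralized monitoring",
            frozenset(["ISO2700", "PCIDSS", "CMS", "HiTech"]), 1),
]


def gap_analysis(relevant, target_level=3, crosswalk=CROSSWALK):
    """Controls demanded by at least one relevant regulation whose measured
    maturity is below the target, largest shortfall first. Each entry is
    (control name, levels short of target, sorted list of regulations hit)."""
    relevant = set(relevant)
    gaps = []
    for c in crosswalk:
        hits = c.applies_to & relevant
        if hits and c.cmmi_level < target_level:
            gaps.append((c.name, target_level - c.cmmi_level, sorted(hits)))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps


def quick_wins(crosswalk=CROSSWALK, min_shared=5):
    """Common controls: one control that satisfies many frameworks at once,
    so raising its maturity closes gaps under several regimes together."""
    return sorted(c.name for c in crosswalk if len(c.applies_to) >= min_shared)


if __name__ == "__main__":
    # "Focus on relevant regulations": suppose only PCI-DSS and HiTech apply.
    for name, short, regs in gap_analysis({"PCIDSS", "HiTech"}):
        print(f"{name}: {short} level(s) below target; required by {', '.join(regs)}")
    print("Quick wins:", quick_wins())
```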